
Portable Compliance Profile™

Authority Documents

  • 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs
  • Cloud Computing Compliance Controls Catalogue (C5)
  • CobiT
  • FFIEC Business Continuity Planning (BCP) IT Examination Handbook
  • Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning
  • IM Guidance Update: Cybersecurity Guidance
  • ISO 22301: Societal Security - Business Continuity Management Systems - Requirements
  • ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services
  • ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181
  • Pandemic Response Planning Policy
  • Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers
  • Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery

Pandemic Response Planning

KEY
1715 Mandated
211 Implied
  • Control Name
    ID #
  • Leadership and high level objectives
    00597
    • Analyze organizational objectives, functions, and activities.
      00598
      • Develop instructions for setting organizational objectives and strategies.
        12931
      • Analyze the business environment in which the organization operates.
        12798
        • Identify the internal factors that may affect organizational objectives.
          12957
        • Include key processes in the analysis of the internal business environment.
          12947
        • Align assets with business functions and the business environment.
          13681
        • Monitor for changes which affect organizational strategies in the internal business environment.
          12863
        • Monitor for changes which affect organizational objectives in the internal business environment.
          12862
      • Analyze the external environment in which the organization operates.
        12799
        • Identify the external forces that may affect organizational objectives.
          12960
        • Monitor for changes which affect organizational strategies in the external environment.
          12880
        • Monitor for changes which affect organizational objectives in the external environment.
          12879
        • Include regulatory requirements in the analysis of the external environment.
          12964
        • Include legal requirements in the analysis of the external environment.
          12896
        • Include technology in the analysis of the external environment.
          12837
      • Conduct a context analysis to define objectives and strategies.
        12864
      • Document organizational objectives.
        09959
        • Evaluate organizational objectives to determine impact on other organizational objectives.
          12814
          • Identify conditions that may affect organizational objectives.
            12958
          • Identify opportunities that could affect achieving organizational objectives.
            12826
        • Review and update organizational objectives, as necessary.
          13494
        • Establish and maintain a Mission, Vision, and Values Statement.
          12783
        • Disseminate and communicate organizational objectives to all interested personnel and affected parties.
          13191
        • Document and communicate the linkage between organizational objectives, functions, activities and general controls.
          12398
          • Identify threats that could affect achieving organizational objectives.
            12827
            • Identify how opportunities, threats, and external requirements are trending.
              12829
          • Review the organization's approach to managing information security, as necessary.
            12005
      • Identify all interested personnel and affected parties.
        12845
      • Analyze and prioritize the requirements of interested personnel and affected parties.
        12796
      • Establish, implement, and maintain an information classification standard.
        00601
        • Take into account the organization's obligation to protect data or information when establishing information impact levels.
          04786
        • Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard.
          11997
        • Classify the criticality to unauthorized disclosure or modification of information in the information classification standard.
          11996
        • Classify the value of information in the information classification standard.
          11995
      • Establish and maintain a data classification scheme.
        11628
      • Establish and maintain an organizational data dictionary, including data syntax rules.
        00600
        • Refrain from allowing incompatible data elements in the data dictionary.
          13624
        • Disseminate and communicate the data dictionary to interested personnel and affected parties.
          13516
      • Establish and maintain an Information and Infrastructure Architecture model.
        00599
      • Establish and maintain sustainable infrastructure planning.
        00603
        • Take into account the need for protecting information confidentiality during infrastructure planning.
          06486
      • Monitor regulatory trends to maintain compliance.
        00604
        • Monitor for new Information Security solutions.
          07078
        • Subscribe to a threat intelligence service to receive notification of emerging threats.
          12135
        • Disseminate and communicate emerging threats to all affected parties.
          12185
      • Establish, implement, and maintain a Quality Management framework.
        07196
        • Establish and maintain a Quality Management policy.
          13694
        • Include critical Information Technology processes in the Quality Management Framework.
          13645
        • Establish and maintain an overall Quality Management standard.
          01006
          • Document the measurements used by Quality Assurance and Quality Control testing.
            07200
        • Implement the quality management program.
          13696
          • Correct errors and deficiencies in a timely manner.
            13501
        • Enforce a continuous Quality Control system.
          01005
          • Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures.
            01008
        • Establish and maintain a Quality Management program.
          07201
          • Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement.
            07203
          • Include program documentation standards in the Quality Management program.
            01016
          • Include program testing standards in the Quality Management program.
            01017
          • Review and analyze any quality improvement goals that were missed.
            07204
          • Include system testing standards in the Quality Management program.
            01018
        • Review the Quality Management framework, as necessary.
          07198
    • Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.
      01241
      • Define the scope of the security policy.
        07145
      • Correlate Information Systems with applicable controls.
        01621
      • Establish and maintain an organizational policy and procedure management program.
        06285
        • Analyze organizational policies, as necessary.
          14037
        • Implement organizational policies, standards, and procedures.
          12893
          • Include requirements in the organization’s policies, standards, and procedures.
            12956
        • Establish and maintain a list of compliance documents.
          07113
          • Map in scope assets and in scope records to external requirements.
            12189
          • Document organizational procedures that harmonize external requirements, including all legal requirements.
            00623
          • Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework.
            01636
            • Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties.
              12901
          • Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties.
            01312
        • Approve all compliance documents.
          06286
          • Align the list of compliance documents with applicable laws, regulations, and contractual obligations.
            06288
          • Assign the appropriate roles to all applicable compliance documents.
            06284
          • Establish and maintain a Compliance Exception standard for compliance exceptions.
            01628
            • Document compliance exceptions, as necessary.
              01630
• Include explanations, compensating controls, or risk acceptance in the compliance exceptions document.
              01631
            • Review the compliance exceptions in the exceptions document, as necessary.
              01632
        • Disseminate and communicate compliance documents to all interested personnel and affected parties.
          06282
          • Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties.
            06283
    • Define the Information Assurance strategic roles and responsibilities.
      00608
      • Establish and maintain a compliance oversight committee.
        00765
        • Include recommendations for changes or updates to the information security program in the Board Report.
          13180
        • Provide critical project reports to the compliance oversight committee in a timely manner.
          01183
        • Assign the corporate governance of Information Technology to the compliance oversight committee.
          01178
        • Involve the Board of Directors in Information Governance.
          00609
        • Address Information Security during the business planning processes.
          06495
          • Document the requirements of stakeholders during the business planning process regarding Information Security.
            06498
    • Establish and maintain a strategic plan.
      12784
      • Determine progress toward the objectives of the integrated plan.
        12944
      • Include acting with integrity in the strategic plan.
        12870
      • Include the outsource partners in the strategic plan, as necessary.
        13960
      • Align the cybersecurity program strategy with the organization's strategic plan.
        14322
      • Establish and maintain a decision management strategy.
        06913
        • Include an economic impact analysis in the decision management strategy.
          14015
        • Include cost benefit analysis in the decision management strategy.
          14014
        • Include criteria for risk tolerance in the decision management strategy.
          12950
        • Align organizational objectives with performance targets in the decision-making criteria.
          12843
        • Align organizational objectives with the acceptable residual risk in the decision-making criteria.
          12841
        • Create additional decision-making criteria to achieve organizational objectives, as necessary.
          12948
        • Involve knowledgeable and experienced individuals in the decision-making process.
          06915
        • Take actions in accordance with the decision-making criteria.
          12909
        • Document and evaluate the decision outcomes from the decision-making process.
          06918
      • Establish and maintain an information technology process framework.
        13648
        • Include maturity models in the Information Technology process framework.
          13652
        • Include relationships between Information Technology process structures in the Information Technology process framework.
          13651
        • Include Information Technology process structures in the Information Technology process framework.
          13650
      • Establish and maintain a high-level Strategic Information Technology Plan.
        00628
        • Include business continuity objectives in the Strategic Information Technology Plan.
          06496
          • Align business continuity objectives with the business continuity policy.
            12408
        • Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs.
          00631
        • Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan.
          00630
        • Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan.
          06491
        • Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan.
          00632
          • Establish and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan.
            01609
            • Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan.
              06497
            • Document the business case and return on investment in each Information Technology project plan.
              06846
              • Document all desired outcomes for a proposed project in the Information Technology project plan.
                06916
              • Assign senior management to approve business cases.
                13068
            • Include milestones for each project phase in the Information Technology project plan.
              12621
          • Document lessons learned at the conclusion of each Information Technology project.
            13654
        • Establish and maintain Information Technology projects in support of the Strategic Information Technology Plan.
          13673
        • Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties.
          00633
        • Monitor and evaluate the implementation and effectiveness of Information Technology Plans.
          00634
• Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans.
            06839
            • Include significant security risks in the Information Technology Plan status reports.
              06939
              • Include significant risk mitigations in the Information Technology Plan status reports.
                06841
• Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors.
          13094
    • Establish and maintain a Governance, Risk, and Compliance awareness and training program.
      06492
      • Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security.
        06493
    • Establish, implement, and maintain a financial management program, as necessary.
      13228
      • Review financial reports, as necessary.
        13229
    • Establish and maintain communication protocols.
      12245
      • Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol.
        12419
        • Assess the effectiveness of the communication methods used in the communication protocol.
          12691
      • Include external requirements in the organization's communication protocol.
        12418
      • Report to management and stakeholders on the findings and information gathered from all types of inquiries.
        12797
      • Establish and maintain warning procedures that follow the organization's communication protocol.
        12407
      • Establish and maintain alert procedures that follow the organization's communication protocol.
        12406
        • Include the capturing and alerting of performance variances in the notification system.
          12929
    • Establish and maintain an internal reporting program.
      12409
  • Audits and risk management
    00677
    • Define the roles and responsibilities for personnel assigned to tasks in the Audit function.
      00678
      • Manage supply chain audits.
        01203
      • Define and assign the external auditor's roles and responsibilities.
        00683
        • Retain copies of external auditor outsourcing contracts and engagement letters.
          01188
          • Include the scope and work to be performed in external auditor outsourcing contracts.
            01190
            • Conduct a performance review of the external auditor's performance during the audit process.
              01198
    • Establish and maintain an audit program.
      00684
      • Assign the audit to impartial auditors.
        07118
      • Exercise due professional care during the planning and performance of the audit.
        07119
      • Include provisions for legislative plurality and legislative domain in the audit program.
        06959
      • Include agreement to the audit scope and audit terms in the audit program.
        06965
        • Include audit subject matter in the audit program.
          07103
        • Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties.
          06967
          • Include the in scope risk assessment processes in the audit assertion.
            06975
        • Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms.
          06988
      • Accept the attestation engagement when all preconditions are met.
        13933
        • Audit in scope audit items and compliance documents as defined in the audit scope.
          06730
          • Audit policies, standards, and procedures.
            12927
            • Audit cybersecurity risk management within the policies, standards, and procedures of the organization.
              13011
          • Audit information systems, as necessary.
            13010
            • Audit the potential costs of compromise to information systems.
              13012
          • Determine if the audit assertion's in scope controls are reasonable.
            06980
            • Document test plans for auditing in scope controls.
              06985
              • Determine the effectiveness of in scope controls.
                06984
                • Review incident management audit logs to determine the effectiveness of in scope controls.
                  12157
          • Audit the in scope system according to the test plan using relevant evidence.
            07112
          • Investigate the nature and causes of identified in scope control deviations.
            06986
          • Supervise interested personnel and affected parties participating in the audit.
            07150
          • Respond to questions or clarification requests regarding the audit.
            08902
        • Track and measure the implementation of the organizational compliance framework.
          06445
          • Establish and maintain a Statement on the Level of Compliance.
            12499
            • Review the Statement on the Level of Compliance.
              12500
            • Include a Statement on the Level of Compliance in the tactical Information Technology plan.
              06842
      • Establish and maintain organizational audit reports.
        06731
        • Include the scope and work performed in the audit report.
          11621
          • Review the adequacy of the internal auditor's audit reports.
            11620
            • Review past audit reports.
              01155
        • Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list.
          07117
      • Submit an audit report that is complete.
        01145
      • Implement a corrective action plan in response to the audit report.
        06777
        • Assign responsibility for remediation actions, as necessary.
          13622
        • Review management's response to issues raised in past audit reports.
          01149
        • Define penalties for uncorrected audit findings or remaining non-compliant with the audit report.
          08963
        • Take appropriate action to correct deficiencies identified in the audit report.
          01177
      • Assess the quality of the audit program in regards to the staff and their qualifications.
        01150
        • Review the audit program scope as it relates to the organization's profile.
          01159
      • Assess the quality of the audit program in regards to its documentation.
        11622
        • Establish and maintain the audit plan for the audit program.
          01156
        • Establish and maintain the audit schedule for the audit program.
          13158
    • Establish and maintain a risk management program.
      12051
      • Integrate the risk management program with the organization's business activities.
        13661
      • Integrate the risk management program into daily business decision-making.
        13659
      • Establish and maintain risk management strategies, as necessary.
        13209
        • Include the use of alternate service providers in the risk management strategies.
          13217
      • Establish and maintain the risk assessment framework.
        00685
        • Define and assign the roles and responsibilities for the risk assessment framework, as necessary.
          06456
        • Establish, implement, and maintain a risk assessment program to manage internal threats and external threats.
          00687
          • Establish and maintain the factors and context for risk to the organization.
            12230
          • Establish and maintain a financial plan to support the risk management strategy.
            12786
          • Address cybersecurity risks in the risk assessment program.
            13193
          • Establish, implement, and maintain risk assessment procedures.
            06446
            • Include compliance with disposition requirements in the risk assessment procedures.
              12342
            • Establish and maintain a threat and risk classification scheme.
              07183
              • Include security threats and vulnerabilities to the system in the threat and risk classification scheme.
                00699
              • Categorize the systems, information, and data by risk profile in the threat and risk classification scheme.
                01443
              • Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme.
                00698
            • Address past security incidents in the risk assessment program.
              12743
            • Include the environments that call for risk assessments in the risk assessment program.
              06448
            • Include the process for defining the scope of each risk assessment in the risk assessment program.
              06462
            • Include the roles and responsibilities involved in risk assessments in the risk assessment program.
              06450
            • Review the risk assessment procedures, as necessary.
              06460
              • Employ risk assessment methodologies that follow legal requirements and contractual obligations when risk profiling.
                06472
              • Employ risk assessment methodologies that align with organizational strategic objectives.
                06474
              • Employ risk assessment methodologies that include appropriate risk treatment options for each identified risk.
                06484
          • Perform risk assessments for all target environments, as necessary.
            06452
            • Include the results of the risk assessment in the risk assessment report.
              06481
            • Update the risk assessment upon discovery of a new threat.
              00708
            • Update the risk assessment upon changes to the risk profile.
              11627
            • Disseminate and communicate the approved risk assessment report to interested personnel and affected parties.
              10633
          • Establish, implement, and maintain a risk assessment awareness and training program.
            06453
            • Disseminate and communicate information about risks to all interested personnel and affected parties.
              06718
        • Correlate the business impact of identified risks in the risk assessment report.
          00686
          • Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report.
            01147
            • Include tolerance to downtime in the Business Impact Analysis report.
              01172
            • Document organizational risk tolerance in a risk register.
              09961
              • Update the risk register, as necessary.
                13047
            • Review the issues of non-compliance from past audit reports.
              01148
            • Review the Business Impact Analysis, as necessary.
              12774
          • Analyze and quantify the risks to in scope systems and information.
            00701
            • Establish and maintain a Risk Scoping and Measurement Definitions Document.
              00703
              • Assess the potential level of business impact risk associated with each business process.
                06463
              • Assess the potential level of business impact risk associated with the business environment.
                06464
              • Assess the potential level of business impact risk associated with business information of in scope systems.
                06465
              • Assess the potential level of business impact risk associated with external entities.
                06469
            • Establish a risk acceptance level that is appropriate to the organization's risk appetite.
              00706
              • Select the appropriate risk treatment option for each identified risk in the risk register.
                06483
              • Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties.
                06849
        • Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary.
          00704
          • Prioritize and select controls based on the risk assessment findings.
            00707
          • Determine the effectiveness of risk control measures.
            06601
        • Establish and maintain a risk treatment plan.
          11983
          • Include the risk treatment strategy in the risk treatment plan.
            12159
          • Approve the risk treatment plan.
            13495
        • Integrate the corrective action plan based on the risk assessment findings with other risk management activities.
          06457
        • Document and communicate a corrective action plan based on the risk assessment findings.
          00705
          • Review and approve the risk assessment findings.
            06485
      • Include risk responses in the risk management program.
        13195
      • Document residual risk in a residual risk report.
        13664
• Establish and maintain a Cybersecurity Risk Management Strategy.
        11991
        • Include a risk prioritization approach in the Cybersecurity Risk Management Strategy.
          12276
      • Disseminate and communicate the organization's risk management policy to interested personnel and affected parties.
        13792
    • Review and update the risk management program, as necessary.
      13049
    • Publish a Report on Compliance for the organization's external requirements.
      12350
      • Include a commitment to comply with recommendations from applicable statutory bodies in the Report on Compliance.
        12371
      • Include a commitment to cooperate with applicable statutory bodies in the Report on Compliance.
        12370
  • Monitoring and measurement
    00636
    • Establish and maintain an Information Technology inventory with asset discovery audit trails.
      00689
      • Include each Information System's system boundaries in the Information Technology inventory.
        00695
      • Establish and maintain a hardware asset inventory.
        00691
        • Include network equipment in the Information Technology inventory.
          00693
        • Include mobile devices that store restricted data or restricted information in the Information Technology inventory.
          04719
      • Include software in the Information Technology inventory.
        00692
        • Establish and maintain a list of authorized software and versions required for each system.
          12093
      • Establish, implement, and maintain a storage media inventory.
        00694
        • Include all electronic storage media containing restricted data or restricted information in the storage media inventory.
          00962
      • Establish and maintain a records inventory and database inventory.
        01260
    • Establish and maintain Security Control System monitoring and reporting procedures.
      12506
      • Include detecting and reporting the failure of File Integrity Monitoring in the Security Control System monitoring and reporting procedures.
        12525
      • Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures.
        12513
      • Include detecting and reporting the failure of antivirus software in the Security Control System monitoring and reporting procedures.
        12512
      • Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures.
        12511
      • Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures.
        12510
      • Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures.
        12509
      • Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures.
        12508
      • Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures.
        12507
    • Implement Security Control System monitoring and reporting procedures.
      13500
    • Respond to failures of security controls.
      12516
    • Establish and maintain a Responding to Failures in Security Controls procedure.
      12514
      • Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure.
        12521
      • Include implementing mitigating controls to prevent the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure.
        12520
      • Include correcting security issues caused by the failure of a security control in the Responding to Failures in Security Controls procedure.
        12518
      • Include documenting the duration of the failure of a security control in the Responding to Failures in Security Controls procedure.
        12517
      • Include restoring security functions in the Responding to Failures in Security Controls procedure.
        12515
    • Establish, implement, and maintain logging and monitoring operations.
      00637
      • Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs.
        06312
        • Review and approve the use of continuous security management systems.
          13181
        • Protect continuous security management systems from unauthorized use.
          13097
      • Establish and maintain intrusion management operations.
        00580
        • Install and maintain an Intrusion Detection System and/or Intrusion Prevention System.
          00581
        • Monitor systems for inappropriate usage and other security violations.
          00585
          • Address operational anomalies within the problem management system.
            00589
          • Monitor systems for access to restricted data or restricted information.
            04721
            • Assign roles and responsibilities for overseeing access to restricted data or restricted information.
              11950
            • Detect unauthorized access to systems.
              06798
          • Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.
            06430
        • Update the intrusion detection capabilities and the incident response capabilities regularly.
          04653
      • Document and communicate the log locations to the owning entity.
        12047
      • Make logs available for review by the owning entity.
        12046
      • Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information.
        00638
        • Enable logging for all systems that meet the traceability criteria.
          00640
          • Synchronize system clocks to an accurate and universal time source on all devices that have logging enabled.
            01340
            • Centralize network time servers to as few as practical.
              06308
        • Include logging frequencies in the event logging procedures.
          00642
      • Include a standard to collect and interpret event logs in the event logging procedures.
        00643
        • Compile the event logs of multiple components into a system-wide time-correlated audit trail.
          01424
        • Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly.
          00596
          • Eliminate false positives in event logs, intrusion detection system reports, security incident tracking reports, and other security logs.
            07047
          • Correlate log entries to security controls to verify the security control's effectiveness.
            13207
          • Identify cybersecurity events in event logs and audit logs.
            13206
          • Follow up exceptions and anomalies identified when reviewing logs.
            11925
      • Monitor and evaluate system performance.
        00651
      • Monitor for and react to when suspicious activities are detected.
        00586
      • Assess customer satisfaction.
        00652
      • Disseminate and communicate the reviews of audit reports to organizational management.
        00653
      • Establish and maintain a continuous monitoring for Configuration Management program.
        06757
        • Establish and maintain an automated configuration monitoring system, as necessary.
          07058
        • Monitor for and report when a software configuration is updated.
          06746
          • Implement file integrity monitoring.
            01205
            • Identify unauthorized modifications during file integrity monitoring.
              12096
            • Alert interested personnel and affected parties when an unauthorized modification to critical files is detected.
              12045
        • Monitor and evaluate user account activity.
          07066
          • Develop and maintain a usage profile for each user account.
            07067
            • Log account usage to determine dormant accounts.
              12118
              • Log account usage durations.
                12117
    • Establish and maintain a risk monitoring program.
      00658
      • Monitor the organization's exposure to threats, as necessary.
        06494
      • Implement a fraud detection system.
        13081
      • Monitor for new vulnerabilities.
        06843
      • Establish and maintain an overall compliance testing strategy.
        00659
        • Establish and maintain a self-assessment approach as part of the compliance testing strategy.
          12833
      • Establish, implement, and maintain a System Security Plan.
        01922
        • Create specific test plans to test each system component.
          00661
        • Validate all testing assumptions in the test plans.
          00663
          • Include error details, identifying the root causes, and mitigation actions in the testing procedures.
            11827
          • Determine the appropriate assessment method for each testing process in the test plan.
            00665
            • Implement automated audit tools.
              04882
          • Assign senior management to approve test plans.
            13071
      • Analyze system audit reports and determine the need to perform more tests.
        00666
    • Establish and maintain testing programs, as necessary.
      00654
      • Employ third parties to carry out testing programs, as necessary.
        13178
      • Define the test requirements for each testing program.
        13177
      • Disseminate and communicate the security test program to all interested personnel and affected parties.
        11871
      • Establish and maintain a business line testing strategy.
        13245
        • Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy.
          13257
      • Implement and comply with the security test program.
        11870
        • Conduct Red Team exercises, as necessary.
          12131
        • Test security systems and associated security procedures, as necessary.
          11901
        • Scan organizational networks for rogue devices.
          00536
          • Scan the network for Wireless Access Points.
            00370
            • Document the business need justification for authorized wireless access points.
              12044
            • Scan wireless networks for rogue devices.
              11623
          • Implement incident response procedures when rogue devices are discovered.
            11880
        • Establish, implement, and maintain a penetration test program.
          01105
          • Align the penetration test program with industry standards.
            12469
          • Assign penetration testing to a qualified internal resource or external third party.
            06429
          • Establish and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation.
            11958
          • Retain penetration test results according to internal policy.
            10049
          • Retain penetration test remediation action records according to internal policy.
            11629
          • Perform penetration tests, as necessary.
            00655
            • Perform internal penetration tests, as necessary.
              12471
            • Perform external penetration tests, as necessary.
              12470
            • Include coverage of all in scope systems during penetration testing.
              11957
            • Test the system for broken access controls.
              01319
            • Test the system for insecure configuration management.
              01327
            • Perform network-layer penetration testing on all systems, as necessary.
              01277
            • Perform application-layer penetration testing on all systems, as necessary.
              11630
            • Perform penetration testing on segmentation controls, as necessary.
              12498
              • Verify segmentation controls are operational and effective.
                12545
            • Correct vulnerabilities and repeat penetration testing.
              06860
        • Establish and maintain a vulnerability assessment program.
          11636
          • Perform vulnerability scans, as necessary.
            11637
            • Correct vulnerabilities and repeat vulnerability scanning.
              11646
            • Identify and document security vulnerabilities.
              11857
              • Rank discovered vulnerabilities.
                11940
            • Assign vulnerability scanning to qualified personnel or external third parties.
              11638
            • Correlate vulnerability scan reports from the various systems.
              10636
              • Perform internal vulnerability scans on the organization's systems.
                00656
            • Repeat vulnerability scanning after an approved change occurs.
              12468
            • Perform external vulnerability scans on the organization's systems.
              11624
              • Employ an approved third party to perform external vulnerability scans on the organization's systems.
                12467
              • Meet the requirements for a passing score during an external vulnerability scan or rescan.
                12039
          • Perform vulnerability assessments, as necessary.
            11828
            • Review applications for security vulnerabilities after the application is updated.
              11938
      • Recommend mitigation techniques based on vulnerability scan reports.
        11639
      • Recommend mitigation techniques based on penetration test results.
        04881
      • Correct or mitigate vulnerabilities.
        12497
        • Establish and maintain an exception management process for vulnerabilities that cannot be remediated.
          13859
    • Monitor the usage and capacity of critical IT assets.
      00668
      • Monitor systems for errors and faults.
        04544
      • Compare system performance metrics to organizational standards and industry benchmarks.
        00667
    • Establish and maintain a service management monitoring and metrics program.
      13916
      • Monitor service availability when implementing the service management monitoring and metrics program.
        13921
    • Establish and maintain a compliance monitoring policy.
      00671
      • Establish and maintain an approach for compliance monitoring.
        01653
        • Establish and maintain risk management metrics.
          01656
        • Identify information being used to support the performance of the governance, risk, and compliance capability.
          12866
        • Monitor personnel and third parties for compliance to the organizational compliance framework.
          04726
          • Identify and document instances of non-compliance with the organizational compliance framework.
            06499
            • Align enforcement reviews for non-compliance with organizational risk tolerance.
              13063
          • Determine the causes of compliance violations.
            12401
            • Identify and document events surrounding non-compliance with the organizational compliance framework.
              12935
            • Determine if multiple compliance violations of the same type could occur.
              12402
          • Correct compliance violations.
            13515
          • Review the effectiveness of disciplinary actions carried out for compliance violations.
            12403
          • Carry out disciplinary actions when a compliance violation is detected.
            06675
            • Align disciplinary actions with the level of compliance violation.
              12404
        • Establish and maintain compliance program metrics.
          11625
        • Establish and maintain a Business Continuity metrics program.
          01663
      • Establish and maintain a metrics policy.
        01654
        • Establish and maintain a metrics standard and template.
          02157
        • Monitor compliance with the Quality Control system.
          01023
        • Establish and maintain a policies and controls metrics program.
          01666
        • Establish, implement, and maintain a security roles and responsibilities metrics program.
          01667
        • Establish and maintain an information risk threshold metrics program.
          01694
        • Establish and maintain an Information Systems architecture metrics program.
          02059
      • Establish, implement, and maintain a technical measurement metrics policy.
        01655
        • Establish and maintain a Software Change Management metrics program.
          02081
        • Establish and maintain a network management and firewall management metrics program.
          02082
        • Establish and maintain an incident management and vulnerability management metrics program.
          02085
          • Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds.
            02126
      • Establish and maintain a log management program.
        00673
        • Restrict access to logs to a need to know basis.
          01342
        • Restrict access to audit trails to a need to know basis.
          11641
        • Back up audit trails according to backup procedures.
          11642
        • Copy logs from all predefined hosts onto a log management infrastructure.
          01346
        • Protect logs from unauthorized activity.
          01345
        • Perform testing and validating activities on all logs.
          06322
        • Archive the audit trail in accordance with compliance requirements.
          00674
    • Monitor the performance of the governance, risk, and compliance capability.
      12857
    • Create a plan of action to correct control deficiencies identified in an audit.
      00675
    • Monitor the activities to correct control deficiencies identified in an audit.
      11645
    • Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.
      00676
    • Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis.
      12330
    • Report known security issues to the Board of Directors or Senior Executive Committee on a regular basis.
      12329
    • Protect against misusing automated audit tools.
      04547
      • Evaluate the measurement process used for metrics.
        06920
    • Provide intelligence support to the organization, as necessary.
      14020
      • Submit or respond to deconfliction requests regarding cyberspace operations, as necessary.
        14269
      • Perform intelligence operations on target systems and networks, as necessary.
        14039
      • Establish and maintain a Technical Surveillance Countermeasures program.
        11401
        • Determine the need for Technical Surveillance Countermeasures.
          11402
          • Determine the need for recurring Technical Surveillance Countermeasures.
            11409
            • Conduct recurring Technical Surveillance Countermeasures based on implemented security measures.
              11411
            • Conduct recurring Technical Surveillance Countermeasures based on information received from counterintelligence operations.
              11413
        • Provide targeting support for the intelligence collection strategy.
          14268
        • Provide targeting products to support the intelligence collection strategy.
          14267
        • Establish and maintain an intelligence collection strategy.
          14017
          • Include managing intelligence requirements in the intelligence collection strategy.
            14321
        • Establish and maintain target lists, as necessary.
          14266
        • Collect threat intelligence, as necessary.
          14064
          • Identify and document intelligence collection shortfalls.
            14078
        • Establish, implement, and maintain Technical Surveillance Countermeasures support request procedures.
          11414
          • Establish and maintain Technical Surveillance Countermeasure support request submission procedures.
            11435
            • Supply documented evidence of a technical penetration when requesting Technical Surveillance Countermeasure support.
              11415
        • Establish and implement cyber threat intelligence tools.
          12696
          • Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures.
            12697
          • Evaluate cyber threat intelligence.
            12747
        • Conduct Technical Surveillance Countermeasures.
          11442
          • Create a Technical Surveillance Countermeasure survey report after completion of a Technical Surveillance Countermeasure survey.
            11445
            • Include the geographic location in the Technical Surveillance Countermeasure survey report.
              11456
          • Conduct joint Technical Surveillance Countermeasure exercises.
            11448
        • Develop and maintain guidance on gathering intelligence on technical penetrations and Technical Surveillance Countermeasures.
          11477
        • Communicate threat intelligence to interested personnel and affected parties.
          14016
  • Technical security
    00508
    • Establish and maintain an access classification scheme.
      00509
      • Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme.
        00510
        • Include business security requirements in the access classification scheme.
          00002
          • Interpret and apply security requirements based upon the information classification of the system.
            00003
        • Include third party access in the access classification scheme.
          11786
      • Establish, implement, and maintain security classifications for organizational assets.
        00005
        • Limit the use of resources by priority.
          01448
      • Review security classifications periodically.
        00007
    • Establish and maintain a digital identity management program.
      13713
      • Establish and maintain digital identification procedures.
        13714
        • Implement digital identification processes.
          13731
          • Implement identity proofing processes.
            13719
            • Validate proof of identity during the identity proofing process.
              13756
              • Verify proof of identity records.
                13761
      • Implement federated identity systems, as necessary.
        13837
        • Authenticate all systems in a federated identity system.
          13835
          • Send and receive authentication assertions, as necessary.
            13839
            • Validate each element within the authentication assertion.
              13853
              • Validate the digital signature in the authentication assertion.
                13869
    • Establish and maintain an access control program.
      11702
      • Include instructions to change passwords as often as necessary in the access control program.
        11931
      • Include guidance for how users should protect their authentication credentials in the access control program.
        11929
      • Include guidance on selecting authentication credentials in the access control program.
        11928
      • Establish, implement, and maintain access control policies.
        00512
        • Disseminate and communicate the Access Control policies to all interested personnel and affected parties.
          10061
      • Establish and maintain an access rights management plan.
        00513
        • Identify information system users.
          12081
          • Review user accounts.
            00525
            • Review and update accounts and access rights when notified of personnel status changes.
              00788
        • Control access rights to organizational assets.
          00004
          • Add all devices requiring access control to the Access Control List.
            06264
            • Disallow application IDs from running as privileged users.
              10050
          • Define Roles for information systems.
            12454
            • Define access needs for each Role assigned to an information system.
              12455
              • Define access needs for each system component of an information system.
                12456
              • Define the level of privilege required for each system component of an information system.
                12457
          • Establish access rights based on least privilege.
            01411
            • Assign user permissions based on job responsibilities.
              00538
            • Assign user privileges after they have management sign off.
              00542
            • Separate processing domains to segregate user privileges and enhance information flow control.
              06767
          • Establish lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts.
            01412
          • Establish session lock capabilities.
            01417
          • Limit concurrent sessions according to account type.
            01416
          • Enable access control for objects and users on each system.
            04553
            • Include all system components in the access control system.
              11939
            • Set access control for objects and users to "deny all" unless explicitly authorized.
              06301
            • Enable Role-based access control for objects and users on information systems.
              12458
          • Assign Information System access authorizations if implementing segregation of duties.
            06323
            • Enforce access restrictions for change control.
              01428
            • Enforce access restrictions for restricted data.
              01921
          • Perform a risk assessment prior to activating third party access to the organization's critical systems.
            06455
            • Activate third party maintenance accounts and user identifiers, as necessary.
              04262
        • Control user privileges.
          11665
          • Review all user privileges, as necessary.
            06784
        • Establish and maintain User Access Management procedures for all systems.
          00514
          • Establish, implement, and maintain an authority for access authorization list.
            06782
            • Review and approve logical access to all assets based upon organizational policies.
              06641
          • Control the addition and modification of user identifiers, user credentials, or other object identifiers.
            00515
            • Assign roles and responsibilities for administering user account management.
              11900
            • Automate access control methods, as necessary.
              11838
            • Refrain from allowing user access to identifiers and passwords used by applications.
              10048
          • Remove inactive user accounts, as necessary.
            00517
          • Terminate user accounts when notified that an individual is terminated.
            11614
            • Terminate access rights when notified that an individual is terminated.
              11826
              • Revoke asset access when an individual is terminated.
                00516
        • Establish and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework.
          00526
        • Document the business need justification for authentication data storage.
          06325
      • Establish and maintain access control procedures.
        11663
        • Include Access Control procedures in the Access Control program.
          00528
        • Grant access to authorized personnel.
          12186
          • Document approving and granting access in the access control log.
            06786
      • Include digital identification procedures in the Access Control program.
        11841
        • Employ unique user identifiers.
          01273
        • Disseminate and communicate IDs and passwords using secure communication protocols.
          06791
        • Include instructions to refrain from using previously used passwords in the access control program.
          11930
        • Authenticate user identities before manually resetting a password.
          04567
        • Require proper authentication for user identifiers.
          11785
          • Assign passwords to user accounts, as necessary.
            06855
          • Assign authentication mechanisms for user account authentication.
            06856
            • Refrain from allowing individuals to share authentication mechanisms.
              11932
            • Limit account credential reuse as a part of digital identification procedures.
              12357
          • Use biometric authentication for identification and authentication, as necessary.
            06857
    • Identify and control all network access controls.
      00529
      • Establish and maintain a network configuration standard.
        00530
        • Establish and maintain a network security policy.
          06440
        • Maintain up-to-date network diagrams.
          00531
        • Maintain up-to-date data flow diagrams.
          10059
          • Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams.
            13737
      • Manage all internal network connections.
        06329
      • Secure the Domain Name System.
        00540
        • Implement segregation of duties.
          11843
      • Establish and maintain a Boundary Defense program.
        00544
        • Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary.
          11891
          • Authorize the disclosure of private Internet Protocol addresses and routing information to external entities.
            12034
        • Segregate out of scope systems from in scope systems.
          12546
          • Segregate servers that contain restricted data or restricted information from direct public access.
            00533
            • Restrict inbound Internet traffic inside the Demilitarized Zone.
              01285
            • Segregate applications and databases that contain restricted data or restricted information in an internal network zone.
              01289
        • Establish and maintain a network access control standard.
          00546
          • Include assigned roles and responsibilities in the network access control standard.
            06410
          • Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary.
            11821
            • Place firewalls between all security domains and between any Demilitarized Zone and internal network zones.
              01274
            • Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information.
              01293
        • Establish and maintain a firewall and router configuration standard.
          00541
          • Include testing and approving all network connections through the firewall in the firewall and router configuration standard.
            01270
          • Include compensating controls implemented for insecure protocols in the firewall and router configuration standard.
            11948
          • Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary.
            11903
          • Include restricting inbound internet traffic in the firewall and router configuration standard.
            11960
          • Include restricting outbound network traffic in the firewall and router configuration standard.
            11961
          • Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard.
            12435
          • Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard.
            12434
          • Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard.
            12426
          • Include a protocols, ports, applications, and services list in the firewall and router configuration standard.
            00537
            • Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard.
              12547
            • Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard.
              01280
            • Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list.
              12033
            • Identify and document the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration.
              12032
          • Review the firewall and router configuration standard, as necessary.
            12502
        • Install and configure firewalls to be enabled on all mobile devices, if possible.
          00550
          • Lock personal firewall configurations to prevent them from being disabled or changed by end users.
            06420
        • Configure network access and control points to protect restricted data or restricted information.
          01284
          • Configure firewalls to deny all traffic by default, except explicitly designated traffic.
            00547
          • Configure firewalls to perform dynamic packet filtering.
            01288
            • Configure firewall filtering to only permit established connections into the network.
              12482
            • Restrict outbound network traffic from systems that contain restricted data or restricted information.
              01295
          • Synchronize and secure all router configuration files.
            01291
          • Configure firewalls to generate an audit log.
            12038
          • Verify network access and control points are configured according to organizational standards.
            12442
        • Install and configure application layer firewalls for all key web-facing applications.
          01450
          • Update application layer firewalls to the most current version.
            12037
      • Establish and maintain a Wireless Local Area Network Configuration Management program.
        01646
        • Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks.
          04830
    • Enforce information flow control.
      11781
      • Establish and maintain information flow control configuration standards.
        01924
        • Perform content filtering scans on network traffic.
          06761
          • Use content filtering scans to identify information flows by data type usage.
            11818
            • Document information flow anomalies that do not fit normal traffic patterns.
              12163
        • Constrain the information flow of restricted data or restricted information.
          06763
          • Restrict access to restricted data and restricted information on a need to know basis.
            12453
      • Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.
        01410
        • Establish and maintain information flow procedures.
          04542
        • Establish and maintain information exchange procedures.
          11782
          • Review and approve information exchange system connections.
            07143
          • Establish electronic authentication before transmitting restricted data or restricted information between devices.
            01750
          • Enable encryption of a protected distribution system if sending restricted data or restricted information.
            01749
            • Protect data from modification or loss while transmitting between separate parts of the system.
              04554
        • Establish and maintain measures to detect and prevent the use of unsafe internet services.
          13104
          • Establish and maintain whitelists and blacklists of domain names.
            07097
            • Block uncategorized sites using URL filtering.
              12140
        • Establish and maintain whitelists and blacklists of software.
          11780
        • Implement information flow control policies when making decisions about information sharing or collaboration.
          10094
    • Secure access to each system component operating system.
      00551
      • Separate user functionality from system management functionality.
        11858
    • Control all methods of remote access and teleworking.
      00559
      • Establish and maintain a remote access and teleworking program.
        04545
      • Control remote access through a network access control.
        01421
        • Employ multifactor authentication for remote access to the organization's network.
          12505
      • Implement two-factor authentication techniques.
        00561
      • Monitor and evaluate all remote access usage.
        00563
    • Manage the use of encryption controls and cryptographic controls.
      00570
      • Employ only secure versions of cryptographic controls.
        12491
      • Establish and maintain digital signatures, as necessary.
        13828
      • Establish, implement, and maintain an encryption management and cryptographic controls policy.
        04546
        • Encrypt restricted data or restricted information using the most secure method possible.
          04824
        • Provide guidance to customers on how to securely transmit, store, and update cryptographic keys.
          12040
      • Establish and maintain cryptographic key management procedures.
        00571
        • Generate strong cryptographic keys.
          01299
          • Generate unique cryptographic keys for each user.
            12169
        • Include the establishment of cryptographic keys in the cryptographic key management procedures.
          06540
        • Disseminate and communicate cryptographic keys securely.
          01300
        • Store cryptographic keys securely.
          01298
          • Restrict access to cryptographic keys.
            01297
          • Store cryptographic keys in encrypted format.
            06084
          • Store key-encrypting keys and data-encrypting keys in different locations.
            06085
        • Change cryptographic keys, as necessary.
          01302
        • Control cryptographic keys with split knowledge and dual control.
          01304
        • Prevent the unauthorized substitution of cryptographic keys.
          01305
        • Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys.
          06852
          • Replace known or suspected compromised cryptographic keys immediately.
            01306
        • Require key custodians to sign the key custodian's roles and responsibilities.
          11820
        • Establish and maintain requirements for Personal Identity Verification authentication certificates.
          06587
        • Establish a Root Certification Authority to support the Public Key Infrastructure.
          07084
          • Establish and maintain Public Key certificate procedures.
            07085
      • Use strong data encryption to transmit restricted data or restricted information over public networks.
        00564
        • Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls.
          12492
        • Encrypt traffic over public networks with trusted cryptographic keys.
          12490
        • Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks.
          00568
        • Protect application services information transmitted over a public network from unauthorized modification.
          12021
    • Establish, implement, and maintain a malicious code protection program.
      00574
      • Install security and protection software on all systems.
        00575
      • Scan for malicious code, as necessary.
        11941
        • Remove malware when malicious code is discovered.
          13691
      • Log and react to all malicious code activity.
        07072
        • Analyze the behavior and characteristics of the malicious code.
          10672
      • Lock antivirus configurations.
        10047
    • Establish and maintain an application security policy.
      06438
      • Conduct application security reviews, as necessary.
        06298
        • Include all vulnerabilities in the application security review.
          12036
        • Assign application security reviews for web-facing applications to an organization that specializes in application security.
          12035
        • Correct all found deficiencies according to organizational standards after a web application policy compliance review.
          06299
        • Re-evaluate the web application after deficiencies have been corrected.
          06300
    • Establish and maintain a virtual environment and shared resources security program.
      06551
      • Establish and maintain a shared resources management program.
        07096
  • Physical and environmental protection
    00709
    • Establish and maintain a physical security program.
      11757
      • Establish and maintain physical security procedures.
        13076
      • Establish and maintain an anti-tamper protection program.
        10638
        • Monitor for evidence of when tampering indicators are being identified.
          11905
          • Inspect device surfaces to detect tampering.
            11868
          • Inspect device surfaces to detect unauthorized substitution.
            11869
        • Protect assets from tampering or unapproved substitution.
          11902
      • Establish and maintain a facility physical security program.
        00711
        • Maintain all physical security systems.
          02206
        • Identify and document physical access controls for all physical entry points.
          01637
          • Control physical access to (and within) the facility.
            01329
            • Define and implement access procedures for all organizational facilities and controlled access areas.
              13629
            • Secure physical entry points with physical access controls or security guards.
              01640
            • Establish and maintain a visitor access permissions policy.
              06699
              • Escort visitors within the facility, as necessary.
                06417
              • Authorize visitors before granting entry to physical areas containing restricted data or restricted information.
                01330
            • Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information.
              01436
              • Authorize physical access to sensitive areas based on job functions.
                12462
              • Review facility access lists.
                01251
                • Change access requirements to organizational assets for personnel and visitors, as necessary.
                  12463
            • Establish and maintain physical identification procedures.
              00713
              • Manage visitor identification inside the facility.
                11670
                • Issue visitor identification badges to all non-employees.
                  00543
                • Retrieve visitor identification badges prior to the exit of a visitor from the facility.
                  01331
              • Establish and maintain identification issuance procedures for identification cards or badges.
                06598
              • Restrict access to the badge system to authorized personnel.
                12043
              • Establish and maintain identification mechanism termination procedures.
                06306
          • Use locks to protect against unauthorized physical access.
            06342
            • Use locks with electronic authentication systems or cipher locks, as necessary.
              06650
              • Establish and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems.
                00748
        • Implement physical security standards for mainframe rooms or data centers.
          00749
        • Establish and maintain a guideline for working in a secure area.
          04538
        • Monitor entry through all physical entry points.
          01638
          • Establish and maintain a visitor log.
            00715
            • Record the visitor's name in the visitor log.
              00557
            • Record the visitor's organization in the visitor log.
              12121
            • Record the onsite personnel authorizing physical access for the visitor in the visitor log.
              12466
            • Retain all records in the visitor log as prescribed by law.
              00572
          • Establish and maintain a physical access log.
            12080
          • Observe restricted areas with motion detectors or closed-circuit television systems.
            01328
            • Review and correlate all data collected from video cameras and/or access control mechanisms with other entries.
              11609
            • Retain video events according to Records Management procedures.
              06304
          • Monitor physical entry point alarms.
            01639
      • Establish and maintain physical security controls for distributed Information Technology assets.
        00718
        • Restrict physical access to distributed Information Technology assets.
          11865
          • Protect electronic storage media with physical access controls.
            00720
        • Establish and maintain removable storage media controls.
          06680
          • Control access to restricted storage media.
            04889
          • Physically secure all electronic storage media that store restricted data or restricted information.
            11664
          • Log the transfer of removable storage media.
            12322
          • Establish and maintain storage media access control procedures.
            00959
            • Require removable storage media be in the custody of an authorized individual.
              12319
          • Control the storage of restricted storage media.
            00965
            • Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults.
              00717
          • Control the transiting and internal distribution or external distribution of restricted storage media.
            00963
            • Obtain management authorization for restricted storage media transit or distribution from a controlled access area.
              00964
            • Transport restricted media using a delivery method that can be tracked.
              11777
        • Protect distributed Information Technology assets against theft.
          06799
          • Control the delivery of assets through physical entry points and physical exit points.
            01441
          • Establish, implement, and maintain off-site physical controls for all distributed Information Technology assets.
            04539
        • Establish and maintain mobile device security guidelines.
          04723
          • Include prohibiting the usage of unapproved application stores in the mobile device security guidelines.
            12290
          • Implement mobile device security guidelines.
            06353
          • Encrypt information stored on mobile devices.
            01422
        • Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls.
          00722
        • Establish and maintain asset return procedures.
          04537
          • Require the return of all assets upon notification an individual is terminated.
            06679
      • Install and maintain network jacks and outlet boxes.
        08635
        • Implement physical controls to restrict access to publicly accessible network jacks.
          11989
        • Enable network jacks at the patch panel, as necessary.
          06305
          • Implement logical controls to enable network jacks, as necessary.
            11934
    • Establish and maintain an environmental control program.
      00724
      • Establish and maintain environmental control procedures.
        12246
      • Protect power equipment and power cabling from damage or destruction.
        01438
      • Establish and maintain facility maintenance procedures.
        00710
        • Design the Information Technology facility with a low profile and consideration given to natural disasters and man-made disasters.
          00712
          • Build the Information Technology facility with fire resistant materials.
            06365
        • Define selection criteria for facility locations.
          06351
      • Monitor and review environmental protections.
        12571
      • Establish and maintain a fire prevention and fire suppression standard.
        06695
        • Install and maintain fire protection equipment.
          00728
        • Install and maintain fire suppression systems.
          00729
        • Conduct periodic fire marshal inspections for all organizational facilities.
          04888
        • Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes.
          06362
      • Conduct fire drills, as necessary.
        13985
      • Employ environmental protections.
        12570
        • Establish and maintain a Heating, Ventilation, and Air Conditioning system.
          00727
          • Install and maintain a moisture control system as a part of the climate control system.
            06694
  • Operational and Systems Continuity
    00731
    • Establish and maintain a business continuity program.
      13210
      • Involve auditors in reviewing and testing the business continuity program.
        13211
      • Establish and maintain a business continuity policy.
        12405
      • Establish and maintain a continuity framework.
        00732
        • Establish and maintain the scope of the continuity framework.
          11908
          • Identify all stakeholders critical to the continuity of operations.
            12741
          • Explain any exclusions to the scope of the continuity framework.
            12236
          • Include the organization's business products and services in the scope of the continuity framework.
            12235
          • Include business units in the continuity framework, as necessary.
            11898
          • Include information security continuity in the continuity framework, as necessary.
            12009
          • Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework.
            12242
        • Take into account external requirements when establishing, implementing, and maintaining the continuity framework.
          11907
        • Include Quality Management in the continuity framework.
          12239
        • Establish and maintain a system continuity plan philosophy.
          00734
          • Define the executive vision of the continuity planning process.
            01243
          • Include a pandemic plan in the continuity plan.
            06800
        • Establish, implement, and maintain continuity roles and responsibilities.
          00733
        • Coordinate continuity planning with other business units responsible for related continuity plans.
          01386
        • Include continuity wrap-up procedures and continuity normalization procedures during continuity planning.
          00761
      • Establish, implement, and maintain a continuity plan and associated continuity procedures.
        00752
        • Include the continuity strategy in the organization's continuity plan.
          13189
        • Include roles and responsibilities in the continuity plan, as necessary.
          13254
        • Coordinate continuity planning with community organizations, as necessary.
          13259
        • Include incident management procedures in the continuity plan.
          13244
        • Include the annual statement based on the continuity plan review in the continuity plan.
          12775
        • Document the uninterrupted power requirements for all in scope systems.
          06707
          • Install an Uninterruptible Power Supply sized to support all critical systems.
            00725
        • Document all supporting information in the continuity plan, such as purpose, scope, and requirements.
          01371
          • Approve the continuity plan requirements before documenting the continuity plan.
            12778
        • Review and update the continuity plan call tree mechanism after a personnel status change.
          01167
        • Establish and maintain damage assessment procedures.
          01267
        • Establish and maintain a recovery plan.
          13288
          • Review and update the recovery plan, as necessary.
            13300
            • Notify interested personnel and affected parties of updates to the recovery plan.
              13302
          • Implement the recovery plan.
            13299
          • Test the recovery plan, as necessary.
            13290
            • Test the backup information, as necessary.
              13303
            • Document lessons learned from testing the recovery plan or an actual event.
              13301
        • Include restoration procedures in the continuity plan.
          01169
          • Include risk prioritized recovery procedures for each business unit in the recovery plan.
            01166
          • Include the recovery plan in the continuity plan.
            01377
          • Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties.
            12758
      • Establish and maintain organizational facility continuity plans.
        02224
        • Install and maintain redundant power supplies for the Information Technology facility.
          06355
          • Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches.
            01439
      • Establish and maintain system continuity plan strategies for all in scope systems.
        00735
        • Define and prioritize critical business functions.
          00736
          • Review and prioritize the importance of each business unit.
            01165
          • Review and prioritize the importance of each business process.
            11689
          • Document the mean time to failure for system components.
            10684
          • Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities.
            12759
        • Establish and maintain Recovery Time Objectives for all in scope services.
          12241
        • Establish and maintain Recovery Time Objectives for all in scope systems.
          11688
        • Define and prioritize critical business records.
          11687
          • Identify all critical business records.
            00737
        • Include the protection of personnel in the continuity plan.
          06378
          • Establish and maintain a critical personnel list.
            00739
            • Identify alternate personnel for each person on the critical personnel list.
              12771
            • Define the triggering events for when to activate the pandemic plan.
              06801
        • Establish and maintain a critical third party list.
          06815
          • Disseminate and communicate critical third party dependencies to interested personnel and affected parties.
            06816
        • Establish, implement, and maintain a critical Information Technology resource list.
          00740
          • Define and maintain continuity Service Level Agreements for all critical Information Technology resources.
            00741
          • Establish and maintain a core supply inventory required to support critical business functions.
            04890
        • Include server continuity procedures in the continuity plan.
          01379
        • Include telecommunications continuity procedures in the continuity plan.
          11691
        • Include system continuity procedures in the continuity plan.
          01268
        • Include Internet Service Provider continuity procedures in the continuity plan.
          00743
          • Include Wide Area Network continuity procedures in the continuity plan.
            01294
            • Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers.
              01397
            • Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards.
              01399
        • Include emergency power continuity procedures in the continuity plan.
          01254
        • Include evacuation procedures in the continuity plan.
          12773
        • Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan.
          01374
          • Establish and maintain physical hazard segregation or removal procedures.
            01248
        • Designate an alternate facility in the continuity plan.
          00742
          • Separate the alternate facility from the primary facility through geographic separation.
            01394
          • Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs.
            01391
        • Include technical preparation considerations for backup operations in the continuity plan.
          01250
          • Establish and maintain backup procedures for in scope systems.
            01258
            • Determine which data elements to back up.
              13483
            • Establish and maintain off-site electronic media storage facilities.
              00957
              • Separate the off-site electronic media storage facilities from the primary facility through geographic separation.
                01390
              • Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur.
                01393
              • Review the security of the off-site electronic media storage facilities, as necessary.
                00573
              • Store backup media at an off-site electronic media storage facility.
                01332
                • Transport backup media in lockable electronic media storage containers.
                  01264
            • Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility.
              01257
              • Store backup vital records in a manner that is accessible for emergency retrieval.
                12765
          • Perform backup procedures for in scope systems.
            11692
            • Encrypt backup data.
              00958
            • Log the execution of each backup.
              00956
            • Test backup media for media integrity and information integrity, as necessary.
              01401
            • Test each restored system for media integrity and information integrity.
              01920
        • Include emergency communications procedures in the continuity plan.
          00750
          • Include managing multiple responding organizations in the emergency communications plan.
            01249
          • Maintain contact information for key third parties in a readily accessible manner.
            12764
          • Log important conversations conducted during emergencies with third parties.
            12763
          • Identify the appropriate staff to route external communications to in the emergency communications procedures.
            12762
          • Identify who can speak to the media in the emergency communications procedures.
            12761
        • Include emergency operating procedures in the continuity plan.
          11694
        • Include a system acquisition process for critical systems in the emergency mode operation plan.
          01369
        • Use available financial resources for the efficaciousness of the service continuity strategy.
          01370
          • Include the ability to obtain additional liquidity in the continuity plan.
            12770
        • Include purchasing insurance in the continuity plan.
          00762
          • Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography.
            06682
          • Review the insurance coverage of the insurance policy, as necessary.
            12688
      • Disseminate and communicate the continuity plan to interested personnel and affected parties.
        00760
        • Store an up-to-date copy of the continuity plan at the alternate facility.
          01171
    • Establish and maintain a pandemic plan.
      13214
      • Match emergency policies to the level of disruption anticipated in the pandemic plan.
        14375
      • Include work that will be suspended during the pandemic in the pandemic plan.
        14380
      • Include alternate work locations in the pandemic plan.
        14376
      • Assign pandemic planning roles and responsibilities, as necessary.
        13230
      • Include a compensation plan in the pandemic plan.
        13231
      • Include a list of which emergency policies will preempt organizational policies during a pandemic in the pandemic plan.
        14374
    • Prepare the alternate facility for an emergency offsite relocation.
      00744
      • Establish, implement, and maintain Service Level Agreements for all alternate facilities.
        00745
        • Include that the shared service provider will not oversubscribe their services in the Service Level Agreement.
          04892
        • Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement.
          04893
      • Configure the alternate facility to meet the least needed operational capabilities.
        01395
      • Protect backup systems and restoration systems at the alternate facility.
        04883
    • Train personnel on the continuity plan.
      00759
      • Include stay at home order training in the continuity plan training.
        14382
    • Establish and maintain a continuity test plan.
      04896
      • Include test scenarios in the continuity test plan.
        13506
    • Test the continuity plan, as necessary.
      00755
      • Include coverage of all major components in the scope of testing the continuity plan.
        12767
      • Include third party recovery services in the scope of testing the continuity plan.
        12766
      • Validate the emergency communications procedures during continuity plan tests.
        12777
      • Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan.
        12769
      • Test the continuity plan under conditions that simulate a disaster or disruption.
        00757
        • Validate the evacuation plans during continuity plan tests.
          12760
      • Test the continuity plan at the alternate facility.
        01174
        • Coordinate testing the continuity plan with all applicable business units and critical business functions.
          01388
          • Review all third parties' continuity plan test results.
            01365
        • Document the continuity plan test results and provide them to senior management.
          06548
    • Implement the continuity plan, as necessary.
      10604
      • Activate the continuity plan if the damage assessment report indicates the activation criterion has been met.
        01373
        • Execute fail-safe procedures when an emergency occurs.
          07108
      • Lead or manage business continuity and system continuity, as necessary.
        12240
        • Allocate financial resources to implement the continuity plan, as necessary.
          12993
      • Restore systems and environments to be operational.
        13476
      • Monitor and evaluate business continuity management system performance.
        12410
        • Record business continuity management system performance for posterity.
          12411
    • Review and update the continuity plan.
      00754
      • Report changes in the continuity plan to senior management.
        12757
      • Document and use the lessons learned to update the continuity plan.
        10037
  • Human Resources management
    00763
    • Establish and maintain high level operational roles and responsibilities.
      00806
      • Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program.
        13112
      • Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures.
        00807
      • Define and assign the Chief Information Officer's roles and responsibilities.
        00808
      • Define and assign the Information Technology staff's roles and responsibilities.
        00809
      • Define and assign the technology security leader's roles and responsibilities.
        01897
      • Define and assign the Chief Security Officer's roles and responsibilities.
        06431
      • Establish and maintain an Information Technology steering committee.
        12706
        • Convene the Information Technology steering committee, as necessary.
          12730
        • Assign reviewing investments to the Information Technology steering committee, as necessary.
          13625
    • Define and assign workforce roles and responsibilities.
      13267
      • Establish and maintain cybersecurity roles and responsibilities.
        13201
      • Assign roles and responsibilities for physical security, as necessary.
        13113
      • Define and assign roles and responsibilities for those involved in risk management.
        13660
      • Assign the roles and responsibilities for the change control program.
        13118
      • Identify and define all key Information Technology roles.
        00777
        • Assign responsibility for cyber threat intelligence.
          12746
        • Define and assign the data controller's roles and responsibilities.
          00471
          • Assign the role of data controller to applicable controls.
            00354
        • Assign the role of the Quality Management committee to applicable controls.
          00769
          • Assign interested personnel to the Quality Management committee.
            07193
        • Assign the role of fire protection management to applicable controls.
          04891
      • Define and assign roles and responsibilities for dispute resolution.
        13626
    • Analyze workforce management.
      12844
      • Evaluate Information Technology personnel job performance.
        00787
      • Identify root causes of staffing shortages, if any exist.
        13276
    • Establish and maintain a personnel management program.
      14018
      • Establish and maintain a succession plan for organizational leaders and support personnel.
        11822
      • Establish and maintain onboarding procedures for new hires.
        11760
        • Train all new hires, as necessary.
          06673
      • Establish, implement, and maintain a personnel security program.
        10628
        • Establish and maintain Information Technology staff security clearance level criteria.
          00780
        • Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies.
          00782
          • Establish and maintain personnel screening procedures.
            11700
            • Perform a background check during personnel screening.
              11758
              • Perform a criminal records check during personnel screening.
                06643
              • Perform an academic records check during personnel screening.
                06647
              • Perform a curriculum vitae check during personnel screening.
                06660
          • Document the personnel risk assessment results.
            11764
          • Establish, implement, and maintain security clearance procedures.
            00783
            • Perform periodic background checks on designated roles, as necessary.
              11759
      • Establish and maintain personnel status change and termination procedures.
        06549
        • Notify terminated individuals of applicable, legally binding post-employment requirements.
          10630
          • Enforce the information security responsibilities and duties that remain valid after termination or change of employment.
            11992
        • Update contact information of any individual undergoing a personnel status change, as necessary.
          12692
    • Establish and maintain the Information Technology staff structure in line with the Strategic Information Technology Plan.
      00764
      • Document and communicate role descriptions to all applicable personnel.
        00776
      • Assign and staff all roles appropriately.
        00784
        • Delegate authority for specific processes, as necessary.
          06780
      • Implement a staff rotation plan.
        12772
      • Place Information Technology operations in a position to support the business model.
        00766
      • Implement personnel supervisory practices.
        00773
      • Implement segregation of duties in roles and responsibilities.
        00774
        • Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical.
          06960
      • Evaluate the Information Technology staffing requirements regularly.
        00775
      • Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the Information Technology staff.
        00779
    • Establish job categorization criteria, job recruitment criteria, and promotion criteria.
      00781
      • Use rewards and career development to motivate personnel.
        06906
      • Establish and maintain a compensation, reward, and recognition program.
        12806
    • Train all personnel and third parties, as necessary.
      00785
      • Establish and maintain an education methodology.
        06671
        • Support certification programs as viable training programs.
          13268
        • Retrain all personnel annually or as necessary.
          01362
        • Tailor training to meet published guidance on the subject being taught.
          02217
        • Tailor training to be taught at each person's level of responsibility.
          06674
        • Conduct cross-training or staff backup training to minimize dependency on critical individuals.
          00786
        • Document all training in a training record.
          01423
      • Conduct tests and evaluate training.
        06672
      • Review the current published guidance and awareness and training programs.
        01245
      • Establish and implement training plans.
        00828
        • Develop or acquire content to update the training plans.
          12867
        • Include ethical culture in the training plan, as necessary.
          12801
        • Include duties and responsibilities in the training plan, as necessary.
          12800
          • Conduct bespoke roles and responsibilities training, as necessary.
            13192
        • Conduct personal data processing training.
          13757
        • Establish and maintain a security awareness program.
          11746
          • Include configuration management procedures in the security awareness program.
            13967
          • Document security awareness requirements.
            12146
            • Include updates on emerging issues in the security awareness program.
              13184
            • Include cybersecurity in the security awareness program.
              13183
            • Include training based on the participants' level of responsibility and access level in the security awareness program.
              11802
          • Document the goals of the security awareness program.
            12145
          • Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties.
            00823
            • Train all personnel and third parties on how to recognize and report security incidents.
              01211
            • Require personnel to acknowledge, by signature, that they have read and understand the organization's security policies.
              01363
        • Conduct secure coding and development training for developers.
          06822
        • Conduct tampering prevention training.
          11875
          • Include the mandate to refrain from installing, replacing, or returning any asset absent verification in the tampering prevention training.
            11877
          • Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training.
            11876
          • Include how to report tampering in the tampering prevention training.
            11879
          • Include how to prevent physical tampering in the tampering prevention training.
            11878
        • Train interested personnel and affected parties to collect digital forensic evidence.
          08658
        • Update training plans, as necessary.
          12868
      • Analyze and evaluate training records to improve the training program.
        06380
    • Establish and maintain a personnel health and safety policy.
      00716
      • Establish, implement, and maintain health and safety personnel disinfecting procedures.
        06802
      • Provide protective face masks for critical personnel, as necessary.
        06803
      • Establish and maintain food handling procedures.
        11765
      • Vaccinate critical employees, as necessary.
        06805
      • Establish and maintain a travel program for all personnel.
        10597
        • Establish and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards that could affect personnel while traveling internationally.
          06076
    • Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment.
      04897
      • Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment.
        12029
      • Take disciplinary actions against individuals if they violate the Code of Conduct or any organizational compliance controls.
        06435
      • Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.
        06664
    • Conduct staff performance reviews, as necessary.
      07205
    • Establish and maintain an ethics program.
      11496
      • Establish and maintain an ethical culture in the organization.
        12781
      • Establish mechanisms for whistleblowers to report compliance violations.
        06806
      • Refrain from assigning roles and responsibilities that breach segregation of duties.
        12055
  • Operational management
    00805
    • Establish and implement a capacity management plan.
      11751
      • Establish and maintain a capacity planning baseline.
        13492
      • Establish, implement, and maintain future system capacity forecasting methods.
        01617
      • Align critical Information Technology resource availability planning with capacity planning.
        01618
      • Forecast system workloads.
        00938
      • Utilize resource capacity management controls.
        00939
    • Manage cloud services.
      13144
      • Protect clients' hosted environments.
        11862
        • Notify cloud customers of the geographic locations of the cloud service organization and its assets.
          13037
      • Establish and maintain cloud service agreements, as necessary.
        13157
      • Establish and maintain cloud management procedures.
        13149
      • Establish and maintain a cloud service usage standard.
        13143
        • Include the roles and responsibilities of cloud service users in the cloud service usage standard.
          13984
      • Monitor managing cloud services.
        13150
        • Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties.
          13159
      • Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties.
        13147
    • Document the organization's business processes.
      13035
    • Establish and maintain a Governance, Risk, and Compliance framework.
      01406
      • Include enterprise architecture in the Governance, Risk, and Compliance framework.
        13266
      • Acquire resources necessary to support Governance Risk and Compliance.
        12861
      • Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities.
        12895
      • Analyze the effect of the Governance, Risk, and Compliance capability on achieving organizational objectives.
        12809
      • Assign accountability for maintaining the Governance, Risk, and Compliance framework.
        12523
      • Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework.
        12524
      • Establish and maintain a positive information control environment.
        00813
      • Establish and maintain an internal control framework.
        00820
        • Assign resources to implement the internal control framework.
          00816
        • Establish and maintain a baseline of internal controls.
          12415
        • Include procedures for continuous quality improvement in the internal control framework.
          00819
        • Include threat assessment in the internal control framework.
          01347
        • Include vulnerability management and risk assessment in the internal control framework.
          13102
          • Automate vulnerability management, as necessary.
            11730
        • Include continuous security warning monitoring procedures in the internal control framework.
          01358
        • Include security information sharing procedures in the internal control framework.
          06489
          • Share relevant security information with Special Interest Groups, as necessary.
            11732
        • Include incident response escalation procedures in the internal control framework.
          11745
        • Include continuous user account management procedures in the internal control framework.
          01360
        • Authorize and document all exceptions to the internal control framework.
          06781
        • Review the internal control framework, as necessary.
          01348
          • Measure policy compliance when reviewing the internal control framework.
            06442
      • Establish and maintain an information security program.
        00812
        • Include technical safeguards in the information security program.
          12374
        • Include system development in the information security program.
          12389
        • Include system acquisition in the information security program.
          12387
        • Include communication management in the information security program.
          12384
        • Include a continuous monitoring program in the information security program.
          14323
        • Include risk management in the information security program.
          12378
        • Provide management direction and support for the information security program.
          11999
        • Monitor and review the effectiveness of the information security program.
          12744
        • Establish and maintain an information security policy.
          11740
          • Align the information security policy with the organization's risk acceptance level.
            13042
          • Include a commitment to the information security requirements in the information security policy.
            13496
          • Include information security objectives in the information security policy.
            13493
          • Review and update the information security policy, as necessary.
            11741
          • Review the information security procedures, as necessary.
            12006
        • Approve the information security policy at the organization's management level or higher.
          11737
        • Document the roles and responsibilities for all activities that protect restricted data in the information security procedures.
          12304
        • Assign ownership of the information security program to the appropriate role.
          00814
          • Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role.
            11884
          • Assign information security responsibilities to interested personnel and affected parties in the information security program.
            11885
          • Assign the responsibility for distributing the information security program to the appropriate role.
            11883
        • Disseminate and communicate the information security policy to interested personnel and affected parties.
          11739
        • Establish and maintain operational control procedures.
          00831
          • Establish, implement, and maintain a Standard Operating Procedures Manual.
            00826
            • Include information sharing procedures in standard operating procedures.
              12974
            • Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties.
              12026
          • Establish and maintain a job scheduling methodology.
            00834
          • Establish and maintain a data processing continuity plan.
            00836
        • Establish and maintain an Acceptable Use Policy.
          01350
          • Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.
            01351
          • Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the acceptable use policy.
            11894
          • Include Bring Your Own Device usage in the Acceptable Use Policy.
            12293
          • Include Bring Your Own Device security guidelines in the Acceptable Use Policy.
            01352
          • Include asset tags in the Acceptable Use Policy.
            01354
          • Include asset use policies in the Acceptable Use Policy.
            01355
            • Include authority for access authorization lists for assets in all relevant Acceptable Use Policies.
              11872
            • Include access control mechanisms in the Acceptable Use Policy.
              01353
              • Include temporary activation of remote access technologies for third parties in the acceptable use policy.
                11892
            • Include prohibiting copying or moving of restricted data from its original source onto local hard drives or removable storage media in the acceptable use policy.
              11893
          • Correlate the Acceptable Use Policy with the network security policy.
            01356
            • Include appropriate network locations for each technology in the acceptable use policy.
              11881
          • Correlate the Acceptable Use Policy with the approved product list.
            01357
          • Include disciplinary actions in the Acceptable Use Policy.
            00296
          • Include a software installation policy in the Acceptable Use Policy.
            06749
          • Document idle session termination and logout for remote access technologies in the Acceptable Use Policy.
            12472
          • Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties.
            12431
        • Establish, implement, and maintain an e-mail policy.
          06439
          • Include business use of personal e-mail in the e-mail policy.
            14381
        • Protect policies, standards, and procedures from unauthorized modification or disclosure.
          10603
      • Establish and maintain nondisclosure agreements.
        04536
        • Require interested personnel and affected parties to sign nondisclosure agreements.
          06667
          • Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary.
            06669
        • Review nondisclosure agreements on a regular basis.
          12437
      • Implement and comply with the Governance, Risk, and Compliance framework.
        00818
        • Analyze the organizational culture.
          12899
          • Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture.
            12922
        • Establish and maintain consequences for non-compliance with the organizational compliance framework.
          11747
        • Comply with all implemented policies in the organization's compliance framework.
          06384
        • Review systems for compliance with organizational information security policies.
          12004
        • Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.
          00815
      • Review and update the Governance, Risk, and Compliance framework, as necessary.
        00817
    • Establish and maintain a Service Management System, as necessary.
      13889
      • Establish and maintain a service management program.
        11388
        • Include the service management objectives in the service management program.
          11389
        • Include the service requirements in the service management program.
          11390
        • Include known limitations in the service management program.
          11391
        • Include all resources needed to achieve the objectives in the service management program.
          11394
        • Include all technologies used to support service management in the service management program.
          11398
    • Establish and maintain a network management program.
      13123
      • Document the network design in the network management program.
        13135
    • Establish and maintain an Asset Management program.
      06630
      • Assign an information owner to organizational assets, as necessary.
        12729
      • Establish and apply classification schemes for all systems and assets.
        01902
        • Apply security controls to each level of the information classification standard.
          01903
          • Define confidentiality controls.
            01908
          • Establish and maintain the systems' availability level.
            01905
          • Establish and maintain the systems' integrity level.
            01906
          • Define availability controls.
            01911
        • Classify assets according to the Asset Classification Policy.
          07186
          • Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy.
            07184
      • Establish, implement, and maintain an asset inventory database.
        06631
        • Record the make and model of device for applicable assets in the asset inventory.
          12465
        • Record the physical location for applicable assets in the asset inventory.
          06634
        • Record the manufacturer's serial number for applicable assets in the asset inventory.
          06635
        • Record the owner for applicable assets in the asset inventory.
          06640
        • Record all changes to assets in the asset inventory database.
          12190
      • Establish and maintain a software accountability policy.
        00868
        • Establish and maintain software asset management procedures.
          00895
      • Establish and maintain a system redeployment or disposal program.
        06276
        • Wipe all data on systems before they are redeployed or disposed of.
          06401
      • Establish and maintain a system preventive maintenance program.
        00885
        • Establish and maintain maintenance reports.
          11749
        • Conduct maintenance with authorized personnel.
          01434
        • Acquire spare parts before maintenance requests are scheduled.
          11833
        • Perform periodic maintenance according to organizational standards.
          01435
        • Calibrate assets according to the calibration procedures for the asset.
          06203
          • Post calibration limits or calibration tolerances on or near assets requiring calibration.
            06204
      • Dispose of hardware and software at their life cycle end.
        06278
    • Establish and maintain a customer service program.
      00846
      • Establish and maintain an Incident Management program.
        00853
        • Assign the roles and responsibilities for incident management procedures.
          13055
        • Include incident escalation procedures in the Incident Management program.
          00856
        • Define the characteristics of the Incident Management program.
          00855
          • Include the criteria for a security incident in the Incident Management program.
            12173
        • Include intrusion detection procedures in the Incident Management program.
          00588
          • Categorize the incident following an incident response.
            13208
            • Define and document impact thresholds to be used in categorizing incidents.
              10033
            • Determine the incident severity level when assessing the security incidents.
              01650
          • Identify root causes of incidents that force system changes.
            13482
          • Respond to and triage when a security incident is detected.
            06942
            • Document the incident and any relevant evidence in the incident report.
              08659
            • Respond to all alerts from security systems in a timely manner.
              06434
            • Coordinate incident response activities with interested personnel and affected parties.
              13196
          • Contain the incident to prevent further loss and preserve the system for forensic analysis.
            01751
          • Assess all security incidents to determine what information was accessed.
            01226
            • Check the precursors and indicators when assessing the security incidents.
              01761
          • Create an incident response report following an incident response.
            12700
            • Include the number of customers that were affected by the security incident in the incident response report.
              12727
            • Include the scope of the security incident in the incident response report.
              12717
            • Include the reasons the security incident occurred in the incident response report.
              12711
            • Include lessons learned from the security incident in the incident response report.
              12713
            • Include corrective action that was taken to eradicate the security incident in the incident response report.
              12708
            • Include a description of the impact the security incident had on operations in the incident response report.
              12703
            • Include a root cause analysis of the security incident in the incident response report.
              12701
          • Share incident information with interested personnel and affected parties.
            01212
            • Share data loss event information with the media.
              01759
          • Include data loss event notifications in the Incident Response program.
            00364
            • Include legal requirements for data loss event notifications in the incident response program.
              11954
            • Notify interested personnel and affected parties of the privacy breach that affects their personal data.
              00365
              • Establish and maintain incident response notifications, as necessary.
                12975
              • Include information required by law in incident response notifications.
                00802
                • Include a "What We Are Doing" heading in the breach notification.
                  12982
                  • Include what the organization has done to enhance data protection controls in incident response notifications.
                    04736
          • Include incident recovery procedures in the Incident Management program.
            01758
            • Establish and maintain a restoration log.
              12745
          • Analyze security violations in Suspicious Activity Reports.
            00591
            • Update the incident response procedures using the lessons learned.
              01233
        • Include incident monitoring procedures in the Incident Management program.
          01207
        • Include incident response procedures in the Incident Management program.
          01218
        • Integrate configuration management procedures into the incident management program.
          13647
        • Include incident management procedures in the Incident Management program.
          12689
          • Include temporary and emergency access authorization procedures in the Incident Management program.
            00858
        • Include after-action analysis procedures in the Incident Management program.
          01219
        • Conduct incident investigations, as necessary.
          13826
          • Analyze the behaviors of individuals involved in the incident during the incident investigation.
            14042
          • Interview suspects during an incident investigation, as necessary.
            14041
          • Interview victims and witnesses during incident investigations, as necessary.
            14038
        • Establish, implement, and maintain incident management audit logs.
          13514
          • Log incidents in the Incident Management audit log.
            00857
            • Include the organizational functions affected by disruption in the Incident Management audit log.
              12238
            • Include the organization's business products and services affected by disruptions in the Incident Management audit log.
              12234
        • Include incident record closure procedures in the Incident Management program.
          01620
        • Include incident reporting procedures in the Incident Management program.
          11772
      • Establish and maintain a customer service business function.
        00847
        • Confirm the customer agrees with the resolution process associated with the complaint.
          13630
        • Document the resolution of issues reported to customer service.
          12918
      • Investigate and take action regarding help desk queries.
        06324
      • Log help desk queries.
        00848
      • Establish and maintain help desk query escalation procedures.
        00849
      • Establish and maintain help desk query clearance monitoring procedures.
        00850
      • Establish and maintain help desk query trend analysis procedures.
        00851
      • Provide customer security advice, as necessary.
        13674
    • Establish and maintain an Incident Response program.
      00579
      • Define target resolution times for incident response in the Incident Response program.
        13072
      • Analyze and respond to security alerts.
        12504
      • Mitigate reported incidents.
        12973
      • Establish and maintain an incident response plan.
        12056
      • Establish and maintain a cyber incident response plan.
        13286
      • Include incident response team structures in the Incident Response program.
        01237
        • Include the incident response team member's roles and responsibilities in the Incident Response program.
          01652
          • Include the incident response point of contact's roles and responsibilities in the Incident Response program.
            01877
            • Notify interested personnel and affected parties that a security breach was detected.
              11788
          • Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program.
            01885
          • Assign the distribution of security alerts to the appropriate role in the incident response program.
            11887
          • Assign the monitoring and analysis of received security alerts to the appropriate role in the incident response program.
            11886
          • Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program.
            12473
          • Assign the distribution of incident response procedures to the appropriate role in the incident response program.
            12474
        • Include personnel contact information in the event of an incident in the Incident Response program.
          06385
        • Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program.
          11789
        • Include procedures for providing updated status information to the crisis management team in the incident response plan.
          12776
      • Include coverage of all system components in the incident response program.
        11955
      • Include incident response team services in the Incident Response program.
        11766
        • Include the incident response training program in the Incident Response program.
          06750
          • Incorporate realistic, tested exercises into the incident response training program.
            06753
          • Conduct incident response training.
            11889
      • Establish and maintain incident response procedures.
        01206
        • Include references to industry best practices in the incident response procedures.
          11956
        • Include responding to alerts from security monitoring systems in the incident response procedures.
          11949
      • Include business continuity procedures in the Incident Response program.
        06433
        • Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures.
          06432
      • Establish trust between the incident response team and the end user community during a security incident.
        01217
      • Include business recovery procedures in the Incident Response program.
        11774
      • Establish and maintain a digital forensic evidence framework.
        08652
        • Retain collected evidence for potential future legal actions.
          01235
          • Establish and maintain a chain of custody for all devices containing digital forensic evidence.
            08686
        • Define the business scenarios that require digital forensic evidence.
          08653
          • Define the circumstances for collecting digital forensic evidence.
            08657
            • Conduct forensic investigations in the event of a security compromise.
              11951
        • Contact affected parties to participate in forensic investigations, as necessary.
          12343
        • Identify potential sources of digital forensic evidence.
          08651
        • Document the legal requirements for evidence collection.
          08654
        • Establish and maintain a digital forensic evidence collection program.
          08655
        • Establish, implement, and maintain secure storage and handling of evidence procedures.
          08656
        • Prepare digital forensic equipment.
          08688
          • Use digital forensic equipment suitable to the circumstances.
            08690
          • Test the operation of the digital forensic equipment prior to use.
            08694
        • Collect evidence from the incident scene.
          02236
          • Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report.
            08679
          • Secure devices containing digital forensic evidence.
            08681
            • Use a write blocker to prevent digital forensic evidence from being modified.
              08692
            • Create a system image of the device before collecting digital forensic evidence.
              08673
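The evidence-handling controls above (retain evidence, keep a chain of custody, use a write blocker, image the device before examination) are stated as requirements only. The following is an added example written for this page, not code from any of the authority documents it lists: it images a constructed in-memory "device" while hashing the source before and after the copy, and keeps a hash-chained custody ledger so that an edited, removed or reordered entry is detectable. The evidence identifiers, handler names and the 16 KiB byte string are constructed; a hardware write blocker is assumed for real media, since software cannot substitute for one.

```python
"""Added example (not from any authority document on this page): read-only
acquisition of a device image with before/after hash verification, plus a
tamper-evident chain-of-custody ledger.

The "device" below is a constructed in-memory byte string. On a real system
the source would be a block device read through a hardware write blocker,
which software alone cannot replace; the hashes only prove the copy matches
what was read, not that the source was never writable."""
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

CHUNK = 4096
GENESIS = "0" * 64


def sha256_stream(fobj):
    """Hash a file-like object from its current position to EOF."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def acquire_image(source, dest):
    """Copy source to dest, hashing the source before and after the copy and
    the image as it is written. All three digests must agree; otherwise the
    source changed during acquisition or the copy is corrupt."""
    source.seek(0)
    before = sha256_stream(source)
    source.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        dest.write(block)
    image_hash = h.hexdigest()
    source.seek(0)
    after = sha256_stream(source)
    return {
        "source_hash_before": before,
        "image_hash": image_hash,
        "source_hash_after": after,
        "verified": before == image_hash == after,
    }


def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Append-only custody entries; each carries the hash of the previous
    entry, so an edited, removed or reordered entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, action, handler, note="", when=None):
        body = {
            "evidence_id": evidence_id,
            "action": action,
            "handler": handler,
            "note": note,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        body["entry_hash"] = _entry_hash(body)
        self.entries.append(body)
        return body

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev:
                return False
            if not hmac.compare_digest(_entry_hash(body), entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed walk-through: image a fake device and log its custody."""
    device = io.BytesIO(bytes(range(256)) * 64)   # constructed 16 KiB "disk"
    image = io.BytesIO()
    result = acquire_image(device, image)
    ledger = CustodyLedger()
    ledger.record("EV-0001", "seized", "analyst-a", "laptop SSD, sealed bag #17")
    ledger.record("EV-0001", "imaged", "analyst-a", "sha256=" + result["image_hash"])
    ledger.record("EV-0001", "transferred", "analyst-b", "placed in evidence locker")
    return result, image.getvalue(), ledger
```

The ledger hashes its own entries rather than signing them, so it detects accidental or casual tampering but not a party who can rewrite the whole file; for evidence that may reach court, the image hash and each custody transfer would also be countersigned or recorded out of band.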
      • Review and update the incident response procedures after a security incident has been closed.
        01208
      • Disseminate and communicate the incident response procedures to all interested personnel and affected parties.
        01215
      • Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results.
        12306
      • Test the incident response procedures.
        01216
    • Establish and maintain a performance management standard.
      01615
      • Establish and maintain future system performance forecasting methods.
        11775
      • Utilize resource availability management controls.
        00940
      • Establish, implement, and maintain rate limiting filters.
        06883
        • Establish and maintain system capacity monitoring procedures.
          01619
        • Establish and maintain system performance monitoring procedures.
          11752
    • Establish and maintain a collection management program.
      14013
      • Receive and follow up on information collection requests.
        14075
        • Track status of information collection requests.
          14265
        • Validate the link between critical information requirements and intelligence requirements in information collection requests.
          14090
        • Develop information requirements for following up on information collection requests.
          14077
        • Submit information collection requests for processing.
          14259
        • Solicit feedback on the quality of follow-up on information requests.
          14254
      • Disseminate information collected using collection resources to all interested personnel and affected parties.
        14089
      • Establish and implement a collection plan.
        14021
        • Include collection requirements in the collection plan.
          14036
          • Review collection requirements in the collection plan, as necessary.
            14088
        • Include collection plans in other governance documents, as necessary.
          14261
        • Request discipline-specific exploitation for information collected using collection resources.
          14087
        • Request discipline-specific processing for information collected using collection resources.
          14085
        • Allocate collection assets as defined in the collection plan.
          14083
        • Monitor collection activities.
          14046
        • Review and update the collection plan, as necessary.
          14044
          • Document changes to the collection plan that affect collection assets.
            14079
          • Modify collection requirements as necessary.
            14076
        • Evaluate the effectiveness of collection assets against the collection plan.
          14082
        • Evaluate the effectiveness of collection operations against the collection plan.
          14043
            • Compile lessons learned from the collection management activity's execution of the collection plan.
            14264
          • Optimize collection resources, as necessary.
            14086
          • Adjust collection operations or the collection plan itself, as necessary.
            14080
        • Communicate the collection management program to all interested personnel and affected parties.
          14263
        • Link collection requirements to assets and resources in the collection plan.
          14040
      • Establish and maintain electronic target folders, as necessary.
        14320
      • Provide feedback regarding the collection management program to all interested personnel and affected parties.
        14262
    • Provide language analysis support, as necessary.
      14084
      • Transcribe voice materials, as necessary.
        14260
    • Establish and maintain a Service Level Agreement framework.
      00839
      • Include exceptions in the Service Level Agreements, as necessary.
        13912
      • Include the appropriate aspects of the Quality Management program in the Service Level Agreement.
        00845
      • Include the organizational structure for service level management in the Service Level Agreement framework.
        13633
      • Include capacity planning in Service Level Agreements.
        13096
      • Include Operational Level Agreements within Service Level Agreements, as necessary.
        13631
      • Include funding sources in Service Level Agreements, as necessary.
        13632
      • Include business requirements of delivered services in the Service Level Agreement.
        00840
      • Include performance requirements in the Service Level Agreement.
        00841
      • Include the service levels for network services in the Service Level Agreement.
        12024
      • Include availability requirements in Service Level Agreements.
        13095
    • Establish and maintain a cost management program, as necessary.
      13638
      • Establish and maintain cost management procedures.
        00873
        • Update the business cases for cost management procedures, as necessary.
          13642
        • Perform an impact assessment of any deviations found in the cost management procedures.
          13641
        • Identify deviations in cost management procedures.
          13640
      • Identify and allocate departmental costs.
        00871
        • Establish and maintain an Information Technology financial management framework.
          01610
        • Prepare an annual Information Technology budget.
          00872
          • Review and approve the Information Technology budget.
            13644
          • Update the Information Technology budget, as necessary.
            13643
        • Justify the system's cost and benefit.
          00874
        • Compare actual Information Technology costs to forecasted Information Technology budgets.
          11753
    • Establish and maintain a change control program.
      00886
      • Include potential consequences of unintended changes in the change control program.
        12243
      • Include version control in the change control program.
        13119
      • Separate the production environment from the development and test environments for the change control process.
        11864
      • Integrate configuration management procedures into the change control program.
        13646
      • Establish and maintain a back-out plan.
        13623
        • Establish back-out procedures for each proposed change in a change request.
          00373
        • Review and approve back-out plans, as necessary.
          13627
      • Manage change requests.
        00887
        • Include documentation of the impact level of proposed changes in the change request.
          11942
        • Document all change requests in change request forms.
          06794
        • Examine all changes to ensure they correspond with the change request.
          12345
        • Approve tested change requests.
          11783
          • Disseminate and communicate proposed changes to all interested personnel and affected parties.
            06807
      • Establish and maintain emergency change procedures.
        00890
        • Perform emergency changes, as necessary.
          12707
          • Log emergency changes after they have been performed.
            12733
      • Perform risk assessments prior to approving change requests.
        00888
      • Implement changes according to the change control program.
        11776
        • Provide audit trails for all approved changes.
          13120
      • Establish and maintain a patch management program.
        00896
        • Implement patch management software, as necessary.
          12094
        • Establish and maintain a patch log.
          01642
        • Deploy software patches.
          07032
          • Patch software.
            11825
        • Update computer firmware.
          11755
          • Implement cryptographic mechanisms to authenticate software and computer firmware before installation.
            10682
      • Mitigate the adverse effects of unauthorized changes.
        12244
      • Establish and maintain approved change acceptance testing procedures.
        06391
        • Test the system's operational functionality after implementing approved changes.
          06294
        • Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred.
          04541
      • Update associated documentation after the system configuration has been changed.
        00891
      • Update the system's backup procedures after an approved change has occurred.
        04498
    • Establish and maintain production process control procedures.
      06209
      • Establish and maintain a service delivery and production process Quality Management program.
        07194
        • Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary.
          07197
    • Document the organization's local environments.
      06726
      • Establish and maintain local environment security profiles.
        07037
        • Include the technology used in the local environment in the local environment security profile.
          07040
    • Manage the creation of products and services, as necessary.
      13497
      • Define the processing activities to meet products and services creation requirements.
        13499
    • Establish and maintain a service catalog.
      13634
      • Include a service description in the service catalog.
        13917
      • Include Service Level Agreements in the service catalog, as necessary.
        13636
      • Include Information Technology services in the service catalog, as necessary.
        13635
        • Base definitions of Information Technology services on their service characteristics.
          13655
    • Conduct official proceedings, as necessary.
      13836
      • Support legal counsel during the judicial process.
        14019
  • System hardening through configuration management
    00860
    • Establish and maintain a Configuration Management program.
      00867
      • Establish, implement, and maintain a Configuration Management Plan.
        01901
      • Employ the configuration management program.
        11904
      • Record Configuration Management items in the Configuration Management database.
        00861
      • Disseminate and communicate the configuration management program to all interested personnel and affected parties.
        11946
      • Establish and maintain a current configuration baseline based on the least functionality principle.
        00862
    • Identify and document the system's Configurable Items.
      02133
      • Define the relationships and dependencies between Configurable Items.
        02134
    • Establish and maintain a system hardening standard.
      00876
      • Establish and maintain configuration standards for all systems based upon industry best practices.
        11953
        • Include common security parameter settings in the configuration standards for all systems.
          12544
        • Apply configuration standards to all systems, as necessary.
          12503
        • Update the system configuration standard upon discovery of new vulnerabilities.
          06844
        • Configure security parameter settings on all system components appropriately.
          12041
    • Establish and maintain system hardening procedures.
      12001
      • Use the latest version of all software.
        00897
        • Install all available critical security updates and important security updates in a timely manner.
          01696
      • Change default configurations, as necessary.
        00877
        • Change all default passwords.
          06080
        • Reconfigure the encryption keys from their default setting or previous setting.
          06079
      • Establish and maintain procedures to standardize Operating System software installation.
        00869
      • Establish idle session termination and logout capabilities.
        01418
        • Configure Session Configuration settings in accordance with organizational standards.
          07698
          • Configure session timeout and reauthentication settings according to organizational standards.
            12460
      • Configure virtual networks in accordance with the information security policy.
        13165
      • Configure Simple Network Management Protocol according to organizational standards.
        12423
        • Change the default community string for Simple Network Management Protocol.
          01872
      • Configure the system's storage media.
        10618
        • Configure the system's electronic storage media's encryption settings.
          11927
      • Implement only one application or primary function per network component or server.
        00879
      • Disable all unnecessary services unless otherwise noted in a policy exception.
        00880
        • Disable telnet unless telnet use is absolutely necessary.
          01478
      • Disable all unnecessary applications unless otherwise noted in a policy exception.
        04827
        • Install and enable public instant messaging clients only as necessary.
          02173
      • Remove all unnecessary functionality.
        00882
        • Document that all enabled functions support secure configurations.
          11985
      • Configure the settings of the system registry and the system objects (for Windows OS only).
        01781
        • Configure the system to protect against source-routing spoofing.
          01793
      • Establish and maintain a password standard.
        01702
        • Establish and maintain a password management system.
          12031
          • Establish and maintain password procedures.
            12002
            • Configure passwords to comply with organizational standards.
              06412
              • Configure the "require new users to change their password on first logon" setting to organizational standards.
                05268
              • Configure the system to store passwords only in hashed or encrypted form, never in cleartext.
                06735
              • Configure the "minimum number of digits required for new passwords" setting to organizational standards.
                08717
              • Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards.
                08718
              • Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards.
                08719
              • Configure the "minimum number of special characters required for new passwords" setting to organizational standards.
                08720
      • Configure the system security parameters to prevent system misuse or information misappropriation.
        00881
      • Configure the system account settings and the permission settings in accordance with the organizational standards.
        01538
        • Configure user accounts.
          07036
          • Remove unnecessary default accounts.
            01539
            • Disable or delete shared User IDs.
              12478
            • Disable or delete generic user IDs.
              12479
            • Disable all unnecessary user identifiers.
              02185
          • Configure accounts with administrative privilege.
            07033
            • Employ multifactor authentication for accounts with administrative privilege.
              12496
            • Encrypt non-console administrative access.
              00883
              • Invoke a strong encryption method before requesting a password.
                11986
      • Enable and configure auditing operations and logging operations, as necessary.
        01522
        • Configure the security parameters for all logs.
          01712
          • Configure the log to capture audit log initialization, along with auditable event selection.
            00649
        • Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc.
          06331
          • Configure the log to capture creates, reads, updates, or deletes of records containing personal data.
            11890
          • Configure the log to capture the user's identification.
            01334
          • Configure the log to capture a date and time stamp.
            01336
          • Configure the log to capture each auditable event's origination.
            01338
          • Configure the log to uniquely identify each asset.
            01339
          • Configure the log to capture the type of each event.
            06423
          • Configure the log to capture each event's success or failure indication.
            06424
        • Configure all logs to capture auditable events or actionable events.
          06332
          • Configure the log to capture logons, logouts, logon attempts, and logout attempts.
            01915
          • Configure the log to capture access to restricted data or restricted information.
            00644
          • Configure the log to capture actions taken by individuals with root privileges or administrative privileges, and add the logging option to the root file system.
            00645
          • Configure the log to capture identification and authentication mechanism use.
            00648
          • Configure the log to capture all access to the audit trail.
            00646
          • Configure the log to capture object access to key directories or key files.
            01697
            • Configure the log to capture system level object creation and deletion.
              00650
          • Configure the log to capture configuration changes.
            06881
            • Log, monitor, and review all changes to time settings on critical systems.
              11608
            • Configure the log to capture changes to user privileges, audit policies, and trust policies by enabling audit policy changes.
              01698
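The logging controls above enumerate the data elements every audit record must carry (event type, date and time, user, origination, asset, object, success or failure) and the event classes that must be captured (logons, privileged actions, audit-trail access, configuration and time changes). The following is an added example written for this page, not code from any authority document it lists: a record format carrying those elements, a validator that rejects records missing any of them, and a review pass over constructed sample records that flags privileged actions and repeated failed logons. Field names, event-type names and the sample records are assumptions made for this example, not a standard.

```python
"""Added example (not from any authority document on this page): a
structured audit-record format that carries the data elements listed above
(event type, timestamp, user, origin, asset, object, success/failure), a
validator that rejects records missing any of them, and a review pass over
constructed sample records. Field and event-type names are assumptions made
for this example, not a standard."""
import json
from collections import Counter
from datetime import datetime, timezone

REQUIRED = ("event_type", "timestamp", "user_id", "origin", "asset_id", "outcome")
EVENT_TYPES = {
    "audit_init", "logon", "logoff", "privileged_action", "data_access",
    "audit_trail_access", "auth_mechanism", "object_create", "object_delete",
    "config_change", "time_change",
}
OUTCOMES = ("success", "failure")
REVIEW_ALWAYS = {"privileged_action", "audit_trail_access", "time_change"}


def make_event(event_type, user_id, origin, asset_id, outcome, obj=None, detail=""):
    """Build one record; refuses unknown event types or outcomes up front."""
    if event_type not in EVENT_TYPES:
        raise ValueError("unknown event type: %r" % event_type)
    if outcome not in OUTCOMES:
        raise ValueError("outcome must be success or failure")
    return {
        "event_type": event_type,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user_id": user_id,
        "origin": origin,         # source host/IP or "console"
        "asset_id": asset_id,     # unique identifier of the logging asset
        "object": obj,            # file, table, key or account acted upon
        "outcome": outcome,
        "detail": detail,
    }


def validate(record):
    """Names of required elements that are missing or invalid (empty = ok)."""
    problems = [f for f in REQUIRED if not record.get(f)]
    if record.get("event_type") not in EVENT_TYPES:
        problems.append("event_type:unknown")
    if record.get("outcome") not in OUTCOMES:
        problems.append("outcome:invalid")
    try:
        if datetime.fromisoformat(record["timestamp"]).tzinfo is None:
            problems.append("timestamp:naive")   # no zone: cannot be correlated
    except (KeyError, TypeError, ValueError):
        problems.append("timestamp:unparseable")
    return problems


def review(lines, failed_logon_threshold=5):
    """Scan JSON-lines audit records; return (line_no, finding) pairs.
    line_no 0 marks findings aggregated over several lines."""
    findings, failed_logons = [], Counter()
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            findings.append((n, "malformed record"))
            continue
        problems = validate(rec)
        if problems:
            findings.append((n, "incomplete record: " + ",".join(problems)))
            continue
        if rec["event_type"] == "logon" and rec["outcome"] == "failure":
            failed_logons[(rec["user_id"], rec["origin"])] += 1
        if rec["event_type"] in REVIEW_ALWAYS:
            findings.append((n, "%s by %s on %s" % (rec["event_type"], rec["user_id"], rec["asset_id"])))
    for (user, origin), count in failed_logons.items():
        if count >= failed_logon_threshold:
            findings.append((0, "%d failed logons for %s from %s" % (count, user, origin)))
    return findings


def _rec(event_type, user, origin, asset, outcome, obj=None):
    # Constructed sample record with a fixed, zone-aware timestamp.
    return json.dumps({"event_type": event_type, "timestamp": "2024-05-01T10:00:00+00:00",
                       "user_id": user, "origin": origin, "asset_id": asset,
                       "object": obj, "outcome": outcome})


SAMPLE_LOG = (
    [_rec("logon", "jdoe", "10.0.0.5", "srv-01", "failure")] * 5            # lines 1-5
    + [_rec("logon", "jdoe", "10.0.0.5", "srv-01", "success"),                # line 6
       _rec("privileged_action", "root", "console", "srv-01", "success", "/etc/sudoers"),
       _rec("data_access", "asmith", "10.0.0.9", "db-02", "success", "customers.pii"),
       json.dumps({"event_type": "logoff", "user_id": "asmith"}),             # line 9: incomplete
       "not json at all"]                                                     # line 10: malformed
)
```

Incomplete records are reported rather than silently skipped: a record that lacks its origin or outcome is itself evidence that a logging source is misconfigured, which is the gap the "configure the detailed data elements" controls exist to close.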
      • Establish and maintain procedures for configuring the appropriate network parameter modifications.
        01517
        • Create an access control list on Network Access and Control Points to restrict access.
          04810
      • Configure the time server in accordance with organizational standards.
        06426
        • Configure system clocks to synchronize with an accurate and universal time source, preferably an organizational Network Time Protocol (NTP) server.
          06425
        • Configure the time server to synchronize with specifically designated hosts.
          06427
        • Restrict access to time server configuration to personnel with a business need.
          06858
        • Keep current the time synchronization technology.
          12548
      • Configure mobile device settings in accordance with organizational standards.
        04600
        • Configure mobile devices to enable remote wipe.
          12212
      • Certify and accredit the system before releasing it into a production environment.
        06419
      • Establish, implement, and maintain virtualization configuration settings.
        07110
        • Implement the security features of hypervisor to protect virtual machines.
          12176
      • Configure Services settings in accordance with organizational standards.
        07434
        • Configure the "Group Policy Client" to organizational standards.
          07522
      • Configure Account settings in accordance with organizational standards.
        07603
        • Configure the "Account lockout threshold" to organizational standards.
          07604
        • Configure the "Account lockout duration" to organizational standards.
          07771
      • Configure System Integrity settings in accordance with organizational standards.
        07605
        • Configure the "Turn on script execution" to organizational standards.
          08411
      • Configure Logging settings in accordance with organizational standards.
        07611
        • Configure the "Audit Policy: DS Access: Directory Service Replication" to organizational standards.
          07734
      • Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.
        07621
        • Configure the "Maximum password age" to organizational standards.
          07688
        • Configure the "Minimum password length" to organizational standards.
          07711
        • Configure the "Password must meet complexity requirements" to organizational standards.
          07743
        • Configure the "Enforce password history" to organizational standards.
          07877
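The password settings above ("minimum number of digits / upper case / lower case / special characters", first-logon change, "Maximum password age", "Minimum password length", complexity, "Enforce password history") are listed as individual configuration items. The following is an added example written for this page, not code from any authority document it lists, showing how those items combine into one enforceable policy: a checker that scores a candidate against each minimum, stores only salted PBKDF2 hashes, refuses reuse of any password in the history window, and reports expiry. The policy values (14 characters, 12 remembered passwords, 365 days), the account structure and the sample passwords are assumptions a reader would replace with their own standard.

```python
"""Added example (not from any authority document on this page): a password
policy checker implementing the settings named on this page: minimum length,
minimum digits / upper-case / lower-case / special characters, first-logon
change, password history and maximum age. The policy values are assumed
defaults a reader would replace with their own standard."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # stored form is a salted hash, never cleartext
SALT_LEN = 16


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14
    min_digits: int = 1
    min_upper: int = 1
    min_lower: int = 1
    min_special: int = 1
    history_depth: int = 12     # "Enforce password history"
    max_age_days: int = 365     # "Maximum password age"


@dataclass
class Account:
    history: list = field(default_factory=list)   # salted hashes, oldest first
    changed_at: Optional[datetime] = None
    must_change: bool = True    # new users change their password on first logon


def complexity_failures(password, policy):
    """Names of the complexity rules the candidate violates (empty = passes)."""
    counts = {
        "min_length": len(password),
        "min_digits": sum(c.isdigit() for c in password),
        "min_upper": sum(c.isupper() for c in password),
        "min_lower": sum(c.islower() for c in password),
        "min_special": sum(not c.isalnum() for c in password),
    }
    return [rule for rule, n in counts.items() if n < getattr(policy, rule)]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def matches(password, stored):
    """Constant-time comparison of a candidate against a stored hash."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def change_password(account, new_password, policy, now=None):
    """Apply the policy; returns the list of violated rules, empty on success."""
    failures = complexity_failures(new_password, policy)
    recent = account.history[-policy.history_depth:] if policy.history_depth else []
    if any(matches(new_password, old) for old in recent):
        failures.append("history")
    if failures:
        return failures
    account.history.append(hash_password(new_password))
    account.changed_at = now or datetime.now(timezone.utc)
    account.must_change = False
    return []


def password_expired(account, policy, now=None):
    """True when the account must change its password before proceeding."""
    if account.must_change or account.changed_at is None:
        return True
    now = now or datetime.now(timezone.utc)
    return now - account.changed_at > timedelta(days=policy.max_age_days)
```

The history check necessarily recomputes a slow hash for every remembered password, so history depth has a cost at change time; that is the price of never keeping the old passwords in a recoverable form.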
      • Configure security and protection software according to organizational standards.
        11917
        • Configure security and protection software to automatically run at startup.
          12443
        • Configure security and protection software to check for up-to-date signature files.
          00576
        • Configure security and protection software to enable automatic updates.
          11945
      • Configure network access and control points to organizational standards.
        12119
        • Configure network switches to organizational standards.
          12120
      • Configure file integrity monitoring software to organizational standards.
        11923
        • Configure the file integrity monitoring software to perform critical file comparisons, as necessary.
          11924
    • Audit the configuration of organizational assets, as necessary.
      13653
      • Audit assets after maintenance was performed.
        13657
  • Records management
    00902
    • Establish and implement a translation management program.
      14316
      • Translate graphic materials, as necessary.
        14324
    • Establish and implement an information management program.
      14315
    • Establish and maintain records management policies used to manage organizational records.
      00903
      • Establish and maintain a record classification scheme for forms.
        00911
        • Establish and maintain form creation, management, and distribution procedures.
          06393
      • Establish and maintain a record classification scheme.
        00914
        • Allocate record identifiers to reference the records as a part of document tracking.
          11662
        • Establish and maintain Records Management procedures.
          00919
          • Establish, implement, and maintain source document error handling tracking.
            01263
          • Establish and maintain data accuracy controls.
            00921
          • Establish and maintain data completeness controls.
            11649
          • Control error handling during data input.
            00922
          • Establish and maintain data processing integrity controls.
            00923
            • Establish and maintain Automated Data Processing validation checks and editing checks.
              00924
          • Establish and maintain document security requirements for the output of records.
            11656
          • Establish and maintain output distribution procedures.
            00927
          • Establish and maintain document retention procedures.
            11660
      • Define each system's preservation requirements for records and logs.
        00904
        • Establish and maintain a data retention program.
          00906
          • Select the appropriate format for archived data and records.
            06320
        • Determine how long to keep records and logs before disposing of them.
          11661
          • Retain records in accordance with applicable requirements.
            00968
        • Establish and maintain storage media disposition and destruction procedures.
          11657
          • Sanitize all electronic storage media before disposing of a system or redeploying a system.
            01643
          • Destroy electronic storage media following the storage media disposition and destruction procedures.
            00970
      • Define each system's disposition requirements for records and logs.
        11651
        • Establish and maintain records disposition procedures.
          00971
          • Remove and/or destroy records according to the records' retention event and retention period schedule.
            06621
            • Place printed records awaiting destruction into secure containers.
              12464
            • Destroy printed records so they cannot be reconstructed.
              11779
            • Automate a programmatic process to remove stored data and records that exceed retention requirements.
              06082
          • Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures.
            11962
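The disposition controls above call for identifying records that have passed their retention event and period, and for automating their removal. The following is an added example written for this page, not code from any authority document it lists: it computes each record's earliest disposition date from a schedule keyed by record class and retention event, exempts records under legal hold (the e-discovery and "retain evidence for potential legal action" controls elsewhere on this page), keeps anything whose status cannot be determined, and only destroys when explicitly taken out of dry-run mode. The schedule, record classes, retention periods and sample records are constructed for illustration.

```python
"""Added example (not from any authority document on this page): selecting
records for disposition from a retention schedule keyed by record class and
retention event, honouring legal holds, with a dry-run mode. The schedule,
record classes and sample records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    record_class: str
    retention_event: str    # the event that starts the clock, e.g. "closed"
    retention_days: int


@dataclass
class Record:
    record_id: str
    record_class: str
    events: dict = field(default_factory=dict)   # event name -> date it occurred
    legal_hold: bool = False    # e-discovery / litigation hold


# Constructed schedule; real periods come from the organization's retention program.
SCHEDULE = {rule.record_class: rule for rule in (
    RetentionRule("incident_report", "closed", 7 * 365),
    RetentionRule("help_desk_ticket", "closed", 2 * 365),
    RetentionRule("audit_log", "created", 365),
)}


def disposition_date(record, schedule):
    """Earliest date the record may be destroyed, or None if that cannot be
    determined (unknown class, or the retention event has not occurred)."""
    rule = schedule.get(record.record_class)
    if rule is None:
        return None
    trigger = record.events.get(rule.retention_event)
    if trigger is None:
        return None
    return trigger + timedelta(days=rule.retention_days)


def select_for_disposition(records, schedule, today):
    """Sort records into due / retained / held / undetermined. Anything not
    positively due is kept: the safe failure mode is over-retention."""
    plan = {"due": [], "retained": [], "held": [], "undetermined": []}
    for rec in records:
        when = disposition_date(rec, schedule)
        if rec.legal_hold:
            plan["held"].append(rec.record_id)
        elif when is None:
            plan["undetermined"].append(rec.record_id)
        elif when <= today:
            plan["due"].append(rec.record_id)
        else:
            plan["retained"].append(rec.record_id)
    return plan


def sweep(records, schedule, today, destroy, dry_run=True):
    """Run the disposition process. `destroy` is the caller's destruction
    routine (secure deletion, a storage-system purge request, ...); nothing
    is destroyed unless dry_run is False."""
    plan = select_for_disposition(records, schedule, today)
    if not dry_run:
        for record_id in plan["due"]:
            destroy(record_id)
    return plan


SAMPLE_RECORDS = [
    Record("IR-1", "incident_report", {"created": date(2015, 1, 1), "closed": date(2016, 3, 1)}),
    Record("IR-2", "incident_report", {"created": date(2023, 1, 1)}),          # still open
    Record("HD-1", "help_desk_ticket", {"closed": date(2021, 1, 1)}, legal_hold=True),
    Record("HD-2", "help_desk_ticket", {"closed": date(2023, 6, 1)}),
    Record("AL-1", "audit_log", {"created": date(2023, 1, 1)}),
    Record("XX-1", "unclassified", {"created": date(2000, 1, 1)}),             # no rule
]
```

The "undetermined" bucket is the one worth reporting on: an unclassified record or one whose retention event was never recorded is a records-management defect, and leaving it in place indefinitely is a retention violation of its own rather than a safe default.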
    • Establish and maintain records management procedures used to manage organizational records.
      11619
      • Review the information that the organization collects, processes, and stores, as necessary.
        12988
        • Review the information classification of the information that the organization collects, processes, and stores, as necessary.
          13008
        • Review the electronic storage media for the information the organization collects and processes.
          13009
      • Protect records from loss in accordance with applicable requirements.
        12007
      • Capture the records required by organizational compliance requirements.
        00912
        • Assign the appropriate information classification to records imported into the Records Management system.
          04555
      • Include record integrity techniques in the Records Management procedures.
        06418
      • Establish and maintain electronic storage media management procedures.
        00931
        • Establish and maintain access controls for all records.
          00371
        • Establish and maintain a records lifecycle management program.
          00951
          • Establish and maintain information preservation procedures.
            06277
          • Implement and maintain backups and duplicate copies of organizational records.
            00953
        • Establish and maintain online storage controls.
          00942
          • Establish and maintain security controls appropriate to the record types and electronic storage media in use.
            00943
            • Store records on non-rewritable, non-erasable storage media formats, as necessary.
              00944
            • Provide encryption for different types of electronic storage media.
              00945
        • Establish and maintain a removable storage media log.
          12317
          • Include the date and time in the removable storage media log.
            12318
          • Record the number of physical media used for the data transfer in the removable storage media log.
            12754
          • Record the recipient's name for the data transfer in the removable storage media log.
            12753
          • Record the sender's name in the removable storage media log.
            12752
          • Record the type of physical media being used for the data transfer in the removable storage media log.
            12751
    • Physically secure printed records.
      11778
    • Establish and maintain an e-discovery program.
      00976
      • Establish and maintain a document retrieval system to use during e-discovery.
        00985
  • Systems design, build, and implementation
    00989
    • Establish and maintain a System Development Life Cycle program.
      11823
      • Perform a feasibility study for product requests.
        06895
        • Assign senior management to approve the cost benefit analysis in the feasibility study.
          13069
      • Include information security throughout the system development life cycle.
        12042
    • Initiate the System Development Life Cycle planning phase.
      06266
      • Establish and maintain research and development plans, as necessary.
        13649
      • Establish and maintain system design principles and system design guidelines.
        01057
        • Include naming conventions in system design guidelines.
          13656
        • Define and assign the system development project team roles and responsibilities.
          01061
          • Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties.
            01062
        • Redesign business activities to support the system implementation.
          01067
          • Establish and maintain a source data collection design specification.
            01070
        • Include identified risks and legal requirements in the security controls definition document.
          11743
        • Establish, implement, and maintain a security controls definition document.
          01080
          • Implement security controls into the system during the development process.
            01082
            • Establish and maintain a cryptographic architecture document.
              12476
              • Include the algorithms used in the cryptographic architecture document.
                12483
              • Include an inventory of all protected areas in the cryptographic architecture document.
                12486
              • Include a description of the key usage for each key in the cryptographic architecture document.
                12484
              • Include descriptions of all cryptographic keys in the cryptographic architecture document.
                12487
              • Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document.
                12488
              • Include each cryptographic key's expiration date in the cryptographic architecture document.
                12489
              • Include the protocols used in the cryptographic architecture document.
                12485
            • Establish and maintain a coding manual for secure coding techniques.
              11863
              • Protect applications from improper access control through secure coding techniques in source code.
                11959
              • Protect applications from Improper error handling through secure coding techniques in source code.
                11937
              • Protect applications from Insecure communications through secure coding techniques in source code.
                11936
              • Protect applications from Injection flaws through secure coding techniques in source code.
                11944
              • Control user account management through secure coding techniques in source code.
                11909
                • Restrict direct access of databases to the database administrator through secure coding techniques.
                  11933
              • Protect applications from Buffer overflows through secure coding techniques in source code.
                11943
              • Protect applications from Cross-site scripting through secure coding techniques in source code.
                11899
              • Protect against coding vulnerabilities through secure coding techniques in source code.
                11897
              • Protect applications from Broken authentication and session management through secure coding techniques in source code.
                11896
              • Protect applications from Insecure cryptographic storage through secure coding techniques in source code.
                11935
              • Protect applications from Cross-site request forgery through secure coding techniques in source code.
                11895
        • Establish and maintain a system use training plan.
          01089
          • Train the affected users during system development life cycle projects.
            01091
      • Establish and maintain System Development Life Cycle documentation.
        12079
        • Define and document organizational structures for the System Development Life Cycle program.
          12549
          • Include system maintenance responsibilities in the System Development Life Cycle documentation.
            12556
          • Include system and network monitoring responsibilities in the System Development Life Cycle documentation.
            12557
          • Define and document organizational structures for system and network monitoring.
            12554
        • Establish and maintain a full set of system procedures.
          01074
          • Establish and maintain a database management standard.
            01079
      • Establish and maintain system design requirements.
        06618
        • Identify all stakeholders who may influence the System Development Life Cycle.
          06922
          • Document stakeholder requirements and how they influence system design requirements.
            06925
        • Compare system design requirements against system design requests.
          06619
          • Resolve conflicting design and development inputs.
            13703
        • Design and develop built-in redundancies, as necessary.
          13064
        • Identify and document system design constraints.
          06923
          • Identify and document limitations that the implementation technology and the implementation strategy put on the system design solution.
            06928
        • Include performance criteria in the system requirements specification.
          11540
          • Include product upgrade methodologies in the system requirements specification.
            11563
      • Establish and maintain a system design project management framework.
        00990
        • Conduct a preliminary investigation before new system development projects begin.
          01025
          • Define and document the nature and scope of all new system development projects.
            01026
          • Update infrastructure resources when system development project requirements change.
            06900
        • Establish, implement, and maintain a conceptual model of the organization's business activities prior to developing systems.
          01028
          • Obtain stakeholder approval for system design projects.
            01033
        • Analyze existing systems during preliminary investigations for system design projects.
          01043
          • Analyze the proposed effects of modifications or additions on the existing systems during the preliminary investigation of system design projects.
            01045
          • Assess the continuity requirements during the planning and development stage for new products and services.
            12779
        • Identify system design strategies.
          01046
          • Reassess Information Technology staffing needs while identifying the system design strategies.
            01053
          • Adopt a system design strategy after examining the strategic options and tactical options.
            01054
          • Disseminate and communicate the adopted system design strategy to interested personnel and affected parties.
            01055
        • Establish, implement, and maintain a system requirements specification.
          01035
          • Include relevant resources needed for the system design project in the system requirements specification.
            01036
          • Include pertinent legal requirements in the system requirements specification.
            01037
            • Include privacy policy requirements in the system requirements specification.
              01040
            • Include file format standards in the system requirements specification.
              01041
        • Conduct a project feasibility study prior to designing a system.
          01613
        • Include the threats and risks associated with the system development project in the project feasibility study.
          11797
        • Establish and maintain project management standards.
          00992
          • Include participation by each affected user department in the implementation phase of the project plan.
            00993
          • Include budgeting for projects in the project management standard.
            13136
          • Formally approve the initiation of each project phase.
            00997
          • Establish and maintain integrated project plans.
            01056
          • Perform a risk assessment for each system development project.
            01000
          • Establish, implement, and maintain a project control program.
            01612
          • Establish and maintain a project test plan.
            01001
          • Establish and maintain a project team plan.
            06533
            • Identify accreditation tasks.
              00999
          • Conduct a post implementation review when the system design project ends.
            01003
      • Separate the design and development environment from the production environment.
        06088
    • Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.
      06267
      • Develop systems in accordance with the system design specifications and system design standards.
        01094
        • Develop new products based on best practices.
          01095
          • Establish and maintain a system design specification.
            04557
            • Document the system architecture in the system design specification.
              12287
              • Include communication links in the system design specification.
                08665
              • Include a description of each module and asset in the system design specification.
                11734
              • Include supporting software requirements in the system design specification.
                08664
            • Include threat models in the system design specification.
              06829
            • Include security requirements in the system design specification.
              06826
            • Establish and implement coding guidelines.
              08661
            • Establish and maintain human interface guidelines.
              08662
              • Establish and maintain User Interface documentation.
                12204
            • Include measurable system performance requirements in the system design specification.
              08667
            • Include the data structure in the system design specification.
              08669
            • Assign senior management to approve the system design specification.
              13070
          • Implement security controls when developing systems.
            06270
            • Implement a hardware security module, as necessary.
              12222
              • Establish and maintain an acceptable use policy for the hardware security module.
                12247
                • Include roles and responsibilities in the acceptable use policy for the hardware security module.
                  12264
                • Include administrative responsibilities in the acceptable use policy for the hardware security module.
                  12260
          • Follow security design requirements when developing systems.
            06827
          • Establish, implement, and maintain a system implementation representation document.
            04558
          • Design the security architecture.
            06269
          • Implement software development version controls.
            01098
          • Follow the system development process when upgrading a system.
            01059
          • Conduct a design review at each milestone or quality gate.
            01087
            • Reassess the system design after the product has been tested.
              01088
          • Approve the design methodology before moving forward on the system design project.
            01060
          • Perform source code analysis at each milestone or quality gate.
            06832
            • Monitor the development environment for when malicious code is discovered.
              06396
          • Establish and maintain system security documentation.
            06271
          • Establish and maintain access rights to source code based upon least privilege.
            06962
      • Develop new products based on secure coding techniques.
        11733
        • Address known coding vulnerabilities as a part of secure coding techniques.
          12493
        • Include all confidentiality, integrity, and availability functions in the system design specification.
          04556
      • Establish and maintain the overall system development project management roles and responsibilities.
        00991
        • Disseminate and communicate continuously and routinely regarding system development project requirements.
          06899
      • Perform Quality Management on all newly developed or modified systems.
        01100
        • Evaluate system development projects for compliance with the system requirements specifications.
          06903
        • Establish and maintain system testing policies.
          01102
          • Configure the test environment similar to the production environment.
            06837
          • Establish and maintain parallel testing criteria and pilot testing criteria.
            01107
        • Establish and maintain system testing procedures.
          11744
          • Restrict production data from being used in the test environment.
            01103
          • Control the test data used in the development environment.
            12013
          • Test all software changes before promoting the system to a production environment.
            01106
          • Test security functionality during the development process.
            12015
          • Include system performance in the scope of system testing.
            12624
          • Include security controls in the scope of system testing.
            12623
          • Review and test custom code to identify potential coding vulnerabilities.
            01316
            • Review and test source code.
              01086
            • Assign the review of custom code changes to individuals other than the code author.
              06291
            • Correct code anomalies and code deficiencies in custom code and retest before release.
              06292
            • Review and approve all custom code test results before code is released.
              06293
      • Perform Quality Management on all newly developed or modified software.
        11798
        • Establish and maintain a system testing program for all system development projects.
          01101
      • Develop the system in a timely and cost-effective manner.
        06908
        • Identify new technologies and critical processes during system development projects.
          06907
      • Develop Natural Language Processing tools, as necessary.
        14063
        • Document requirements and feedback when developing language processing tools.
          14081
    • Initiate the System Development Life Cycle implementation phase.
      06268
      • Establish and maintain a system implementation standard.
        01111
        • Deploy applications based on best practices.
          12738
        • Select implementation strategies based on the system design requirements.
          01113
        • Establish and maintain implementation plans.
          01114
          • Review and approve implementation plans, as necessary.
            13628
        • Plan and document the Certification and Accreditation process.
          11767
        • Install and integrate the system components according to the system implementation standard.
          06930
        • Document the system implementation integration process.
          06931
      • Perform a final acceptance test prior to implementing a new system.
        01108
        • Involve all stakeholders in the final acceptance test.
          13168
        • Document the acceptance status for all products passing the System Development Life Cycle implementation phase.
          06211
        • Control products that do not conform to the system acceptance criteria.
          06212
      • Manage the system implementation process.
        01115
        • Establish, implement, and maintain system conversion procedures.
          01117
        • Establish and maintain a data conversion plan.
          01118
        • Establish and maintain procedures for promoting the system to a production environment.
          01119
          • Remove test accounts prior to promoting the system to a production environment.
            12495
          • Remove test data prior to promoting the system to a production environment.
            12494
        • Evaluate and determine whether or not the newly developed system meets users' system design requirements.
          01120
        • Evaluate and determine whether or not the newly developed system meets security requirements.
          06273
        • Conduct a management level post implementation review.
          01121
      • Approve and authorize the newly implemented system.
        06274
    • Establish and maintain end user support communications.
      06615
      • Establish and maintain end user documentation for all systems.
        12285
      • Establish and maintain user documentation as a part of user support communications.
        12250
  • Acquisition or sale of facilities, technology, and services
    01123
    • Establish and maintain a product upgrade program.
      12216
    • Plan for acquiring facilities, technology, or services.
      06892
      • Involve all stakeholders in the acquisition process.
        13169
      • Include security requirements in system acquisition contracts.
        01124
        • Include required service levels in system acquisition contracts.
          11652
        • Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired Information Technology assets.
          01447
      • Identify and include alternatives to meeting the security requirements when acquiring Information Technology assets.
        01128
      • Conduct an acquisition feasibility study prior to acquiring Information Technology assets.
        01129
        • Establish test environments separate from the production environment to support integration testing before product acquisition.
          11668
      • Establish and maintain a product and services acquisition strategy.
        01133
      • Establish, implement, and maintain a product and services acquisition program.
        01136
        • Establish and maintain acquisition approval requirements.
          13704
        • Include chain of custody procedures in the product and services acquisition program.
          10058
      • Establish and maintain a software product acquisition methodology.
        01138
        • Store source code documentation in escrow by an independent third party.
          01139
        • Review software licensing agreements to ensure compliance.
          01140
    • Acquire products or services.
      11450
      • Register new systems with the program office or other applicable stakeholder.
        13986
    • Establish and maintain facilities, assets, and services acceptance procedures.
      01144
      • Test new hardware or upgraded hardware and software against predefined performance requirements.
        06740
      • Test new hardware or upgraded hardware and software for implementation of security controls.
        06743
        • Test new software or upgraded software for security vulnerabilities.
          01898
        • Test new software or upgraded software for compatibility with the current system.
          11654
        • Test new hardware or upgraded hardware for compatibility with the current system.
          11655
        • Test new hardware or upgraded hardware for security vulnerabilities.
          01899
  • Privacy protection for information and data
    00008
    • Establish and maintain a privacy framework that protects restricted data.
      11850
      • Establish and maintain a personal data transparency and openness program.
        00375
        • Establish and maintain privacy notices, as necessary.
          13443
        • Establish, implement, and maintain adequate openness procedures.
          00377
          • Register with public bodies and notify the Data Commissioner before processing personal data.
            00383
          • Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes.
            00398
          • Document the countries where personal data may be stored.
            12750
        • Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
          00393
          • Provide the data subject with the means of gaining access to personal data held by the organization.
            00396
            • Provide the data subject with information about the right to erasure.
              12602
          • Provide the data subject with details of what personal data is made available to related organizations or subsidiaries.
            00399
            • Establish and maintain a disclosure accounting record.
              13022
              • Include what information was disclosed and to whom in the disclosure accounting record.
                04680
                • Include the disclosure date in the disclosure accounting record.
                  07133
                • Include the disclosure recipient in the disclosure accounting record.
                  07134
      • Establish and maintain a privacy policy.
        06281
        • Document privacy policies in clearly written and easily understood language.
          00376
        • Disseminate and communicate the privacy policy, as necessary.
          13346
        • Update the privacy policy, as necessary.
          06259
          • Notify interested personnel and affected parties when changes are made to the privacy policy.
            06943
            • Document the notification of interested personnel and affected parties regarding privacy policy changes.
              06944
      • Establish and maintain a personal data Choice and Consent program.
        12569
        • Establish and maintain disclosure authorization forms for authorization of consent to use personal data.
          13433
      • Establish, implement, and maintain a personal data accountability program.
        13432
        • Assign ownership of the privacy program to the appropriate organizational role.
          11848
        • Establish and maintain Binding Corporate Rules for the international transfers of personal data.
          12584
          • Include privacy awareness and training in the Binding Corporate Rules.
            12626
      • Establish and maintain Data Processing Contracts, as necessary.
        12650
        • Include data processor confidentiality requirements in the Data Processing Contract.
          12685
        • Include the stipulation that personal data will be disposed of or returned to the data subject in the Data Processing Contract.
          12669
      • Establish and maintain a personal data use limitation program.
        13428
        • Establish, implement, and maintain a personal data use purpose specification.
          00093
          • Display or print the least amount of personal data necessary.
            04643
          • Notify the data subject of changes to personal data use.
            00105
            • Document the use of personal data as an acceptable secondary purpose when the data subject gives consent.
              00115
        • Establish and maintain personal data access procedures.
          00414
          • Respond to personal data access requests in a timely manner.
            00421
          • Establish and maintain procedures for individuals to be able to modify their personal data, as necessary.
            11811
        • Establish and maintain personal data use limitation procedures.
          00128
          • Notify the data subject after personal data is used or disclosed.
            06247
          • Refrain from processing personal data, as necessary.
            12551
          • Process personal data lawfully and carefully.
            00086
            • Analyze requirements for processing personal data in contracts.
              12550
            • Process personal data after the data subject has granted explicit consent.
              00180
          • Define the exceptions to disclosure absent consent.
            00135
            • Disclose personal data absent consent when it is needed by law.