Duplicate this list in my CCH Account SIGN IN
NOTE: The authority document "" has been copied to your account.
NOTE: The authority document is already in your account and can not be copied again.
Close

Portable Compliance Profile™

Authority Documents

  • California Civil Code Title 1.8 Personal Data Chapter 1 Information Practices Act of 1977 Article 7. Accounting of Disclosures §§ 1798.25-1798.29
  • California Civil Code Title 1.81 Customer Records § 1798.80-1798.84
  • California OPP Recommended Practices on Notification of Security Breach
  • Framework for Improving Critical Infrastructure Cybersecurity
  • ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements
  • Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures
  • Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures
  • Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated
  • Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated
  • Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated
  • The CIS Critical Security Controls for Effective Cyber Defense

CCH Compliance

KEY
1437 Mandated
231 Implied
  • Control Name
    ID #
  • Leadership and high level objectives
    00597
    • Analyze organizational objectives, functions, and activities.
      00598
      • Establish, implement, and maintain organizational objectives.
        09959
        • Prioritize organizational objectives.
          09960
        • Disseminate and communicate organizational objectives to all interested personnel and affected parties.
          13191
        • Document and communicate the linkage between organizational objectives, functions, activities, and general controls.
          12398
          • Review the organization's approach to managing information security, as necessary.
            12005
      • Identify all interested personnel and affected parties.
        12845
      • Analyze and prioritize the requirements of interested personnel and affected parties.
        12796
      • Establish, implement, and maintain an information classification standard.
        00601
        • Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard.
          11997
        • Classify the criticality to unauthorized disclosure or modification of information in the information classification standard.
          11996
        • Classify the value of information in the information classification standard.
          11995
        • Classify the legal requirements of information in the information classification standard.
          11994
      • Establish, implement, and maintain an Information and Infrastructure Architecture model.
        00599
      • Monitor regulatory trends to maintain compliance.
        00604
        • Subscribe to a threat intelligence service to receive notification of emerging threats.
          12135
      • Establish, implement, and maintain a Quality Management framework.
        07196
        • Establish, implement, and maintain a Quality Management program.
          07201
          • Include a bug tracking system in the Quality Management program.
            06824
    • Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.
      01241
      • Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents.
        00688
        • Establish and maintain an Information Systems Assurance Categories Definitions document.
          01608
      • Establish, implement, and maintain a policy and procedure management program.
        06285
        • Include requirements in the organization’s policies, standards, and procedures.
          12956
        • Establish and maintain a list of compliance documents.
          07113
          • Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework.
            01636
            • Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties.
              12901
        • Approve all compliance documents.
          06286
          • Establish, implement, and maintain a compliance exception standard.
            01628
            • Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document.
              01631
            • Review the compliance exceptions in the exceptions document, as necessary.
              01632
    • Define the Information Assurance strategic roles and responsibilities.
      00608
      • Establish and maintain a compliance oversight committee.
        00765
        • Address Information Security during the business planning processes.
          06495
    • Establish, implement, and maintain a strategic plan.
      12784
      • Establish, implement, and maintain a Strategic Information Technology Plan.
        00628
        • Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan.
          06491
        • Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan.
          00632
          • Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan.
            01609
        • Monitor and evaluate the implementation and effectiveness of Information Technology Plans.
          00634
        • Establish, implement, and maintain a Capital Planning and Investment Control policy.
          06279
    • Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program.
      06492
      • Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security.
        06493
    • Establish, implement, and maintain communication protocols.
      12245
  • Audits and risk management
    00677
    • Define the roles and responsibilities for personnel assigned to tasks in the Audit function.
      00678
      • Define and assign the internal audit manager's roles and responsibilities.
        00680
        • Report audit findings by the internal audit manager directly to senior management.
          01152
      • Define and assign the external auditor's roles and responsibilities.
        00683
        • Retain copies of external auditor outsourcing contracts and engagement letters.
          01188
          • Review external auditor outsourcing contracts and engagement letters.
            01189
            • Review the risk assessments as compared to the in scope controls.
              06978
          • Include the scope and work to be performed in external auditor outsourcing contracts.
            01190
            • Review the adequacy of the external auditor's work papers and audit reports.
              01199
    • Establish, implement, and maintain an audit program.
      00684
      • Assign the audit to impartial auditors.
        07118
      • Exercise due professional care during the planning and performance of the audit.
        07119
      • Include agreement to the audit scope and audit terms in the audit program.
        06965
        • Establish and maintain a bespoke audit scope for each audit being performed.
          13077
        • Include the scope for the desired level of assurance in the audit program.
          12793
        • Include the criteria for determining the desired level of assurance in the audit program.
          12795
        • Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program.
          12794
      • Accept the attestation engagement when all preconditions are met.
        13933
        • Audit in scope audit items and compliance documents as defined in the audit scope.
          06730
          • Audit policies, standards, and procedures.
            12927
          • Determine if the audit assertion's in scope controls are reasonable.
            06980
            • Document test plans for auditing in scope controls.
              06985
              • Determine the effectiveness of in scope controls.
                06984
                • Review incident management audit logs to determine the effectiveness of in scope controls.
                  12157
                • Observe processes to determine the effectiveness of in scope controls.
                  12155
          • Audit the in scope system according to the test plan using relevant evidence.
            07112
          • Respond to questions or clarification requests regarding the audit.
            08902
        • Track and measure the implementation of the organizational compliance framework.
          06445
          • Establish and maintain a Statement on the Level of Compliance.
            12499
      • Establish and maintain organizational audit reports.
        06731
        • Include the scope and work performed in the audit report.
          11621
          • Review the adequacy of the internal auditor's audit reports.
            11620
            • Review past audit reports.
              01155
        • Collect all work papers for the audit and audit report into an engagement file.
          07001
        • Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list.
          07117
          • Disseminate and communicate the reviews of audit reports to organizational management.
            00653
      • Implement a corrective action plan in response to the audit report.
        06777
        • Review management's response to issues raised in past audit reports.
          01149
      • Assess the quality of the audit program in regards to its documentation.
        11622
        • Establish, implement, and maintain an audit schedule for the audit program.
          13158
    • Establish, implement, and maintain a risk management program.
      12051
      • Establish, implement, and maintain the risk assessment framework.
        00685
        • Define and assign the roles and responsibilities for the risk assessment framework, as necessary.
          06456
        • Establish, implement, and maintain a risk assessment program.
          00687
          • Establish, implement, and maintain risk assessment procedures.
            06446
            • Establish, implement, and maintain a threat and risk classification scheme.
              07183
              • Document organizational risk criteria.
                12277
              • Include security threats and vulnerabilities in the threat and risk classification scheme.
                00699
              • Categorize the systems, information, and data by risk profile in the threat and risk classification scheme.
                01443
              • Include risks to critical personnel and assets in the threat and risk classification scheme.
                00698
              • Assign a probability of occurrence to all types of threats in the threat and risk classification scheme.
                01173
            • Include the roles and responsibilities involved in risk assessments in the risk assessment program.
              06450
            • Approve the risk assessment program and associated risk assessment procedures at the senior management level.
              06458
          • Perform risk assessments for all target environments, as necessary.
            06452
            • Include the results of the risk assessment in the risk assessment report.
              06481
            • Approve the results of the risk assessment as documented in the risk assessment report.
              07109
            • Update the risk assessment upon discovery of a new threat.
              00708
            • Update the risk assessment upon changes to the risk profile.
              11627
            • Disseminate and communicate the approved risk assessment report to interested personnel and affected parties.
              10633
        • Correlate the business impact of identified risks in the risk assessment report.
          00686
          • Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report.
            01147
            • Establish, implement, and maintain a risk register.
              14828
              • Document organizational risk tolerance in a risk register.
                09961
              • Align organizational risk tolerance to that of industry peers in the risk register.
                09962
          • Analyze and quantify the risks to in scope systems and information.
            00701
            • Establish and maintain a Risk Scoping and Measurement Definitions Document.
              00703
              • Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems.
                06467
            • Establish a risk acceptance level that is appropriate to the organization's risk appetite.
              00706
              • Select the appropriate risk treatment option for each identified risk in the risk register.
                06483
        • Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary.
          00704
          • Prioritize and select controls based on the risk assessment findings.
            00707
        • Establish, implement, and maintain a risk treatment plan.
          11983
          • Approve the risk treatment plan.
            13495
        • Integrate the corrective action plan based on the risk assessment findings with other risk management activities.
          06457
        • Document and communicate a corrective action plan based on the risk assessment findings.
          00705
  • Monitoring and measurement
    00636
    • Establish, implement, and maintain Security Control System monitoring and reporting procedures.
      12506
      • Include detecting and reporting the failure of File Integrity Monitoring in the Security Control System monitoring and reporting procedures.
        12525
      • Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures.
        12513
      • Include detecting and reporting the failure of antivirus software in the Security Control System monitoring and reporting procedures.
        12512
      • Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures.
        12511
      • Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures.
        12510
      • Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures.
        12509
      • Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures.
        12508
      • Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures.
        12507
    • Establish, implement, and maintain Responding to Failures in Security Controls procedures.
      12514
      • Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure.
        12521
      • Include implementing mitigating controls to prevent the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure.
        12520
      • Include performing a risk assessment to determine whether further actions are required because of the failure of a security control in the Responding to Failures in Security Controls procedure.
        12519
      • Include correcting security issues caused by the failure of a security control in the Responding to Failures in Security Controls procedure.
        12518
      • Include documenting the duration of the failure of a security control in the Responding to Failures in Security Controls procedure.
        12517
      • Include restoring security functions in the Responding to Failures in Security Controls procedure.
        12515
    • Establish, implement, and maintain logging and monitoring operations.
      00637
      • Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs.
        06312
      • Establish, implement, and maintain intrusion management operations.
        00580
        • Install and maintain an Intrusion Detection System and/or Intrusion Prevention System.
          00581
        • Protect each person's right to privacy and civil liberties during intrusion management operations.
          10035
          • Do not intercept communications of any kind when providing a service to clients.
            09985
        • Determine if honeypots should be installed, and if so, where the honeypots should be placed.
          00582
        • Monitor systems for inappropriate usage and other security violations.
          00585
          • Monitor systems for blended attacks and multiple component incidents.
            01225
          • Monitor systems for Denial of Service attacks.
            01222
          • Monitor systems for access to restricted data or restricted information.
            04721
            • Assign roles and responsibilities for overseeing access to restricted data or restricted information.
              11950
            • Detect unauthorized access to systems.
              06798
          • Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.
            06430
          • Monitor systems for unauthorized mobile code.
            10034
        • Update the intrusion detection capabilities and the incident response capabilities regularly.
          04653
        • Implement honeyclients to proactively seek for malicious websites and malicious code.
          10658
        • Implement detonation chambers, where appropriate.
          10670
      • Define and assign log management roles and responsibilities.
        06311
      • Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information.
        00638
        • Establish, implement, and maintain event logging procedures.
          01335
        • Document the event information to be logged in the event information log specification.
          00639
        • Enable logging for all systems that meet a traceability criteria.
          00640
          • Enable and configure logging on all network access controls.
            01963
          • Synchronize system clocks to an accurate and universal time source on all devices that have logging enabled.
            01340
        • Define the frequency to capture and log events.
          06313
        • Review and update the list of auditable events in the event logging procedures.
          10097
      • Include a standard to collect and interpret event logs in the event logging procedures.
        00643
        • Protect the event logs from failure.
          06290
        • Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs.
          01427
        • Compile the event logs of multiple components into a system-wide time-correlated audit trail.
          01424
        • Review and update event logs and audit logs, as necessary.
          00596
          • Eliminate false positives in event logs and audit logs.
            07047
          • Follow up exceptions and anomalies identified when reviewing logs.
            11925
      • Monitor and evaluate system performance.
        00651
      • Monitor for and react to when suspicious activities are detected.
        00586
        • Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information.
          04727
        • Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records.
          04728
        • Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form.
          04740
        • Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner.
          04729
      • Establish, implement, and maintain a continuous monitoring program for configuration management.
        06757
        • Establish, implement, and maintain an automated configuration monitoring system.
          07058
        • Monitor for and report when a software configuration is updated.
          06746
          • Notify the appropriate personnel when the software configuration is updated absent authorization.
            04886
            • Monitor for firmware updates absent authorization.
              10675
          • Implement file integrity monitoring.
            01205
            • Identify unauthorized modifications during file integrity monitoring.
              12096
              • Monitor for software configurations updates absent authorization.
                10676
            • Allow expected changes during file integrity monitoring.
              12090
            • Monitor for when documents are being updated absent authorization.
              10677
            • Include a change history and identify who made the changes in the file integrity monitoring report.
              12091
            • Alert interested personnel and affected parties when an unauthorized modification to critical files is detected.
              12045
        • Monitor and evaluate user account activity.
          07066
          • Develop and maintain a usage profile for each user account.
            07067
            • Log account usage to determine dormant accounts.
              12118
              • Log account usage times.
                07099
                • Generate daily reports of user logons during hours outside of their usage profile.
                  07068
                • Generate daily reports of users who have grossly exceeded their usage profile logon duration.
                  07069
            • Notify the appropriate personnel after identifying dormant accounts.
              12125
            • Log Internet Protocol addresses used during logon.
              07100
              • Report red flags when logon credentials are used on a computer different from the one in the usage profile.
                07070
    • Establish, implement, and maintain a risk monitoring program.
      00658
      • Monitor the organization's exposure to threats, as necessary.
        06494
      • Monitor for new vulnerabilities.
        06843
      • Test compliance controls for proper functionality.
        00660
      • Establish, implement, and maintain a system security plan.
        01922
        • Create specific test plans to test each system component.
          00661
      • Monitor devices continuously for conformance with production specifications.
        06201
    • Establish, implement, and maintain a testing program.
      00654
      • Conduct Red Team exercises, as necessary.
        12131
        • Establish and maintain a scoring method for Red Team exercise results.
          12136
      • Test security systems and associated security procedures, as necessary.
        11901
      • Scan organizational networks for rogue devices.
        00536
        • Scan the network for wireless access points.
          00370
          • Document the business need justification for authorized wireless access points.
            12044
          • Scan wireless networks for rogue devices.
            11623
            • Test the wireless device scanner's ability to detect rogue devices.
              06859
        • Implement incident response procedures when rogue devices are discovered.
          11880
        • Deny network access to rogue devices until network access approval has been received.
          11852
          • Isolate rogue devices after a rogue device has been detected.
            07061
      • Establish, implement, and maintain a port scan baseline for all in scope systems.
        12134
        • Compare port scan reports for in scope systems against their port scan baseline.
          12162
      • Establish, implement, and maintain a penetration test program.
        01105
      • Disseminate and communicate the testing program to all interested personnel and affected parties.
        11871
        • Align the penetration test program with industry standards.
          12469
        • Assign penetration testing to a qualified internal resource or external third party.
          06429
        • Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation.
          11958
        • Retain penetration test results according to internal policy.
          10049
        • Retain penetration test remediation action records according to internal policy.
          11629
        • Perform penetration tests, as necessary.
          00655
          • Perform internal penetration tests, as necessary.
            12471
          • Perform external penetration tests, as necessary.
            12470
          • Include coverage of all in scope systems during penetration testing.
            11957
          • Test the system for broken access controls.
            01319
          • Test the system for broken authentication and session management.
            01320
          • Test the system for insecure communications.
            00535
          • Test the system for cross-site scripting attacks.
            01321
          • Test the system for buffer overflows.
            01322
          • Test the system for injection flaws.
            01323
          • Test the system for insecure configuration management.
            01327
          • Perform network-layer penetration testing on all systems, as necessary.
            01277
          • Test the system for cross-site request forgery.
            06296
          • Perform application-layer penetration testing on all systems, as necessary.
            11630
          • Perform penetration testing on segmentation controls, as necessary.
            12498
          • Correct vulnerabilities and repeat penetration testing.
            06860
          • Test the system for covert channels.
            10652
            • Estimate the maximum bandwidth of any covert channels.
              10653
              • Reduce the maximum bandwidth of covert channels.
                10655
            • Test systems to determine which covert channels might be exploited.
              10654
      • Establish, implement, and maintain a vulnerability assessment program.
        11636
        • Perform vulnerability scans, as necessary.
          11637
          • Repeat vulnerability scanning, as necessary.
            11646
          • Identify and document security vulnerabilities.
            11857
            • Rank discovered vulnerabilities.
              11940
          • Use dedicated user accounts when conducting vulnerability scans.
            12098
          • Assign vulnerability scanning to qualified personnel or external third parties.
            11638
          • Record the vulnerability scanning activity in the vulnerability scan report.
            12097
          • Correlate vulnerability scan reports from the various systems.
            10636
            • Perform internal vulnerability scans.
              00656
          • Update the vulnerability scanners' vulnerability list.
            10634
          • Repeat vulnerability scanning after an approved change occurs.
            12468
          • Perform external vulnerability scans on the organization's systems.
            11624
            • Employ an approved third party to perform external vulnerability scans on the organization's systems.
              12467
          • Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports.
            10635
            • Notify the interested personnel and affected parties after the failure of an automated security test.
              06748
        • Perform vulnerability assessments, as necessary.
          11828
          • Review applications for security vulnerabilities after the application is updated.
            11938
        • Test the system for unvalidated input.
          01318
        • Test the system for proper error handling.
          01324
        • Test the system for insecure data storage.
          01325
      • Perform penetration tests and vulnerability scans in concert, as necessary.
        12111
      • Test the system for insecure cryptographic storage.
        11635
      • Test in scope systems for compliance with the Configuration Baseline Documentation Record.
        12130
      • Recommend mitigation techniques based on penetration test results.
        04881
      • Correct or mitigate vulnerabilities.
        12497
    • Monitor the usage and capacity of critical assets.
      14825
      • Monitor the usage and capacity of critical Information Technology assets.
        00668
        • Notify the interested personnel and affected parties before the storage unit will reach maximum capacity.
          06773
        • Monitor systems for errors and faults.
          04544
        • Compare system performance metrics to organizational standards and industry benchmarks.
          00667
    • Establish, implement, and maintain a compliance monitoring policy.
      00671
      • Establish, implement, and maintain an approach for compliance monitoring.
        01653
        • Monitor personnel and third parties for compliance to the organizational compliance framework.
          04726
          • Carry out disciplinary actions when a compliance violation is detected.
            06675
            • Align disciplinary actions with the level of compliance violation.
              12404
        • Establish, implement, and maintain an Information Security metrics program.
          01665
      • Establish, implement, and maintain a technical measurement metrics policy.
        01655
        • Establish, implement, and maintain an incident management and vulnerability management metrics program.
          02085
      • Establish, implement, and maintain a log management program.
        00673
        • Deploy log normalization tools, as necessary.
          12141
        • Restrict access to logs to a need to know basis.
          01342
        • Restrict access to audit trails to a need to know basis.
          11641
        • Back up audit trails according to backup procedures.
          11642
        • Back up logs according to backup procedures.
          01344
        • Copy logs from all predefined hosts onto a log management infrastructure.
          01346
        • Protect logs from unauthorized activity.
          01345
        • Archive the audit trail in accordance with compliance requirements.
          00674
        • Enforce dual authorization as a part of information flow control for logs.
          10098
        • Preserve the identity of individuals in audit trails.
          10594
        • Establish, implement, and maintain a cross-organizational audit sharing agreement.
          10595
          • Provide cross-organizational audit information based on the cross-organizational audit sharing agreement.
            10596
    • Establish, implement, and maintain a corrective action plan.
      00675
    • Include monitoring in the corrective action plan.
      11645
    • Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.
      00676
    • Provide intelligence support to the organization, as necessary.
      14020
      • Establish, implement, and maintain a Technical Surveillance Countermeasures program.
        11401
        • Conduct a Technical Surveillance Countermeasures survey.
          10637
  • Technical security
    00508
    • Establish, implement, and maintain an access classification scheme.
      00509
      • Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme.
        00510
        • Include business security requirements in the access classification scheme.
          00002
          • Interpret and apply security requirements based upon the information classification of the system.
            00003
        • Include third party access in the access classification scheme.
          11786
      • Establish, implement, and maintain security classifications for organizational assets.
        00005
        • Limit the use of resources by priority.
          01448
    • Establish, implement, and maintain an access control program.
      11702
      • Include instructions to change passwords as often as necessary in the access control program.
        11931
      • Include guidance for how users should protect their authentication credentials in the access control program.
        11929
      • Include guidance on selecting authentication credentials in the access control program.
        11928
      • Establish, implement, and maintain access control policies.
        00512
        • Disseminate and communicate the access control policies to all interested personnel and affected parties.
          10061
      • Establish, implement, and maintain an access rights management plan.
        00513
        • Identify information system users.
          12081
          • Review user accounts.
            00525
            • Match user accounts to authorized parties.
              12126
            • Review and update accounts and access rights when notified of personnel status changes.
              00788
          • Review shared accounts.
            11840
        • Control access rights to organizational assets.
          00004
          • Add all devices requiring access control to the Access Control List.
            06264
          • Define roles for information systems.
            12454
            • Define access needs for each role assigned to an information system.
              12455
              • Define access needs for each system component of an information system.
                12456
              • Define the level of privilege required for each system component of an information system.
                12457
          • Establish access rights based on least privilege.
            01411
            • Assign user permissions based on job responsibilities.
              00538
            • Assign user privileges after they have management sign off.
              00542
            • Separate processing domains to segregate user privileges and enhance information flow control.
              06767
          • Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts.
            01412
          • Establish, implement, and maintain session lock capabilities.
            01417
          • Limit concurrent sessions according to account type.
            01416
          • Establish session authenticity through Transport Layer Security.
            01627
          • Enable access control for objects and users on each system.
            04553
            • Include all system components in the access control system.
              11939
            • Set access control for objects and users to "deny all" unless explicitly authorized.
              06301
            • Enable access control for objects and users to match restrictions set by the system's security classification.
              04850
            • Enable role-based access control for objects and users on information systems.
              12458
          • Include the objects and users subject to access control in the security policy.
            11836
          • Assign Information System access authorizations if implementing segregation of duties.
            06323
            • Enforce access restrictions for change control.
              01428
            • Enforce access restrictions for restricted data.
              01921
          • Perform a risk assessment prior to activating third party access to the organization's critical systems.
            06455
            • Activate third party maintenance accounts and user identifiers, as necessary.
              04262
          • Establish, implement, and maintain a system use agreement for each information system.
            06500
            • Accept and sign the system use agreement before data or system access is enabled.
              06501
          • Display a logon banner and appropriate logon message before granting access to the system.
            06770
            • Display previous logon information in the logon banner.
              01415
          • Document actions that can be performed on an information system absent identification and authentication of the user.
            06771
        • Control user privileges.
          11665
          • Review all user privileges, as necessary.
            06784
        • Establish, implement, and maintain User Access Management procedures.
          00514
          • Establish, implement, and maintain an authority for access authorization list.
            06782
            • Review and approve logical access to all assets based upon organizational policies.
              06641
          • Control the addition and modification of user identifiers, user credentials, or other object identifiers.
            00515
            • Assign roles and responsibilities for administering user account management.
              11900
            • Automate access control methods, as necessary.
              11838
            • Refrain from allowing user access to identifiers and passwords used by applications.
              10048
          • Remove inactive user accounts, as necessary.
            00517
          • Remove temporary user accounts, as necessary.
            11839
          • Terminate user accounts when notified that an individual is terminated.
            11614
            • Terminate access rights when notified that an individual is terminated.
              11826
              • Revoke asset access when an individual is terminated.
                00516
              • Deny access to restricted data or restricted information when an individual is terminated.
                01309
          • Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information.
            00518
          • Limit superuser accounts to designated System Administrators.
            06766
        • Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework.
          00526
        • Protect and manage biometric systems and biometric data.
          01261
        • Document the business need justification for authentication data storage.
          06325
      • Establish, implement, and maintain access control procedures.
        11663
        • Implement out-of-band authentication, as necessary.
          10606
        • Grant access to authorized personnel.
          12186
          • Document approving and granting access in the access control log.
            06786
      • Include digital identification procedures in the access control program.
        11841
        • Employ unique user identifiers.
          01273
        • Disseminate and communicate user identifiers and passwords using secure communication protocols.
          06791
        • Include instructions to refrain from using previously used passwords in the access control program.
          11930
        • Require multiple forms of personal identification prior to issuing user identifiers.
          08712
        • Authenticate user identities before manually resetting a password.
          04567
        • Require proper authentication for user identifiers.
          11785
          • Assign passwords to user accounts, as necessary.
            06855
          • Assign authentication mechanisms for user account authentication.
            06856
            • Refrain from allowing individuals to share authentication mechanisms.
              11932
          • Use biometric authentication for identification and authentication, as necessary.
            06857
    • Identify and control all network access controls.
      00529
      • Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective.
        04589
      • Establish, implement, and maintain a network configuration standard.
        00530
        • Establish, implement, and maintain a network security policy.
          06440
          • Establish, implement, and maintain a wireless networking policy.
            06732
        • Maintain up-to-date network diagrams.
          00531
      • Manage all internal network connections.
        06329
        • Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol.
          12109
        • Establish, implement, and maintain separate virtual local area networks to transport sensitive information.
          12124
        • Establish, implement, and maintain separate virtual local area networks for untrusted devices.
          12095
      • Manage all external network connections.
        11842
        • Route outbound Internet traffic through a proxy server that supports decrypting network traffic.
          12116
        • Prohibit systems from connecting directly to external networks.
          08709
      • Secure the Domain Name System.
        00540
        • Implement a fault-tolerant architecture.
          01626
        • Implement segregation of duties.
          11843
      • Establish, implement, and maintain a Boundary Defense program.
        00544
        • Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary.
          11891
        • Segregate out of scope systems from in scope systems.
          12546
          • Segregate servers that contain restricted data or restricted information from direct public access.
            00533
            • Design Demilitarized Zones with proper isolation rules.
              00532
            • Restrict inbound Internet traffic inside the Demilitarized Zone.
              01285
              • Restrict inbound Internet traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone.
                11998
            • Segregate applications and databases that contain restricted data or restricted information in an internal network zone.
              01289
        • Establish, implement, and maintain a network access control standard.
          00546
          • Include assigned roles and responsibilities in the network access control standard.
            06410
          • Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary.
            11821
            • Place firewalls between all security domains and between any Demilitarized Zone and internal network zones.
              01274
            • Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information.
              01293
            • Place firewalls between all security domains and between any secure subnet and internal network zones.
              11784
          • Include configuration management and rulesets in the network access control standard.
            11845
        • Establish, implement, and maintain a firewall and router configuration standard.
          00541
          • Include testing and approving all network connections through the firewall in the firewall and router configuration standard.
            01270
          • Include compensating controls implemented for insecure protocols in the firewall and router configuration standard.
            11948
          • Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary.
            11903
          • Include restricting inbound internet traffic in the firewall and router configuration standard.
            11960
          • Include restricting outbound network traffic in the firewall and router configuration standard.
            11961
          • Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard.
            12435
          • Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard.
            12434
          • Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard.
            12426
          • Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information.
            11847
          • Include a protocols, ports, applications, and services list in the firewall and router configuration standard.
            00537
            • Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard.
              01280
        • Install and configure firewalls to be enabled on all mobile devices, if possible.
          00550
          • Lock personal firewall configurations to prevent them from being disabled or changed by end users.
            06420
        • Configure network access and control points to protect restricted data or restricted information.
          01284
          • Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions.
            12174
          • Configure firewalls to deny all traffic by default, except explicitly designated traffic.
            00547
          • Configure firewalls to perform dynamic packet filtering.
            01288
            • Configure firewall filtering to only permit established connections into the network.
              12482
            • Restrict outbound network traffic from systems that contain restricted data or restricted information.
              01295
          • Synchronize and secure all router configuration files.
            01291
          • Configure firewalls to generate an alert when a potential security incident is detected.
            12165
          • Record the configuration rules for network access and control points in the configuration management system.
            12105
            • Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system.
              12107
            • Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system.
              12106
          • Configure network access and control points to organizational standards.
            12442
        • Install and configure application layer firewalls for all key web-facing applications.
          01450
      • Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards.
        11853
      • Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard.
        11854
      • Establish, implement, and maintain a Wireless Local Area Network Configuration Management program.
        01646
        • Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks.
          04830
    • Enforce information flow control.
      11781
      • Establish, implement, and maintain information flow control configuration standards.
        01924
        • Assign appropriate roles for enabling or disabling information flow controls.
          06760
        • Require the system to identify and authenticate approved devices before establishing a connection to restricted data.
          01429
        • Perform content filtering scans on network traffic.
          06761
          • Use content filtering scans to identify information flows by data type specification.
            06762
          • Use content filtering scans to identify information flows by data type usage.
            11818
            • Take appropriate action to address information flow anomalies.
              12164
            • Document information flow anomalies that do not fit normal traffic patterns.
              12163
          • Prevent encrypted data from bypassing content filtering mechanisms.
            06758
          • Perform content filtering scans on incoming and outgoing e-mail.
            06733
        • Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists.
          12128
        • Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information.
          06734
        • Constrain the information flow of restricted data or restricted information.
          06763
          • Restrict access to restricted data and restricted information on a need to know basis.
            12453
          • Prohibit restricted data or restricted information from being sent to mobile devices.
            04725
          • Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control.
            06310
      • Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.
        01410
        • Establish, implement, and maintain information flow procedures.
          04542
        • Establish, implement, and maintain information exchange procedures.
          11782
          • Review and approve information exchange system connections.
            07143
          • Enable encryption of a protected distribution system if sending restricted data or restricted information.
            01749
            • Protect data from modification or loss while transmitting between separate parts of the system.
              04554
        • Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services.
          13104
          • Establish, implement, and maintain whitelists and blacklists of domain names.
            07097
            • Deploy sender policy framework records in the organization's Domain Name Servers.
              12183
            • Block uncategorized sites using URL filtering.
              12140
            • Subscribe to a URL categorization service to maintain website category definitions in the URL filter list.
              12139
        • Establish, implement, and maintain whitelists and blacklists of software.
          11780
        • Implement information flow control policies when making decisions about information sharing or collaboration.
          10094
    • Secure access to each system component operating system.
      00551
      • Enforce privileged accounts and non-privileged accounts for system access.
        00558
        • Create a full text analysis on executed privileged functions.
          06778
      • Separate user functionality from system management functionality.
        11858
      • Segregate electronically stored information from operating system access.
        00552
    • Control all methods of remote access and teleworking.
      00559
      • Establish, implement, and maintain a remote access and teleworking program.
        04545
      • Control remote access through a network access control.
        01421
        • Employ multifactor authentication for remote access to the organization's network.
          12505
      • Implement multifactor authentication techniques.
        00561
      • Protect remote access accounts with encryption.
        00562
      • Monitor and evaluate all remote access usage.
        00563
    • Manage the use of encryption controls and cryptographic controls.
      00570
      • Define the cryptographic module security functions and the cryptographic module operational modes.
        06542
        • Implement the documented cryptographic module security functions.
          06755
        • Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules.
          06547
      • Employ only secure versions of cryptographic controls.
        12491
      • Establish, implement, and maintain an encryption management and cryptographic controls policy.
        04546
        • Refrain from allowing the use of cleartext for input or output of restricted data or restricted information.
          04823
        • Encrypt restricted data or restricted information using the most secure method possible.
          04824
        • Implement cryptographic operations and support functions on identification cards or badges.
          06585
      • Establish, implement, and maintain cryptographic key management procedures.
        00571
        • Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys.
          01301
        • Generate strong cryptographic keys.
          01299
        • Implement decryption keys so that they are not linked to user accounts.
          06851
        • Include the establishment of cryptographic keys in the cryptographic key management procedures.
          06540
        • Disseminate and communicate cryptographic keys securely.
          01300
        • Store cryptographic keys securely.
          01298
          • Restrict access to cryptographic keys.
            01297
          • Store cryptographic keys in encrypted format.
            06084
          • Store key-encrypting keys and data-encrypting keys in different locations.
            06085
        • Change cryptographic keys, as necessary.
          01302
        • Destroy cryptographic keys promptly after the retention period.
          01303
        • Control cryptographic keys with split knowledge and dual control.
          01304
        • Prevent the unauthorized substitution of cryptographic keys.
          01305
        • Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys.
          06852
          • Revoke old cryptographic keys or invalid cryptographic keys immediately.
            01307
          • Replace known or suspected compromised cryptographic keys immediately.
            01306
        • Require key custodians to sign the key custodian's roles and responsibilities.
          11820
        • Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates.
          06587
        • Establish, implement, and maintain Public Key certificate application procedures.
          07079
          • Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures.
            07080
          • Include revocation of Public Key certificates in the Public Key certificate procedures.
            07082
            • Publish revoked Public Key certificates in the Certificate Revocation List.
              07089
          • Issue authentication mechanisms that support the Public Key Infrastructure.
            07092
        • Establish a Root Certification Authority to support the Public Key Infrastructure.
          07084
          • Include access to issued Public Key certificates in the Public Key certificate procedures.
            07086
          • Connect the Public Key Infrastructure to the organization's identity and access management system.
            07091
      • Use strong data encryption to transmit restricted data or restricted information over public networks.
        00564
        • Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls.
          12492
        • Encrypt traffic over public networks with trusted cryptographic keys.
          12490
        • Implement non-repudiation for transactions.
          00567
        • Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks.
          00568
        • Protect application services information transmitted over a public network from unauthorized modification.
          12021
        • Protect application services information transmitted over a public network from unauthorized disclosure.
          12020
        • Protect application services information transmitted over a public network from contract disputes.
          12019
        • Protect application services information transmitted over a public network from fraudulent activity.
          12018
    • Establish, implement, and maintain a malicious code protection program.
      00574
      • Restrict downloading to reduce malicious code attacks.
        04576
      • Install security and protection software, as necessary.
        00575
      • Scan for malicious code, as necessary.
        11941
        • Test all removable storage media for viruses and malicious code.
          11861
        • Test all untrusted files or unverified files for viruses and malicious code.
          01311
      • Protect the system against replay attacks.
        04552
      • Log and react to all malicious code activity.
        07072
        • Analyze the behavior and characteristics of the malicious code.
          10672
        • Incorporate the malicious code analysis into the patch management program.
          10673
      • Lock antivirus configurations.
        10047
    • Establish, implement, and maintain an application security policy.
      06438
      • Conduct application security reviews, as necessary.
        06298
        • Correct all found deficiencies according to organizational standards after a web application policy compliance review.
          06299
        • Re-evaluate the web application after deficiencies have been corrected.
          06300
    • Establish, implement, and maintain a virtual environment and shared resources security program.
      06551
      • Establish, implement, and maintain a shared resources management program.
        07096
      • Implement non-persistent services and components that are initiated in a known state and terminated, as necessary.
        10685
  • Physical and environmental protection
    00709
    • Establish, implement, and maintain a physical security program.
      11757
      • Establish, implement, and maintain an anti-tamper protection program.
        10638
        • Monitor for evidence of when tampering indicators are being identified.
          11905
          • Inspect device surfaces to detect tampering.
            11868
          • Inspect device surfaces to detect unauthorized substitution.
            11869
          • Inspect for tampering at random intervals.
            10640
        • Protect assets from tampering or unapproved substitution.
          11902
      • Establish, implement, and maintain a facility physical security program.
        00711
        • Inspect items brought into the facility.
          06341
        • Identify and document physical access controls for all physical entry points.
          01637
          • Control physical access to (and within) the facility.
            01329
            • Secure physical entry points with physical access controls or security guards.
              01640
            • Establish, implement, and maintain a visitor access permission policy.
              06699
              • Escort visitors within the facility, as necessary.
                06417
              • Authorize visitors before granting entry to physical areas containing restricted data or restricted information.
                01330
            • Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information.
              01436
              • Change access requirements to organizational assets for personnel and visitors, as necessary.
                12463
              • Authorize physical access to sensitive areas based on job functions.
                12462
              • Escort uncleared personnel who need to work in or access controlled access areas.
                00747
            • Establish, implement, and maintain physical identification procedures.
              00713
              • Manage visitor identification inside the facility.
                11670
                • Issue visitor identification badges to all non-employees.
                  00543
                • Retrieve visitor identification badges prior to the exit of a visitor from the facility.
                  01331
              • Establish, implement, and maintain identification issuance procedures for identification cards or badges.
                06598
              • Establish, implement, and maintain identification mechanism termination procedures.
                06306
            • Monitor for unauthorized physical access at physical entry points.
              06797
          • Use locks to protect against unauthorized physical access.
            06342
            • Use locks with electronic authentication systems or cipher locks, as necessary.
              06650
              • Secure unissued access mechanisms.
                06713
              • Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems.
                00748
              • Change cipher lock codes, as necessary.
                06651
          • Manage access to loading docks, unloading docks, and mail rooms.
            02210
            • Isolate loading areas from information processing facilities, if possible.
              12028
        • Establish, implement, and maintain a guideline for working in a secure area.
          04538
        • Monitor entry through all physical entry points.
          01638
          • Establish and maintain a visitor log.
            00715
            • Record the visitor's name in the visitor log.
              00557
            • Record the visitor's organization in the visitor log.
              12121
            • Record the onsite personnel authorizing physical access for the visitor in the visitor log.
              12466
            • Retain all records in the visitor log as prescribed by law.
              00572
          • Establish, implement, and maintain a physical access log.
            12080
            • Log the entrance of a staff member to a facility or designated rooms within the facility.
              01641
          • Observe restricted areas with motion detectors or closed-circuit television systems.
            01328
            • Review and correlate all data collected from video cameras and/or access control mechanisms with other entries.
              11609
            • Configure video cameras to cover all physical entry points.
              06302
            • Configure video cameras to prevent physical tampering or disablement.
              06303
            • Retain video events according to Records Management procedures.
              06304
          • Monitor physical entry point alarms.
            01639
        • Build and maintain fencing, as necessary.
          02235
        • Employ security guards to provide physical security, as necessary.
          06653
      • Establish, implement, and maintain physical security controls for distributed assets.
        00718
        • Restrict physical access to distributed assets.
          11865
          • Protect electronic storage media with physical access controls.
            00720
        • Establish, implement, and maintain removable storage media controls.
          06680
          • Control access to restricted storage media.
            04889
          • Physically secure all electronic storage media that store restricted data or restricted information.
            11664
          • Establish, implement, and maintain storage media access control procedures.
            00959
          • Control the storage of restricted storage media.
            00965
          • Control the transiting and internal distribution or external distribution of restricted storage media.
            00963
            • Obtain management authorization for restricted storage media transit or distribution from a controlled access area.
              00964
            • Transport restricted media using a delivery method that can be tracked.
              11777
              • Track restricted storage media while it is in transit.
                00967
        • Protect distributed assets against theft.
          06799
          • Establish, implement, and maintain asset removal procedures or asset decommissioning procedures.
            04540
            • Prohibit assets from being taken off-site absent prior authorization.
              12027
          • Control the delivery of assets through physical entry points and physical exit points.
            01441
          • Establish, implement, and maintain on-site physical controls for all distributed assets.
            04820
          • Establish, implement, and maintain off-site physical controls for all distributed assets.
            04539
          • Attach asset location technologies to distributed assets.
            10626
            • Employ asset location technologies in accordance with applicable laws and regulations.
              10627
        • Establish, implement, and maintain end user computing device security guidelines.
          00719
          • Establish, implement, and maintain a locking screen saver policy.
            06717
          • Secure workstations to desks with security cables.
            04724
        • Establish, implement, and maintain mobile device security guidelines.
          04723
          • Encrypt information stored on mobile devices.
            01422
        • Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls.
          00722
        • Establish, implement, and maintain asset return procedures.
          04537
          • Require the return of all assets upon notification an individual is terminated.
            06679
        • Prohibit mobile device usage near restricted data or restricted information, absent authorization.
          04597
          • Prohibit wireless technology usage near restricted data or restricted information, absent authorization.
            08706
          • Inspect mobile devices for the storage of restricted data or restricted information.
            08707
            • Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device.
              08708
        • Establish, implement, and maintain a clean desk policy.
          06534
        • Establish, implement, and maintain a clear screen policy.
          12436
        • Prohibit the unauthorized remote activation of collaborative computing devices.
          06768
        • Provide a physical disconnect of collaborative computing devices in a way that supports ease of use.
          06769
        • Indicate the active use of collaborative computing devices to users physically present at the device.
          10647
      • Establish, implement, and maintain proper container security.
        02208
        • Lock closable storage containers.
          06307
      • Install and protect network cabling.
        08624
        • Control physical access to network cables.
          00723
        • Install network cabling specifically for maintenance purposes.
          10613
      • Install and maintain network jacks and outlet boxes.
        08635
        • Implement physical controls to restrict access to publicly accessible network jacks.
          11989
        • Enable network jacks at the patch panel, as necessary.
          06305
          • Implement logical controls to enable network jacks, as necessary.
            11934
    • Establish, implement, and maintain an environmental control program.
      00724
      • Protect power equipment and power cabling from damage or destruction.
        01438
      • Establish, implement, and maintain facility maintenance procedures.
        00710
        • Define selection criteria for facility locations.
          06351
      • Establish, implement, and maintain work environment requirements.
        06613
      • House system components in areas where the physical damage potential is minimized.
        01623
      • Establish, implement, and maintain a fire prevention and fire suppression standard.
        06695
        • Install and maintain fire protection equipment.
          00728
        • Install and maintain fire suppression systems.
          00729
        • Conduct periodic fire marshal inspections for all organizational facilities.
          04888
      • Employ environmental protections.
        12570
        • Install and maintain emergency lighting for use in a power failure.
          01440
        • Establish, implement, and maintain a Heating Ventilation and Air Conditioning system.
          00727
          • Install and maintain a moisture control system as a part of the climate control system.
            06694
        • Protect physical assets from water damage.
          00730
  • Operational and Systems Continuity
    00731
    • Establish, implement, and maintain a business continuity program.
      13210
      • Establish, implement, and maintain a continuity framework.
        00732
        • Establish and maintain the scope of the continuity framework.
          11908
        • Establish, implement, and maintain continuity roles and responsibilities.
          00733
        • Coordinate continuity planning with other business units responsible for related continuity plans.
          01386
      • Establish, implement, and maintain a continuity plan.
        00752
        • Activate the continuity plan if the damage assessment report indicates the activation criterion has been met.
          01373
          • Execute fail-safe procedures when an emergency occurs.
            07108
        • Document and use the lessons learned to update the continuity plan.
          10037
        • Implement alternate security mechanisms when the means of implementing the security function is unavailable.
          10605
        • Document the uninterrupted power requirements for all in scope systems.
          06707
          • Install an Uninterruptible Power Supply sized to support all critical systems.
            00725
          • Install a generator sized to support the facility.
            06709
        • Establish, implement, and maintain a recovery plan.
          13288
        • Include restoration procedures in the continuity plan.
          01169
          • Include risk prioritized recovery procedures for each business unit in the recovery plan.
            01166
        • Disseminate and communicate business functions across multiple facilities separated by geographic separation.
          10662
          • Disseminate and communicate processing activities across multiple facilities using geographic separation.
            10663
          • Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation.
            10664
        • Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary.
          10665
      • Establish, implement, and maintain organizational facility continuity plans.
        02224
        • Install and maintain redundant power supplies for critical facilities.
          06355
          • Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches.
            01439
          • Run primary power lines and secondary power lines via underground diverse path feeds to organizational facilities, as necessary.
            06696
          • Install electro-magnetic shielding around all electrical cabling.
            06358
      • Establish, implement, and maintain system continuity plan strategies.
        00735
        • Define and prioritize critical business functions.
          00736
          • Review and prioritize the importance of each business unit.
            01165
          • Document the mean time to failure for system components.
            10684
        • Establish and maintain Recovery Time Objectives for all in scope systems.
          11688
          • Reconfigure restored systems to meet the Recovery Point Objectives.
            01256
        • Establish, implement, and maintain a critical third party list.
          06815
        • Establish, implement, and maintain a critical resource list.
          00740
          • Establish and maintain a core supply inventory required to support critical business functions.
            04890
        • Include website continuity procedures in the continuity plan.
          01380
          • Post all required information on organizational websites and ensure all hyperlinks are working.
            04579
        • Include Internet Service Provider continuity procedures in the continuity plan.
          00743
          • Include Wide Area Network continuity procedures in the continuity plan.
            01294
            • Include priority-of-service provisions in the telecommunications Service Level Agreements.
              01396
            • Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers.
              01397
            • Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards.
              01399
            • Require telecommunications service providers to have adequate continuity plans.
              01400
        • Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan.
          01374
        • Designate an alternate facility in the continuity plan.
          00742
          • Separate the alternate facility from the primary facility through geographic separation.
            01394
          • Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs.
            01391
        • Include technical preparation considerations for backup operations in the continuity plan.
          01250
          • Establish, implement, and maintain backup procedures for in scope systems.
            01258
            • Establish and maintain off-site electronic media storage facilities.
              00957
              • Separate the off-site electronic media storage facilities from the primary facility through geographic separation.
                01390
              • Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations.
                01392
              • Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur.
                01393
              • Review the security of the off-site electronic media storage facilities, as necessary.
                00573
              • Store backup media at an off-site electronic media storage facility.
                01332
                • Transport backup media in lockable electronic media storage containers.
                  01264
          • Perform backup procedures for in scope systems.
            11692
            • Back up all records.
              11974
            • Encrypt backup data.
              00958
            • Test backup media for media integrity and information integrity, as necessary.
              01401
        • Validate information security continuity controls regularly.
          12008
      • Disseminate and communicate the continuity plan to interested personnel and affected parties.
        00760
    • Prepare the alternate facility for an emergency offsite relocation.
      00744
      • Establish, implement, and maintain Service Level Agreements for all alternate facilities.
        00745
      • Configure the alternate facility to meet the least needed operational capabilities.
        01395
      • Protect backup systems and restoration systems at the alternate facility.
        04883
      • Review the alternate facility preparation procedures.
        04884
    • Train personnel on the continuity plan.
      00759
      • Utilize automated mechanisms for more realistic continuity plan training.
        01387
      • Incorporate simulated events into the continuity plan training.
        01402
    • Establish, implement, and maintain a business continuity plan testing program.
      14829
      • Test the continuity plan, as necessary.
        00755
        • Test the continuity plan under conditions that simulate a disaster or disruption.
          00757
        • Test the continuity plan at the alternate facility.
          01174
          • Coordinate testing the continuity plan with all applicable business units and critical business functions.
            01388
            • Review all third party's continuity plan test results.
              01365
          • Automate the off-site testing to more thoroughly test the continuity plan.
            01389
          • Document the continuity plan test results and provide them to senior management.
            06548
        • Conduct full recovery and restoration of service testing for high impact systems at the alternate facility.
          01404
  • Human Resources management
    00763
    • Establish, implement, and maintain high level operational roles and responsibilities.
      00806
      • Define and assign the head of Information Security's roles and responsibilities.
        06091
      • Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program.
        13112
      • Define and assign the Privacy Officer's roles and responsibilities.
        00714
      • Define and assign the Chief Security Officer's roles and responsibilities.
        06431
    • Define and assign workforce roles and responsibilities.
      13267
      • Identify and define all critical roles.
        00777
    • Establish, implement, and maintain a personnel management program.
      14018
      • Establish, implement, and maintain onboarding procedures for new hires.
        11760
        • Train all new hires, as necessary.
          06673
      • Establish, implement, and maintain a personnel security program.
        10628
        • Establish, implement, and maintain security clearance level criteria.
          00780
          • Establish, implement, and maintain staff position risk designations.
            14280
        • Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies.
          00782
          • Perform security skills assessments for all critical employees.
            12102
          • Establish, implement, and maintain personnel screening procedures.
            11700
            • Perform a background check during personnel screening.
              11758
          • Perform personnel screening procedures, as necessary.
            11763
          • Establish, implement, and maintain security clearance procedures.
            00783
            • Perform security clearance procedures, as necessary.
              06644
        • Identify and watch individuals that pose a risk to the organization.
          10674
      • Establish, implement, and maintain personnel status change and termination procedures.
        06549
        • Notify all interested personnel and affected parties when personnel status changes or an individual is terminated.
          06677
        • Notify terminated individuals of applicable, legally binding post-employment requirements.
          10630
          • Enforce the information security responsibilities and duties that remain valid after termination or change of employment.
            11992
        • Require terminated individuals to sign an acknowledgment of post-employment requirements.
          10631
    • Establish and maintain the staff structure in line with the strategic plan.
      00764
      • Assign and staff all roles appropriately.
        00784
      • Implement segregation of duties in roles and responsibilities.
        00774
      • Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff.
        00779
    • Establish job categorization criteria, job recruitment criteria, and promotion criteria.
      00781
    • Train all personnel and third parties, as necessary.
      00785
      • Establish, implement, and maintain an education methodology.
        06671
        • Retrain all personnel, as necessary.
          01362
        • Tailor training to meet published guidance on the subject being taught.
          02217
        • Tailor training to be taught at each person's level of responsibility.
          06674
        • Document all training in a training record.
          01423
        • Use automated mechanisms in the training environment, where appropriate.
          06752
      • Conduct tests and evaluate training.
        06672
      • Review the current published guidance and awareness and training programs.
        01245
      • Establish, implement, and maintain training plans.
        00828
        • Conduct personal data processing training.
          13757
          • Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose.
            13758
        • Establish, implement, and maintain a security awareness program.
          11746
          • Disseminate and communicate the security awareness program to all interested personnel and affected parties.
            00823
            • Train all personnel and third parties on how to recognize and report security incidents.
              01211
            • Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies.
              01363
        • Conduct secure coding and development training for developers.
          06822
        • Conduct tampering prevention training.
          11875
          • Include the mandate to refrain from installing, refrain from replacing, refrain from returning any asset absent verification in the tampering prevention training.
            11877
          • Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training.
            11876
          • Include how to report tampering in the tampering prevention training.
            11879
          • Include how to prevent physical tampering in the tampering prevention training.
            11878
    • Establish, implement, and maintain a personnel health and safety policy.
      00716
      • Establish, implement, and maintain a travel program for all personnel.
        10597
        • Issue devices with secure configurations to individuals traveling to locations deemed to be of risk.
          10598
        • Scan devices for malicious code when an individual returns from locations deemed to be of risk.
          10599
    • Establish, implement, and maintain a Code of Conduct.
      04897
      • Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment.
        12029
      • Implement a sanctions process for personnel who fail to comply to the organizational compliance program.
        01442
        • Notify designated personnel when a formal personnel sanctions process is initiated.
          10632
      • Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.
        06664
    • Establish, implement, and maintain performance reviews.
      14777
      • Conduct staff performance reviews, as necessary.
        07205
    • Establish, implement, and maintain an insider threat program.
      10687
  • Operational management
    00805
    • Establish, implement, and maintain a capacity management plan.
      11751
      • Establish, implement, and maintain future system capacity forecasting methods.
        01617
      • Align critical Information Technology resource availability planning with capacity planning.
        01618
        • Provide excess capacity or redundancy to limit any effects of a Denial of Service attack.
          06754
      • Utilize resource capacity management controls.
        00939
        • Perform system capacity testing.
          01616
    • Manage cloud services.
      13144
      • Protect clients' hosted environments.
        11862
    • Establish, implement, and maintain a Governance, Risk, and Compliance framework.
      01406
      • Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties.
        06955
      • Acquire resources necessary to support Governance, Risk, and Compliance.
        12861
      • Assign accountability for maintaining the Governance, Risk, and Compliance framework.
        12523
      • Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework.
        12524
      • Establish, implement, and maintain a positive information control environment.
        00813
      • Establish, implement, and maintain an internal control framework.
        00820
        • Measure policy compliance when reviewing the internal control framework.
          06442
        • Assign ownership of the internal control framework to the appropriate organizational role.
          06437
        • Assign resources to implement the internal control framework.
          00816
        • Include procedures for continuous quality improvement in the internal control framework.
          00819
        • Include vulnerability management and risk assessment in the internal control framework.
          13102
        • Include personnel security procedures in the internal control framework.
          01349
        • Include continuous security warning monitoring procedures in the internal control framework.
          01358
        • Include security information sharing procedures in the internal control framework.
          06489
          • Share relevant security information with Special Interest Groups, as necessary.
            11732
        • Include security incident response procedures in the internal control framework.
          01359
        • Include continuous user account management procedures in the internal control framework.
          01360
        • Authorize and document all exceptions to the internal control framework.
          06781
        • Disseminate and communicate the internal control framework to all interested personnel and affected parties.
          15229
      • Establish, implement, and maintain an information security program.
        00812
        • Monitor and review the effectiveness of the information security program.
          12744
        • Establish, implement, and maintain an information security policy.
          11740
          • Include a commitment to the information security requirements in the information security policy.
            13496
          • Include information security objectives in the information security policy.
            13493
        • Approve the information security policy at the organization's management level or higher.
          11737
        • Assign ownership of the information security program to the appropriate role.
          00814
          • Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role.
            11884
          • Assign information security responsibilities to interested personnel and affected parties in the information security program.
            11885
          • Assign the responsibility for distributing the information security program to the appropriate role.
            11883
        • Disseminate and communicate the information security policy to interested personnel and affected parties.
          11739
        • Establish, implement, and maintain a social media governance program.
          06536
          • Include explicit restrictions in the social media acceptable use policy.
            06655
        • Establish, implement, and maintain operational control procedures.
          00831
          • Include assigning and approving operations in operational control procedures.
            06382
          • Establish, implement, and maintain a Standard Operating Procedures Manual.
            00826
            • Adhere to operating procedures as defined in the Standard Operating Procedures Manual.
              06328
            • Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties.
              12026
          • Establish, implement, and maintain Voice over Internet Protocol operating procedures.
            04583
        • Establish, implement, and maintain the Acceptable Use Policy.
          01350
          • Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.
            01351
          • Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy.
            11894
          • Include Bring Your Own Device security guidelines in the Acceptable Use Policy.
            01352
          • Include asset tags in the Acceptable Use Policy.
            01354
          • Include asset use policies in the Acceptable Use Policy.
            01355
            • Include authority for access authorization lists for assets in all relevant Acceptable Use Policies.
              11872
            • Include access control mechanisms in the Acceptable Use Policy.
              01353
              • Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy.
                11892
            • Include prohibiting, copying, or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy.
              11893
            • Include a removable storage media use policy in the Acceptable Use Policy.
              06772
          • Correlate the Acceptable Use Policy with the network security policy.
            01356
            • Include appropriate network locations for each technology in the Acceptable Use Policy.
              11881
          • Correlate the Acceptable Use Policy with the approved product list.
            01357
          • Include disciplinary actions in the Acceptable Use Policy.
            00296
          • Include a software installation policy in the Acceptable Use Policy.
            06749
          • Document idle session termination and logout for remote access technologies in the Acceptable Use Policy.
            12472
          • Require interested personnel and affected parties to sign Acceptable Use Policies.
            06661
            • Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary.
              06663
        • Establish, implement, and maintain an Intellectual Property Right program.
          00821
          • Establish, implement, and maintain Intellectual Property Rights protection procedures.
            11512
        • Protect policies, standards, and procedures from unauthorized modification or disclosure.
          10603
      • Establish, implement, and maintain nondisclosure agreements.
        04536
      • Implement and comply with the Governance, Risk, and Compliance framework.
        00818
        • Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework.
          11747
        • Comply with all implemented policies in the organization's compliance framework.
          06384
        • Review systems for compliance with organizational information security policies.
          12004
        • Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.
          00815
    • Establish, implement, and maintain an Asset Management program.
      06630
      • Establish, implement, and maintain classification schemes for all systems and assets.
        01902
        • Apply security controls to each level of the information classification standard.
          01903
          • Establish, implement, and maintain the systems' availability level.
            01905
        • Classify assets according to the Asset Classification Policy.
          07186
      • Establish, implement, and maintain an asset inventory.
        06631
        • Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails.
          00689
          • Establish, implement, and maintain a hardware asset inventory.
            00691
            • Include network equipment in the Information Technology inventory.
              00693
            • Include mobile devices that store restricted data or restricted information in the Information Technology inventory.
              04719
          • Include interconnected systems and Software as a Service in the Information Technology inventory.
            04885
          • Include software in the Information Technology inventory.
            00692
            • Establish and maintain a list of authorized software and versions required for each system.
              12093
          • Establish, implement, and maintain a storage media inventory.
            00694
            • Include all electronic storage media containing restricted data or restricted information in the storage media inventory.
              00962
          • Add inventoried assets to the asset register database, as necessary.
            07051
            • Identify discrepancies between the asset register database and the Information Technology inventory, as necessary.
              07052
            • Use automated tools to collect Information Technology inventory information, as necessary.
              07054
        • Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory.
          12110
        • Record software license information for each asset in the asset inventory.
          11736
        • Record the make, model of device for applicable assets in the asset inventory.
          12465
        • Record the asset tag for physical assets in the asset inventory.
          06632
        • Record the operating system version for applicable assets in the asset inventory.
          11748
        • Record the operating system type for applicable assets in the asset inventory.
          06633
        • Record the department associated with the asset in the asset inventory.
          12084
        • Record the physical location for applicable assets in the asset inventory.
          06634
        • Record the manufacturer's serial number for applicable assets in the asset inventory.
          06635
        • Record the related business function for applicable assets in the asset inventory.
          06636
        • Record the Internet Protocol address for applicable assets in the asset inventory.
          06638
        • Link the software asset inventory to the hardware asset inventory.
          12085
        • Record the owner for applicable assets in the asset inventory.
          06640
      • Establish, implement, and maintain a software accountability policy.
        00868
        • Establish, implement, and maintain software license management procedures.
          06639
      • Establish, implement, and maintain a system redeployment program.
        06276
        • Test systems for malicious code prior to when the system will be redeployed.
          06339
        • Notify organizational unit leaders prior to when the system is redeployed or the system is disposed.
          06400
      • Establish, implement, and maintain a system preventive maintenance program.
        00885
        • Establish and maintain maintenance reports.
          11749
        • Plan and conduct maintenance so that it does not interfere with scheduled operations.
          06389
        • Maintain contact with the device manufacturer or component manufacturer for maintenance requests.
          06388
          • Replace system components when third party support is no longer available.
            10644
          • Obtain justification for the continued use of system components when third party support is no longer available.
            10645
        • Control and monitor all maintenance tools.
          01432
        • Control remote maintenance according to the system's asset classification.
          01433
          • Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption.
            10614
          • Approve all remote maintenance sessions.
            10615
        • Conduct maintenance with authorized personnel.
          01434
        • Respond to maintenance requests inside the organizationally established time frame.
          04878
          • Establish and maintain an archive of maintenance reports in a maintenance log.
            06202
        • Acquire spare parts prior to when maintenance requests are scheduled.
          11833
        • Perform periodic maintenance according to organizational standards.
          01435
          • Employ dedicated systems during system maintenance.
            12108
            • Isolate dedicated systems used for system maintenance from Internet access.
              12114
      • Dispose of hardware and software at their life cycle end.
        06278
      • Review each system's operational readiness.
        06275
      • Establish and maintain an unauthorized software list.
        10601
    • Establish, implement, and maintain a customer service program.
      00846
      • Establish, implement, and maintain an Incident Management program.
        00853
        • Include intrusion detection procedures in the Incident Management program.
          00588
          • Categorize the incident following an incident response.
            13208
            • Define and document impact thresholds to be used in categorizing incidents.
              10033
            • Determine the incident severity level when assessing the security incidents.
              01650
          • Identify root causes of incidents that force system changes.
            13482
          • Respond to and triage when an incident is detected.
            06942
            • Document the incident and any relevant evidence in the incident report.
              08659
            • Respond to all alerts from security systems in a timely manner.
              06434
          • Contain the incident to prevent further loss and preserve the system for forensic analysis.
            01751
            • Isolate compromised systems from the network.
              01753
          • Assess all security incidents to determine what information was accessed.
            01226
          • Analyze the incident response process following an incident response.
            13179
          • Create an incident response report following an incident response.
            12700
            • Include corrective action taken to eradicate the security incident in the incident response report.
              12708
          • Share incident information with interested personnel and affected parties.
            01212
            • Share data loss event information with the media.
              01759
            • Comply with privacy regulations and civil liberties requirements when sharing data loss event information.
              10036
            • Report data loss event information to breach notification organizations.
              01210
              • Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties.
                04731
          • Remediate security violations according to organizational standards.
            12338
          • Include data loss event notifications in the Incident Response program.
            00364
            • Include legal requirements for data loss event notifications in the Incident Response program.
              11954
            • Notify interested personnel and affected parties of the privacy breach that affects their personal data.
              00365
              • Delay sending incident response notifications under predetermined conditions.
                00804
              • Design the text of the notice for all incident response notifications to be no smaller than 10-point type.
                12985
              • Avoid false positive incident response notifications.
                04732
              • Include information required by law in incident response notifications.
                00802
                • Title breach notifications "Notice of Data Breach".
                  12977
                • Display titles of incident response notifications clearly and conspicuously.
                  12986
                • Display headings in incident response notifications clearly and conspicuously.
                  12987
                • Design the incident response notification to call attention to its nature and significance.
                  12984
                • Use plain language to write incident response notifications.
                  12976
                • Include directions for changing the user's password or security questions and answers in the breach notification.
                  12983
                • Include a "What Happened" heading in breach notifications.
                  12978
                  • Include a general description of the data loss event in incident response notifications.
                    04734
                  • Include the date (or estimated date) the privacy breach was detected in incident response notifications.
                    04745
                • Include a "What Information Was Involved" heading in the breach notification.
                  12979
                  • Include the type of information that was lost in incident response notifications.
                    04735
                • Include a "What We Are Doing" heading in the breach notification.
                  12982
                  • Include what the organization has done to enhance data protection controls in incident response notifications.
                    04736
                  • Include what the organization is offering or has already done to assist affected parties in incident response notifications.
                    04737
                • Include a "For More Information" heading in breach notifications.
                  12981
                  • Include details of the companies and persons involved in incident response notifications.
                    12295
                  • Include the credit reporting agencies' contact information in incident response notifications.
                    04744
                • Include whether the notification was delayed due to a law enforcement investigation in incident response notifications.
                  04746
                • Include a "What You Can Do" heading in the breach notification.
                  12980
                  • Include how the affected parties can protect themselves from identity theft in incident response notifications.
                    04738
                    • Provide enrollment information for identity theft prevention services or identity theft mitigation services.
                      13767
                    • Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties.
                      13766
                • Include contact information in incident response notifications.
                  04739
              • Send paper incident response notifications to affected parties, as necessary.
                00366
              • Determine if a substitute incident response notification is permitted if notifying affected parties.
                00803
              • Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data.
                00368
                • Telephone incident response notifications to affected parties, as necessary.
                  04650
                • Send electronic substitute incident response notifications to affected parties, as necessary.
                  04747
                • Post substitute incident response notifications to the organization's website, as necessary.
                  04748
                • Send substitute incident response notifications to breach notification organizations, as necessary.
                  04750
                • Publish the incident response notification in a general circulation periodical.
                  04651
                • Send electronic incident response notifications to affected parties, as necessary.
                  00367
          • Include incident recovery procedures in the Incident Management program.
            01758
            • Eradicate the cause of the security incident after the security incident has been contained.
              01757
            • Implement security controls for personnel that have accessed information absent authorization.
              10611
            • Establish, implement, and maintain compromised system reaccreditation procedures.
              00592
              • Re-image compromised systems with secure builds.
                12086
          • Analyze security violations in Suspicious Activity Reports.
            00591
            • Include lessons learned from analyzing security violations in the Incident Management program.
              01234
            • Update the incident response procedures using the lessons learned.
              01233
        • Include incident monitoring procedures in the Incident Management program.
          01207
        • Include incident response procedures in the Incident Management program.
          01218
        • Include after-action analysis procedures in the Incident Management program.
          01219
        • Include incident reporting procedures in the Incident Management program.
          11772
          • Establish, implement, and maintain incident reporting time frame standards.
            12142
      • Establish, implement, and maintain a customer service business function.
        00847
      • Provide and display problem management contact information to customers.
        06386
    • Establish, implement, and maintain an Incident Response program.
      00579
      • Analyze and respond to security alerts.
        12504
      • Establish, implement, and maintain an incident response plan.
        12056
      • Include incident response team structures in the Incident Response program.
        01237
        • Include the incident response team member's roles and responsibilities in the Incident Response program.
          01652
          • Include the incident response point of contact's roles and responsibilities in the Incident Response program.
            01877
            • Notify interested personnel and affected parties that a security breach was detected.
              11788
          • Include the customer database owner's roles and responsibilities in the Incident Response program.
            01879
          • Assign the distribution of security alerts to the appropriate role in the incident response program.
            11887
          • Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program.
            11886
          • Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program.
            12473
          • Assign the distribution of incident response procedures to the appropriate role in the incident response program.
            12474
        • Include personnel contact information in the event of an incident in the Incident Response program.
          06385
      • Include coverage of all system components in the Incident Response program.
        11955
      • Prepare for incident response notifications.
        00584
      • Include incident response team services in the Incident Response program.
        11766
        • Include the incident response training program in the Incident Response program.
          06750
          • Incorporate simulated events into the incident response training program.
            06751
          • Incorporate realistic exercises that are tested into the incident response training program.
            06753
          • Conduct incident response training.
            11889
      • Establish, implement, and maintain incident response procedures.
        01206
        • Include references to industry best practices in the incident response procedures.
          11956
        • Include responding to alerts from security monitoring systems in the incident response procedures.
          11949
        • Automatically respond when an integrity violation is detected.
          10678
          • Shut down systems when an integrity violation is detected, as necessary.
            10679
          • Restart systems when an integrity violation is detected, as necessary.
            10680
      • Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred.
        01213
      • Include business continuity procedures in the Incident Response program.
        06433
        • Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures.
          06432
      • Establish trust between the incident response team and the end user community during a security incident.
        01217
      • Include business recovery procedures in the Incident Response program.
        11774
      • Establish, implement, and maintain a digital forensic evidence framework.
        08652
        • Define the business scenarios that require digital forensic evidence.
          08653
          • Define the circumstances for collecting digital forensic evidence.
            08657
            • Conduct forensic investigations in the event of a security compromise.
              11951
        • Identify potential sources of digital forensic evidence.
          08651
        • Establish, implement, and maintain a digital forensic evidence collection program.
          08655
        • Establish, implement, and maintain secure storage and handling of evidence procedures.
          08656
        • Collect evidence from the incident scene.
          02236
      • Disseminate and communicate the incident response procedures to all interested personnel and affected parties.
        01215
      • Test the incident response procedures.
        01216
    • Establish, implement, and maintain a performance management standard.
      01615
      • Establish, implement, and maintain rate limiting filters.
        06883
        • Establish, implement, and maintain system capacity monitoring procedures.
          01619
        • Establish, implement, and maintain system performance monitoring procedures.
          11752
    • Establish, implement, and maintain a Service Level Agreement framework.
      00839
      • Include the security mechanisms of network services in the Service Level Agreement.
        12023
      • Include the management requirements for network services in the Service Level Agreement.
        12025
      • Include the service levels for network services in the Service Level Agreement.
        12024
    • Establish, implement, and maintain a cost management program.
      13638
      • Identify and allocate departmental costs.
        00871
        • Prepare an Information Technology budget, as necessary.
          00872
    • Establish, implement, and maintain a change control program.
      00886
      • Include potential consequences of unintended changes in the change control program.
        12243
      • Separate the production environment from development environment or test environment for the change control process.
        11864
      • Establish, implement, and maintain a back-out plan.
        13623
        • Establish, implement, and maintain back-out procedures for each proposed change in a change request.
          00373
      • Manage change requests.
        00887
        • Include documentation of the impact level of proposed changes in the change request.
          11942
        • Document all change requests in change request forms.
          06794
        • Test proposed changes prior to their approval.
          00548
        • Examine all changes to ensure they correspond with the change request.
          12345
        • Approve tested change requests.
          11783
          • Validate the system before implementing approved changes.
            01510
          • Disseminate and communicate proposed changes to all interested personnel and affected parties.
            06807
      • Perform risk assessments prior to approving change requests.
        00888
      • Implement changes according to the change control program.
        11776
      • Establish, implement, and maintain a patch management program.
        00896
        • Implement patch management software, as necessary.
          12094
        • Include updates and exceptions to hardened images as a part of the patch management program.
          12087
        • Perform a patch test prior to deploying a patch.
          00898
        • Deploy software patches.
          07032
        • Update computer firmware, as necessary.
          11755
          • Remove outdated computer firmware after the computer firmware has been updated.
            10671
          • Implement cryptographic mechanisms to authenticate software and computer firmware before installation.
            10682
      • Mitigate the adverse effects of unauthorized changes.
        12244
      • Establish, implement, and maintain approved change acceptance testing procedures.
        06391
        • Test the system's operational functionality after implementing approved changes.
          06294
        • Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred.
          04541
      • Update associated documentation after the system configuration has been changed.
        00891
        • Establish, implement, and maintain a configuration change log.
          08710
        • Document approved configuration deviations.
          08711
    • Introduce randomness into organizational operations and assets.
      10650
      • Change the locations of processing facilities at random intervals.
        10651
  • System hardening through configuration management
    00860
    • Establish, implement, and maintain a Configuration Management program.
      00867
      • Establish, implement, and maintain configuration control and Configuration Status Accounting.
        00863
      • Establish, implement, and maintain a configuration management plan.
        01901
      • Employ the Configuration Management program.
        11904
      • Test network access controls for proper Configuration Management settings.
        01281
      • Disseminate and communicate the configuration management program to all interested personnel and affected parties.
        11946
      • Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities.
        02132
      • Establish, implement, and maintain a configuration baseline based on the least functionality principle.
        00862
    • Identify and document the system's Configurable Items.
      02133
      • Approve each system's Configurable Items (and changes to those Configurable Items).
        04887
      • Request an acknowledgment from the system owner of the system's configuration.
        10602
    • Establish, implement, and maintain a system hardening standard.
      00876
      • Establish, implement, and maintain configuration standards for all systems based upon industry best practices.
        11953
        • Apply configuration standards to all systems, as necessary.
          12503
        • Document and justify system hardening standard exceptions.
          06845
    • Establish, implement, and maintain system hardening procedures.
      12001
      • Configure session timeout and reauthentication settings according to organizational standards.
        12460
      • Configure the Intrusion Detection System and Intrusion Prevention System in accordance with organizational standards.
        04831
        • Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards.
          04490
        • Configure the Intrusion Detection System and the Intrusion Prevention System to detect rogue devices and unauthorized connections.
          04837
        • Display an explicit logout message when disconnecting an authenticated communications session.
          10093
        • Invalidate session identifiers upon session termination.
          10649
      • Use the latest version of all software.
        00897
        • Install all available critical security updates and important security updates in a timely manner.
          01696
      • Change default configurations, as necessary.
        00877
        • Change all default passwords.
          06080
        • Reconfigure the encryption keys from their default setting or previous setting.
          06079
        • Configure the system's booting configuration.
          10656
          • Configure the system to boot from hardware enforced read-only media.
            10657
      • Configure Least Functionality and Least Privilege settings to organizational standards.
        07599
        • Implement hardware-based write-protect for system firmware components.
          10659
          • Implement procedures to manually disable hardware-based write-protect to change computer firmware.
            10660
      • Establish, implement, and maintain idle session termination and logout capabilities.
        01418
      • Configure Simple Network Management Protocol (SNMP) to organizational standards.
        12423
        • Change the default community string for Simple Network Management Protocol.
          01872
      • Configure the system's storage media.
        10618
        • Configure the system's electronic storage media's encryption settings.
          11927
        • Prohibit the use of sanitization-resistant media in Information Systems.
          10617
      • Implement only one application or primary function per network component or server.
        00879
      • Disable all unnecessary services unless otherwise noted in a policy exception.
        00880
        • Disable telnet unless telnet use is absolutely necessary.
          01478
      • Disable all unnecessary applications unless otherwise noted in a policy exception.
        04827
        • Restrict and control the use of privileged utility programs.
          12030
        • Disable the use of removable storage media for systems that processes restricted data or restricted information, as necessary.
          06681
        • Disable automatic updates unless automatic updates are absolutely necessary.
          01811
          • Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards.
            05979
      • Remove all unnecessary functionality.
        00882
        • Disable all unnecessary computer interfaces.
          04826
          • Enable or disable all unused USB ports as appropriate.
            06042
          • Disable Autorun.
            01790
        • Disable any unnecessary scripting languages, as necessary.
          12137
      • Establish, implement, and maintain the interactive logon settings.
        01739
        • Configure the system logon banner.
          01742
      • Enable logon authentication management techniques.
        00553
        • Configure devices and users to re-authenticate, as necessary.
          10609
        • Prohibit the use of cached authenticators and credentials after a defined period of time.
          10610
      • Configure each system's security alerts to organizational standards.
        12113
        • Configure the system to issue a security alert when an administrator account is created.
          12122
      • Establish, implement, and maintain a password standard.
        01702
        • Establish, implement, and maintain a password management system.
          12031
          • Establish, implement, and maintain password procedures.
            12002
            • Restrict access to authentication files to accounts other than administrator accounts.
              12127
            • Configure passwords to comply with organizational standards.
              06412
              • Configure the system to require new users to change their password on first logon to organizational standards.
                05268
              • Configure passwords so that group passwords or shared passwords are prohibited.
                00519
              • Configure the system to prevent unencrypted password use.
                04457
              • Configure the system to encrypt passwords.
                06735
              • Configure the system to use asterisks to mask passwords.
                02037
              • Configure the password policy to ban or allow usernames or user identifiers in passwords to organizational standards.
                05992
              • Configure the "Minimum password age" to organizational standards.
                01703
            • Notify affected parties to keep passwords confidential.
              06787
      • Configure the system security parameters to prevent system misuse or information misappropriation.
        00881
        • Configure the system to require a password before it unlocks the Screen saver software.
          04443
      • Disable or configure the e-mail server, as necessary.
        06563
        • Configure e-mail servers to enable receiver-side verification.
          12223
      • Configure the system account settings and the permission settings in accordance with the organizational standards.
        01538
        • Configure user accounts.
          07036
          • Remove unnecessary default accounts.
            01539
            • Disable or delete shared User IDs.
              12478
            • Disable or delete generic user IDs.
              12479
            • Disable all unnecessary user identifiers.
              02185
          • Configure accounts with administrative privilege.
            07033
            • Employ multifactor authentication for accounts with administrative privilege.
              12496
            • Encrypt non-console administrative access.
              00883
          • Configure the user account expiration date.
            07101
        • Implement a reference monitor to implement the Access Control policies.
          10096
      • Configure appropriate Partitioning schemes.
        02162
      • Establish and maintain procedures for configuring the appropriate network parameter modifications.
        01517
        • Configure devices to deny outbound connections.
          04807
        • Configure devices to deny inbound connections.
          04805
        • Review and restrict network addresses and network protocols.
          01518
          • Disable wireless access if it is not necessary.
            12100
          • Configure wireless access to be restricted to authorized wireless networks.
            12099
          • Enable Network Address Translation or Port Address Translation for internal networks on all network access and control points.
            00545
          • Disable Bluetooth unless Bluetooth is absolutely necessary.
            04476
          • Assign or reserve static IP addresses in Dynamic Host Configuration Protocol.
            04801
        • Configure the amount of idle time required before disconnecting an idle session.
          01763
        • Enable the firewall and configure it to meet organizational standards.
          01926
          • Review the firewall rules, as necessary.
            06745
        • Use only secure communication protocols for remote system management.
          04459
        • Create an access control list on Network Access and Control Points to restrict access.
          04810
          • Configure the Access Control List to restrict connections between untrusted networks and any system that holds restricted data or restricted information.
            06077
          • Configure the Access Control List (ACL) so that internal network addresses cannot pass from the Internet into the Demilitarized Zone (DMZ).
            06421
          • Configure the Access Control List so that outbound network traffic from protected subnets can only access IP Addresses inside the Demilitarized Zone.
            06422
        • Configure wireless communication to be encrypted using strong cryptography.
          06078
        • Disable feedback on protocol format validation errors.
          10646
      • Configure the time server in accordance with organizational standards.
        06426
        • Configure system clocks for synchronization (SYN) of time to an accurate and universal time source, preferably an organizational Network Time Protocol (NTP) server.
          06425
        • Configure the time server to synchronize with specifically designated hosts.
          06427
        • Restrict access to time server configuration to personnel with a business need.
          06858
      • Configure Wireless Access Points in accordance with organizational standards.
        12477
        • Configure the Wireless Access Point transmit power setting to the lowest level possible.
          04593
        • Use Wireless Local Area Network Network Interface Cards that turn off or disable Peer-To-Peer Wireless Local Area Network communications.
          04594
        • Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users.
          04595
        • Enable WiFi Protected Access or WiFi Protected Access-2.
          04832
        • Enable or disable all wireless interfaces, as necessary.
          05755
      • Configure mobile device settings in accordance with organizational standards.
        04600
        • Enable data-at-rest encryption on mobile devices.
          04842
        • Configure environmental sensors on mobile devices.
          10667
          • Prohibit the remote activation of environmental sensors on mobile devices.
            10666
          • Configure the mobile device to explicitly show when an environmental sensor is in use.
            10668
          • Configure the environmental sensor to report collected data to designated personnel only.
            10669
      • Establish, implement, and maintain virtualization configuration settings.
        07110
        • Execute permitted mobile code in confined virtual machine environments.
          10648
      • Configure Account settings in accordance with organizational standards.
        07603
        • Configure the "Account lockout threshold" to organizational standards.
          07604
        • Configure the "Account lockout duration" to organizational standards.
          07771
      • Configure system integrity settings to organizational standards.
        07605
        • Prohibit the use of binary code or machine code from sources with limited or no warranty absent the source code.
          10681
        • Do not allow processes to execute absent supervision.
          10683
      • Configure Logging settings in accordance with organizational standards.
        07611
        • Configure the storage parameters for all logs.
          06330
          • Configure sufficient log storage capacity and prevent the capacity from being exceeded.
            01425
        • Configure the security parameters for all logs.
          01712
          • Configure the log to capture audit log initialization, along with auditable event selection.
            00649
        • Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc.
          06331
          • Configure the log to capture the user's identification.
            01334
          • Configure the log to capture a date and time stamp.
            01336
          • Configure the log to capture each auditable event's origination.
            01338
          • Configure the log to uniquely identify each asset.
            01339
          • Configure the log to capture the type of each event.
            06423
          • Configure the log to capture each event's success or failure indication.
            06424
        • Configure all logs to capture auditable events or actionable events.
          06332
          • Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated.
            00577
          • Configure the log to capture all URL requests.
            12138
          • Configure the log to capture logons, logouts, logon attempts, and logout attempts.
            01915
          • Configure system accounting/system events.
            01529
          • Configure the log to capture access to restricted data or restricted information.
            00644
          • Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.
            00645
          • Configure the log to capture identification and authentication mechanism use.
            00648
          • Configure the log to capture all access to the audit trail.
            00646
          • Configure the log to capture Object access to key directories or key files.
            01697
            • Configure the log to capture system level object creation and deletion.
              00650
          • Configure the log to capture configuration changes.
            06881
            • Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes.
              01698
        • Configure the event log settings for specific Operating System functions.
          06337
          • Enable or disable auditing at boot time, as appropriate.
            06031
          • Generate an alert when an audit log failure occurs.
            06737
        • Configure additional log settings.
          06333
          • Configure the log to send alerts for each auditable events success or failure.
            01337
      • Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.
        07621
        • Configure the "Maximum password age" to organizational standards.
          07688
        • Configure the "Minimum password length" to organizational standards.
          07711
        • Configure the "Password must meet complexity requirements" to organizational standards.
          07743
        • Configure the "Enforce password history" to organizational standards.
          07877
      • Configure the proxy server to organizational standards.
        12115
        • Configure the proxy server to log Transmission Control Protocol sessions.
          12123
      • Configure security and protection software according to Organizational Standards.
        11917
        • Configure security and protection software to automatically run at startup.
          12443
        • Configure security and protection software to check for up-to-date signature files.
          00576
        • Configure security and protection software to enable automatic updates.
          11945
        • Configure security and protection software to check e-mail messages.
          00578
        • Configure security and protection software to check e-mail attachments.
          11860
      • Configure network access and control points to organizational standards.
        12119
        • Configure network switches to organizational standards.
          12120
          • Enable Virtual Local Area Networks on network switches, as necessary.
            12129
      • Configure dedicated systems used for system management according to organizational standards.
        12132
        • Configure dedicated systems used for system management to prohibit them from composing documents.
          12161
        • Configure dedicated systems used for system management so they are prohibited from accessing e-mail.
          12160
      • Configure the Domain Name System in accordance with organizational standards.
        12202
        • Configure the Domain Name System query logging to organizational standards.
          12210
        • Configure the secure name/address resolution service (recursive or caching resolver).
          01625
        • Configure the secure name/address resolution service (authoritative source).
          01624
      • Configure File Integrity Monitoring Software to Organizational Standards.
        11923
        • Configure the file integrity monitoring software to perform critical file comparisons, as necessary.
          11924
      • Configure systems to protect against unauthorized data mining.
        10095
      • Implement safeguards to protect memory from unauthorized code execution.
        10686
    • Establish, implement, and maintain a Configuration Baseline Documentation Record.
      02130
      • Document and approve any changes to the Configuration Baseline Documentation Record.
        12104
      • Create a hardened image of the baseline configuration to be used for building new systems.
        07063
        • Store master images on securely configured servers.
          12089
        • Update the security configuration of hardened images, as necessary.
          12088
  • Records management
    00902
    • Establish, implement, and maintain records management policies.
      00903
      • Establish, implement, and maintain a record classification scheme.
        00914
        • Establish, implement, and maintain a records authentication system.
          11648
        • Associate records with their security attributes.
          06764
          • Reconfigure the security attributes of records as the information changes.
            06765
        • Establish and maintain Records Management procedures.
          00919
          • Establish, implement, and maintain data input and data access authorization tracking.
            00920
          • Control error handling when data is being inputted.
            00922
          • Establish, implement, and maintain data processing integrity controls.
            00923
            • Establish, implement, and maintain Automated Data Processing validation checks and editing checks.
              00924
            • Establish, implement, and maintain Automated Data Processing error handling procedures.
              00925
            • Establish, implement, and maintain Automated Data Processing error handling reporting.
              11659
          • Establish, implement, and maintain document security requirements for the output of records.
            11656
            • Establish, implement, and maintain document handling procedures for paper documents.
              00926
          • Establish, implement, and maintain document retention procedures.
            11660
          • Establish, implement, and maintain paper document integrity requirements for the output of records.
            00930
      • Define each system's preservation requirements for records and logs.
        00904
        • Establish, implement, and maintain a data retention program.
          00906
          • Select the appropriate format for archived data and records.
            06320
          • Archive appropriate records, logs, and database tables.
            06321
        • Determine how long to keep records and logs before disposing them.
          11661
          • Retain records in accordance with applicable requirements.
            00968
        • Establish, implement, and maintain storage media disposition and destruction procedures.
          11657
          • Sanitize all electronic storage media before disposing a system or redeploying a system.
            01643
          • Degauss as a method of sanitizing electronic storage media.
            00973
          • Destroy electronic storage media following the storage media disposition and destruction procedures.
            00970
            • Maintain media sanitization equipment in operational condition.
              00721
      • Define each system's disposition requirements for records and logs.
        11651
        • Establish, implement, and maintain records disposition procedures.
          00971
          • Manage the disposition status for all records.
            00972
          • Remove and/or destroy records according to the records' retention event and retention period schedule.
            06621
            • Place printed records awaiting destruction into secure containers.
              12464
            • Destroy printed records so they cannot be reconstructed.
              11779
            • Automate a programmatic process to remove stored data and records that exceed retention requirements.
              06082
          • Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures.
            11962
    • Establish, implement, and maintain records management procedures.
      11619
      • Protect records from loss in accordance with applicable requirements.
        12007
      • Capture the records required by organizational compliance requirements.
        00912
        • Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity.
          04720
      • Include record integrity techniques in the Records Management procedures.
        06418
      • Establish, implement, and maintain electronic storage media management procedures.
        00931
        • Establish, implement, and maintain security label procedures for records and storage media.
          06747
          • Label restricted storage media appropriately.
            00966
          • Label printed output for specific record categories as directed by the organization's information classification standard.
            01420
        • Establish and maintain access controls for all records.
          00371
        • Establish, implement, and maintain a records lifecycle management program.
          00951
          • Establish, implement, and maintain information preservation procedures.
            06277
          • Implement and maintain backups and duplicate copies of organizational records.
            00953
        • Establish, implement, and maintain online storage controls.
          00942
          • Establish, implement, and maintain security controls appropriate to the record types and electronic storage media.
            00943
            • Store records on non-rewritable, non-erasable storage media formats, as necessary.
              00944
            • Provide encryption for different types of electronic storage media.
              00945
          • Implement electronic storage media integrity controls.
            00946
        • Provide audit trails for all pertinent records.
          00372
        • Establish, implement, and maintain storage media downgrading procedures.
          10619
          • Identify electronic storage media that require downgrading.
            10620
          • Downgrade electronic storage media, as necessary.
            10621
          • Document all actions taken when downgrading electronic storage media.
            10622
          • Test the storage media downgrade for correct performance.
            10623
  • Systems design, build, and implementation
    00989
    • Establish, implement, and maintain a System Development Life Cycle program.
      11823
    • Initiate the System Development Life Cycle planning phase.
      06266
      • Establish, implement, and maintain system design principles and system design guidelines.
        01057
        • Define and assign the system development project team roles and responsibilities.
          01061
          • Restrict system architects from being assigned as Administrators.
            01064
            • Restrict the development team from having access to the production environment.
              01066
        • Establish, implement, and maintain a security controls definition document.
          01080
        • Establish, implement, and maintain a system use training plan.
          01089
          • Train the affected users during system development life cycle projects.
            01091
      • Establish and maintain System Development Life Cycle documentation.
        12079
      • Establish, implement, and maintain a system design project management framework.
        00990
        • Identify system design strategies.
          01046
        • Establish, implement, and maintain project management standards.
          00992
          • Perform a risk assessment for each system development project.
            01000
      • Separate the design and development environment from the production environment.
        06088
        • Specify appropriate tools for the system development project.
          06830
    • Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.
      06267
      • Develop systems in accordance with the system design specifications and system design standards.
        01094
        • Establish, implement, and maintain outsourced development procedures.
          01141
          • Supervise and monitor outsourced development projects.
            01096
        • Develop new products based on best practices.
          01095
          • Establish, implement, and maintain a system design specification.
            04557
            • Document the system architecture in the system design specification.
              12287
              • Include a description of each module and asset in the system design specification.
                11734
            • Include security requirements in the system design specification.
              06826
              • Establish, implement, and maintain access control procedures for the test environment that match those of the production environment.
                06793
              • Include anti-tamper technologies and anti-tamper techniques in the system design specification.
                10639
            • Establish, implement, and maintain identification card or badge architectural designs.
              06591
            • Include measurable system performance requirements in the system design specification.
              08667
          • Implement security controls when developing systems.
            06270
            • Analyze and minimize attack surfaces when developing systems.
              06828
            • Establish, implement, and maintain session security coding standards.
              04584
            • Establish and maintain a cryptographic architecture document.
              12476
              • Include the algorithms used in the cryptographic architecture document.
                12483
              • Include an inventory of all protected areas in the cryptographic architecture document.
                12486
              • Include a description of the key usage for each key in the cryptographic architecture document.
                12484
              • Include descriptions of all cryptographic keys in the cryptographic architecture document.
                12487
              • Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document.
                12488
              • Include each cryptographic key's expiration date in the cryptographic architecture document.
                12489
              • Include the protocols used in the cryptographic architecture document.
                12485
            • Establish and maintain a coding manual for secure coding techniques.
              11863
              • Protect applications from improper access control through secure coding techniques in source code.
                11959
              • Protect applications from improper error handling through secure coding techniques in source code.
                11937
              • Protect applications from insecure communications through secure coding techniques in source code.
                11936
              • Protect applications from injection flaws through secure coding techniques in source code.
                11944
              • Control user account management through secure coding techniques in source code.
                11909
                • Restrict direct access of databases to the database administrator through secure coding techniques in source code.
                  11933
              • Protect applications from buffer overflows through secure coding techniques in source code.
                11943
              • Protect applications from cross-site scripting through secure coding techniques in source code.
                11899
              • Protect against coding vulnerabilities through secure coding techniques in source code.
                11897
              • Protect applications from broken authentication and session management through secure coding techniques in source code.
                11896
              • Protect applications from insecure cryptographic storage through secure coding techniques in source code.
                11935
              • Protect applications from cross-site request forgery through secure coding techniques in source code.
                11895
              • Refrain from displaying error messages to end users through secure coding techniques in source code.
                12166
          • Follow security design requirements when developing systems.
            06827
            • Use randomly generated session identifiers.
              07074
          • Establish, implement, and maintain a system implementation representation document.
            04558
          • Design the security architecture.
            06269
            • Limit the embedding of data types inside other data types.
              06759
          • Protect system libraries.
            01097
          • Conduct a design review at each milestone or quality gate.
            01087
          • Perform source code analysis at each milestone or quality gate.
            06832
          • Establish and maintain system security documentation.
            06271
            • Document the procedures and environment used to create the system or software.
              06609
          • Establish and maintain access rights to source code based upon least privilege.
            06962
      • Develop new products based on secure coding techniques.
        11733
        • Address known coding vulnerabilities as a part of secure coding techniques.
          12493
        • Include all confidentiality, integrity, and availability functions in the system design specification.
          04556
        • Establish, implement, and maintain a security policy model document.
          04560
      • Establish and maintain the overall system development project management roles and responsibilities.
        00991
        • Assign the role of information security management as a part of developing systems.
          06823
      • Perform Quality Management on all newly developed or modified systems.
        01100
        • Evaluate system development projects for compliance with the system requirements specifications.
          06903
        • Establish, implement, and maintain a system testing policy.
          01102
          • Configure the test environment similar to the production environment.
            06837
        • Establish, implement, and maintain system testing procedures.
          11744
          • Restrict production data from being used in the test environment.
            01103
          • Protect test data in the development environment.
            12014
          • Control the test data used in the development environment.
            12013
          • Select the test data carefully.
            12011
          • Test all software changes before promoting the system to a production environment.
            01106
          • Test security functionality during the development process.
            12015
          • Review and test custom code to identify potential coding vulnerabilities.
            01316
            • Assign the review of custom code changes to individuals other than the code author.
              06291
            • Correct code anomalies and code deficiencies in custom code and retest before release.
              06292
            • Approve all custom code test results before code is released.
              06293
      • Develop the system in a timely manner and cost-effective way.
        06908
        • Change the scope, definition, and work breakdown of the system development project after corrective actions are taken.
          06910
    • Initiate the System Development Life Cycle implementation phase.
      06268
      • Establish, implement, and maintain a system implementation standard.
        01111
        • Establish, implement, and maintain system implementation procedures to ensure product conformity.
          06617
      • Manage the system implementation process.
        01115
        • Establish, implement, and maintain promoting the system to a production environment procedures.
          01119
          • Remove test accounts prior to promoting the system to a production environment.
            12495
          • Remove test data prior to promoting the system to a production environment.
            12494
      • Approve and authorize the newly implemented system.
        06274
      • Archive release records related to the newly implemented system.
        06834
      • Develop and maintain an operating strategy for newly implemented systems.
        06932
    • Establish and maintain end user support communications.
      06615
  • Acquisition or sale of facilities, technology, and services
    01123
    • Establish, implement, and maintain payment and settlement functions for selling products and services.
      13538
      • Establish, implement, and maintain an electronic commerce program.
        08617
        • Establish, implement, and maintain payment transaction security measures.
          13088
          • Protect the integrity of application service transactions.
            12017
    • Plan for acquiring facilities, technology, or services.
      06892
      • Allocate sufficient resources to protect Information Systems during capital planning.
        01444
      • Establish, implement, and maintain system acquisition contracts.
        14758
        • Include security requirements in system acquisition contracts.
          01124
          • Obtain system documentation before acquiring products and services.
            01445
          • Provide a Configuration Management plan by the Information System developer for all newly acquired assets.
            01446
          • Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets.
            01447
      • Conduct an acquisition feasibility study prior to acquiring assets.
        01129
        • Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study.
          01135
      • Establish, implement, and maintain a product and services acquisition strategy.
        01133
      • Establish, implement, and maintain a product and services acquisition program.
        01136
        • Prohibit the use of Personal Electronic Devices, absent approval.
          04599
    • Acquire products or services.
      11450
      • Discourage the modification of vendor-supplied software.
        12016
      • Establish, implement, and maintain an anti-counterfeit program for acquiring new systems.
        10641
        • Establish, implement, and maintain anti-counterfeit procedures.
          11498
          • Scan for potential counterfeit parts and potential counterfeit components.
            10643
          • Create and distribute a counterfeit product report.
            10642
    • Establish, implement, and maintain facilities, assets, and services acceptance procedures.
      01144
      • Test new hardware or upgraded hardware and software for implementation of security controls.
        06743
        • Test new software or upgraded software for security vulnerabilities.
          01898
        • Test new hardware or upgraded hardware for security vulnerabilities.
          01899
    • Establish, implement, and maintain a consumer complaint management program.
      04570
      • Establish, implement, and maintain consumer complaint escalation procedures.
        07208
  • Privacy protection for information and data
    00008
    • Establish, implement, and maintain a privacy framework that protects restricted data.
      11850
      • Establish, implement, and maintain a personal data transparency program.
        00375
        • Establish and maintain privacy notices, as necessary.
          13443
          • Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice.
            13503
            • Include the right to opt out of personal data disclosure in the privacy notice.
              13460
          • Include instructions on how to opt out of personal data disclosure in the privacy notice.
            13461
        • Notify data subjects about the organization's external requirements relevant to the privacy program.
          12354
          • Notify data subjects about their privacy rights.
            12989
        • Establish, implement, and maintain adequate openness procedures.
          00377
          • Publish a description of activities about processing personal data in an official register.
            00379
            • Establish and maintain a records request manual.
              00381
          • Register with public bodies and notify the Data Commissioner before processing personal data.
            00383
          • Provide the data subject with the name, title, and address of the individual accountable for the organizational policies.
            00394
          • Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes.
            00398
        • Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
          00393
          • Provide the data subject with the means of gaining access to personal data held by the organization.
            00396
            • Provide the data subject with the data protection officer's contact information.
              12573
          • Provide the data subject with what personal data is made available to related organizations or subsidiaries.
            00399
            • Establish and maintain a disclosure accounting record.
              13022
              • Include what information was disclosed and to whom in the disclosure accounting record.
                04680
                • Include the disclosure date in the disclosure accounting record.
                  07133
                • Include the disclosure recipient in the disclosure accounting record.
                  07134
                • Include the disclosure purpose in the disclosure accounting record.
                  07135
      • Establish, implement, and maintain a privacy policy.
        06281
        • Define what is included in the privacy policy.
          00404
          • Include other organizations that personal data is being disclosed to in the privacy policy.
            00409
          • Include how to gain access to personal data held by the organization in the privacy policy.
            00410
        • Post the privacy policy in an easily seen location.
          00401
      • Establish, implement, and maintain a personal data accountability program.
        13432
        • Require data controllers to be accountable for their actions.
          00470
          • Notify the supervisory authority.
            00472
      • Establish, implement, and maintain a personal data use limitation program.
        13428
        • Establish, implement, and maintain a personal data use purpose specification.
          00093
          • Display or print the least amount of personal data necessary.
            04643
          • Notify the data subject of the collection purpose.
            00095
            • Refrain from using personal data collected for research and statistics for other purposes.
              00096
          • Document the law that requires personal data to be collected.
            00103
          • Notify the data subject of the consequences for not providing personal data.
            00104
          • Obtain the data subject's consent when the personal data use changes.
            11832
          • Dispose of media and personal data in a timely manner.
            00125
        • Establish, implement, and maintain personal data access procedures.
          00414
          • Provide individuals with information about disclosure of their personal data.
            00417
          • Respond to personal data access requests in a timely manner.
            00421
        • Establish, implement, and maintain personal data use limitation procedures.
          00128
          • Notify the data subject after personal data is used or disclosed.
            06247
          • Refrain from disclosing personal data absent consent of the individual or for defined exceptions.
            11967
          • Establish, implement, and maintain personal data retention procedures.
            00167
          • Establish, implement, and maintain personal data disposition procedures.
            13498
            • Remove personal data from records after receiving a personal data removal request.
              11972
        • Establish, implement, and maintain personal data disclosure procedures.
          00133
          • Disseminate and communicate personal data to the individual that it relates to.
            00428
            • Provide personal data at a cost that is not excessive.
              00430
      • Establish, implement, and maintain a personal data collection program.
        06487
        • Establish, implement, and maintain personal data collection limitation boundaries.
          00507
          • Obtain the data subject's consent and acknowledgment before collecting data.
            00012
            • Document each individual's personal data collection consent preferences.
              06945
          • Establish and maintain a personal data definition.
            00028
            • Include an individual's name in the personal data definition.
              04710
              • Include an individual's name combined with other personal data in the personal data definition.
                04709
            • Include an individual's electronic identification name or number in the personal data definition.
              04694
              • Include an individual's driver's license number or an individual's state identification card number in the personal data definition.
                04691
              • Include an individual's Social Security Number or Personal Identification Number in the personal data definition.
                04690
            • Include an individual's payment card information in the personal data definition.
              04751
            • Include an individual's Individually Identifiable Health Information in the personal data definition.
              04700
              • Include an individual's medical history in the personal data definition.
                04701
              • Include an individual's medical treatment in the personal data definition.
                04702
              • Include an individual's medical diagnosis in the personal data definition.
                04703
              • Include an individual's mental condition or an individual's physical condition in the personal data definition.
                04704
            • Include an individual's health insurance information in the personal data definition.
              04705
              • Include an individual's health insurance policy number in the personal data definition.
                04706
              • Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition.
                04707
            • Refrain from including publicly available information in the personal data definition.
              13084
          • Establish, implement, and maintain a personal data collection policy.
            00029
            • Collect personal data directly from the data subject.
              00011
            • Collect the minimum amount of personal data necessary.
              00078
            • Collect and record personal data for specific, explicit, and legitimate purposes.
              00027
            • Collect personal data when an individual gives consent.
              00030
          • Provide the data subject with information about the data controller during the collection process.
            00023
            • Disseminate and communicate the data collector's name and contact information to all interested personnel.
              13760
            • Provide the data subject with the third party processor's contact information when the data controller is not processing the personal data.
              00026
      • Establish, implement, and maintain a data handling program.
        13427
        • Establish, implement, and maintain data handling policies.
          00353
          • Establish, implement, and maintain data and information confidentiality policies.
            00361
            • Prohibit personal data from being sent by e-mail or instant messaging.
              00565
            • Protect electronic messaging information.
              12022
            • Establish, implement, and maintain record structures to support information confidentiality.
              00360
              • Include passwords, Personal Identification Numbers, and card security codes in the personal data definition.
                04699
              • Refrain from storing data elements containing payment card full magnetic stripe data.
                04757
              • Refrain from storing data elements containing sensitive authentication data after authorization is approved.
                04758
              • Render unrecoverable sensitive authentication data after authorization is approved.
                11952
              • Encrypt, truncate, or tokenize data fields, as necessary.
                06850
            • Limit data leakage.
              00356
              • Conduct personal data risk assessments.
                00357
              • Search the Internet for evidence of data leakage.
                10419
                • Review monitored websites for data leakage.
                  10593
          • Establish, implement, and maintain de-identifying and re-identifying procedures.
            07126
        • Establish, implement, and maintain data handling procedures.
          11756
          • Define personal data that falls under breach notification rules.
            00800
            • Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules.
              04662
            • Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules.
              04657
            • Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules.
              04658
              • Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules.
                04660
            • Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules.
              04752
              • Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules.
                04661
            • Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules.
              04673
              • Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules.
                04674
              • Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules.
                04675
              • Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules.
                04676
              • Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules.
                04682
            • Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules.
              04681
              • Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules.
                04683
              • Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules.
                04684
          • Define an out of scope privacy breach.
            04677
            • Include personal data that is publicly available information as an out of scope privacy breach.
              04678
      • Establish, implement, and maintain a personal data transfer program.
        00307
        • Include procedures for transferring personal data to third parties in the personal data transfer program.
          00333
          • Require transferees to implement adequate data protection levels for the personal data.
            00335
      • Develop remedies and sanctions for privacy policy violations.
        00474
        • Change or destroy any personal data that is incorrect.
          00462
          • Notify the data subject of changes made to personal data as the result of a dispute.
            00463
        • Establish, implement, and maintain a privacy dispute resolution program.
          12526
          • Provide the data subject with the name, title, and address to whom complaints are forwarded.
            00395
          • Notify individuals of their right to challenge personal data.
            00457
            • Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections.
              00467
    • Establish, implement, and maintain a Customer Information Management program.
      00084
      • Establish, implement, and maintain customer data authentication procedures.
        13187
        • Check the accuracy of personal data.
          00088
          • Record personal data correctly.
            00089
      • Check that personal data is complete.
        00090
      • Keep personal data up-to-date and valid.
        00091
  • Harmonization Methods and Manual of Style
    06095
    • Organize all compliance documents.
      06096
      • Organize all compliance documents to fit the message.
        06097
        • Define the structure for compliance documents and governance documents.
          06111
  • Third Party and supply chain oversight
    08807
    • Establish, implement, and maintain a supply chain management program.
      11742
      • Formalize client and third party relationships with contracts or nondisclosure agreements.
        00794
        • Establish, implement, and maintain information flow agreements with all third parties.
          04543
        • Include a description of the data or information to be covered in third party contracts.
          06510
          • Include text about access, use, disclosure, and transfer of data or information in third party contracts.
            11610
        • Include text that signatories must meet organizational compliance requirements in third party contracts.
          06506
          • Include compliance with the organization's access policy as a requirement in third party contracts.
            06507
          • Include compliance with the organization's privacy policy in third party contracts.
            06518
        • Include change control clauses in third party contracts, as necessary.
          06523
        • Include third party requirements for personnel security in third party contracts.
          00790
          • Establish, implement, and maintain third party transaction authentication procedures.
            00791
        • Include third party acknowledgment of their data protection responsibilities in third party contracts.
          01364
          • Include auditing third party security controls and compliance controls in third party contracts.
            01366
          • Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data.
            04264
          • Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements.
            06087
      • Document the organization's supply chain in the supply chain management program.
        09958
        • Establish and maintain a Third Party Service Provider list.
          12480
          • Include the services provided by each supplier in the Third Party Service Provider list.
            12481
        • Document supply chain transactions in the supply chain management program.
          08857
          • Document the supply chain's critical paths in the supply chain management program.
            10032
      • Establish, implement, and maintain Service Level Agreements with the organization's supply chain.
        00838
        • Approve all Service Level Agreements.
          00843
      • Categorize all suppliers in the supply chain management program.
        00792
      • Include risk management procedures in the supply chain management policy.
        08811
        • Perform a risk assessment prior to engaging a third party.
          06454
          • Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report.
            10029
      • Establish, implement, and maintain a supply chain management policy.
        08808
        • Include the third party selection process in the supply chain management policy.
          13132
          • Select suppliers based on their qualifications.
            00795
        • Include a clear management process in the supply chain management policy.
          08810
        • Use third parties that are compliant with the applicable requirements.
          08818
    • Conduct all parts of the supply chain due diligence process.
      08854
      • Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements.
        00359
        • Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information.
          13353
      • Assess third parties' compliance environment during due diligence.
        13134
        • Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members.
          11888
        • Request attestation of compliance from third parties.
          12067
          • Document the third parties compliance with the organization's system hardening framework.
            04263
          • Validate the third parties' compliance to organizationally mandated compliance requirements.
            08819
    • Assess the effectiveness of third party services provided to the organization.
      13142
      • Monitor third parties for performance and effectiveness, as necessary.
        00799
        • Review the supply chain's service delivery on a regular basis.
          12010
    • Establish, implement, and maintain a product inventory.
      08955
      • Include a unique reference identifier on products for sale.
        08958