•Establish, implement, and maintain a reporting methodology program.
02072
•Establish, implement, and maintain communication protocols.
12245
•Analyze organizational objectives, functions, and activities.
00598
•Establish, implement, and maintain organizational objectives.
09959
•Prioritize organizational objectives.
09960
•Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties.
13191
•Document and communicate the linkage between organizational objectives, functions, activities, and general controls.
12398
•Review the organization's approach to managing information security, as necessary.
12005
•Identify all interested personnel and affected parties.
12845
•Analyze and prioritize the requirements of interested personnel and affected parties.
12796
•Establish, implement, and maintain an information classification standard.
00601
•Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard.
11997
•Classify the criticality to unauthorized disclosure or modification of information in the information classification standard.
11996
•Classify the value of information in the information classification standard.
11995
•Classify the legal requirements of information in the information classification standard.
11994
•Establish, implement, and maintain an Information and Infrastructure Architecture model.
00599
•Monitor regulatory trends to maintain compliance.
00604
•Subscribe to a threat intelligence service to receive notification of emerging threats.
12135
•Establish, implement, and maintain a Quality Management framework.
07196
•Establish, implement, and maintain a Quality Management program.
07201
•Include an issue tracking system in the Quality Management program.
06824
•Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.
01241
•Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents.
00688
•Establish and maintain an Information Systems Assurance Categories Definitions document.
01608
•Establish, implement, and maintain a policy and procedure management program.
06285
•Include requirements in the organization’s policies, standards, and procedures.
12956
•Establish and maintain an Authority Document list.
07113
•Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework.
01636
•Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties.
12901
•Approve all compliance documents.
06286
•Establish, implement, and maintain a compliance exception standard.
01628
•Include explanations, compensating controls, or risk acceptance in the compliance exceptions document.
01631
•Review the compliance exceptions in the exceptions document, as necessary.
01632
•Define the Information Assurance strategic roles and responsibilities.
00608
•Establish and maintain a compliance oversight committee.
00765
•Address Information Security during the business planning processes.
06495
•Establish, implement, and maintain a strategic plan.
12784
•Establish, implement, and maintain a Strategic Information Technology Plan.
00628
•Incorporate protection of restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan.
06491
•Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan.
00632
•Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan.
01609
•Monitor and evaluate the implementation and effectiveness of Information Technology Plans.
00634
•Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program.
06492
•Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security.
06493
•Establish, implement, and maintain a financial management program.
13228
•Establish, implement, and maintain a Capital Planning and Investment Control policy.
06279
•Monitoring and measurement
00636
•Monitor the usage and capacity of critical assets.
14825
•Monitor the usage and capacity of Information Technology assets.
00668
•Notify the interested personnel and affected parties before the storage unit reaches maximum capacity.
06773
•Monitor systems for errors and faults.
04544
•Compare system performance metrics to organizational standards and industry benchmarks.
00667
•Establish, implement, and maintain Security Control System monitoring and reporting procedures.
12506
•Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures.
12525
•Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures.
12513
•Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures.
12512
•Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures.
12511
•Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures.
12510
•Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures.
12509
•Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures.
12508
•Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures.
12507
•Establish, implement, and maintain Responding to Failures in Security Controls procedures.
12514
•Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure.
12521
•Include implementing mitigating controls to prevent the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure.
12520
•Include performing a risk assessment to determine whether further actions are required because of the failure of a security control in the Responding to Failures in Security Controls procedure.
12519
•Include correcting security issues caused by the failure of a security control in the Responding to Failures in Security Controls procedure.
12518
•Include documenting the duration of the failure of a security control in the Responding to Failures in Security Controls procedure.
12517
•Include restoring security functions in the Responding to Failures in Security Controls procedure.
12515
•Establish, implement, and maintain logging and monitoring operations.
00637
•Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs.
06312
•Establish, implement, and maintain intrusion management operations.
00580
•Install and maintain an Intrusion Detection System and/or Intrusion Prevention System.
00581
•Protect each person's right to privacy and civil liberties during intrusion management operations.
10035
•Do not intercept communications of any kind when providing a service to clients.
09985
•Determine if honeypots should be installed, and if so, where the honeypots should be placed.
00582
•Monitor systems for inappropriate usage and other security violations.
00585
•Monitor systems for blended attacks and multiple component incidents.
01225
•Monitor systems for Denial of Service attacks.
01222
•Monitor systems for access to restricted data or restricted information.
04721
•Assign roles and responsibilities for overseeing access to restricted data or restricted information.
11950
•Detect unauthorized access to systems.
06798
•Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.
06430
•Monitor systems for unauthorized mobile code.
10034
•Update the intrusion detection capabilities and the incident response capabilities regularly.
04653
•Implement honeyclients to proactively search for malicious websites and malicious code.
10658
•Implement detonation chambers, where appropriate.
10670
•Define and assign log management roles and responsibilities.
06311
•Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information.
00638
•Establish, implement, and maintain event logging procedures.
01335
•Include a standard to collect and interpret event logs in the event logging procedures.
00643
•Protect the event logs from failure.
06290
•Supply each in scope asset with audit reduction tools and report generation capabilities to support after-the-fact investigations without altering the event logs.
01427
•Compile the event logs of multiple components into a system-wide time-correlated audit trail.
01424
•Review and update event logs and audit logs, as necessary.
00596
•Eliminate false positives in event logs and audit logs.
07047
•Follow up on exceptions and anomalies identified when reviewing logs.
11925
•Document the event information to be logged in the event information log specification.
00639
•Enable logging for all systems that meet the traceability criteria.
00640
•Enable and configure logging on network access controls in accordance with organizational standards.
01963
•Synchronize system clocks to an accurate and universal time source on all devices.
01340
•Define the frequency to capture and log events.
06313
•Review and update the list of auditable events in the event logging procedures.
10097
•Monitor and evaluate system performance.
00651
•Monitor for suspicious activities and react when they are detected.
00586
•Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information.
04727
•Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records.
04728
•Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form.
04740
•Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner.
04729
•Establish, implement, and maintain a continuous monitoring program for configuration management.
06757
•Establish, implement, and maintain an automated configuration monitoring system.
07058
•Monitor for and report when a software configuration is updated.
06746
•Notify the appropriate personnel when the software configuration is updated absent authorization.
04886
•Monitor for firmware updates absent authorization.
10675
•Implement file integrity monitoring.
01205
•Identify unauthorized modifications during file integrity monitoring.
12096
•Monitor for software configuration updates absent authorization.
10676
•Allow expected changes during file integrity monitoring.
12090
•Monitor for documents being updated absent authorization.
10677
•Include a change history and identify who made the changes in the file integrity monitoring report.
12091
•Alert interested personnel and affected parties when an unauthorized modification to critical files is detected.
12045
•Monitor and evaluate user account activity.
07066
•Develop and maintain a usage profile for each user account.
07067
•Log account usage to determine dormant accounts.
12118
•Log account usage times.
07099
•Generate daily reports of user logons during hours outside of their usage profile.
07068
•Generate daily reports of users who have grossly exceeded their usage profile logon duration.
07069
•Notify the appropriate personnel after identifying dormant accounts.
12125
•Log Internet Protocol addresses used during logon.
07100
•Report red flags when logon credentials are used on a computer different from the one in the usage profile.
07070
•Establish, implement, and maintain a risk monitoring program.
00658
•Monitor the organization's exposure to threats, as necessary.
06494
•Monitor for new vulnerabilities.
06843
•Test compliance controls for proper functionality.
00660
•Establish, implement, and maintain a system security plan.
01922
•Create specific test plans to test each system component.
00661
•Monitor devices continuously for conformance with production specifications.
06201
•Establish, implement, and maintain a testing program.
00654
•Conduct Red Team exercises, as necessary.
12131
•Establish and maintain a scoring method for Red Team exercise results.
12136
•Test security systems and associated security procedures, as necessary.
11901
•Scan organizational networks for rogue devices.
00536
•Scan the network for wireless access points.
00370
•Document the business need justification for authorized wireless access points.
12044
•Scan wireless networks for rogue devices.
11623
•Test the wireless device scanner's ability to detect rogue devices.
06859
•Implement incident response procedures when rogue devices are discovered.
11880
•Deny network access to rogue devices until network access approval has been received.
11852
•Isolate rogue devices after a rogue device has been detected.
07061
•Establish, implement, and maintain a port scan baseline for all in scope systems.
12134
•Compare port scan reports for in scope systems against their port scan baseline.
12162
•Establish, implement, and maintain a penetration test program.
01105
•Align the penetration test program with industry standards.
12469
•Assign penetration testing to a qualified internal resource or external third party.
06429
•Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation.
11958
•Retain penetration test results according to internal policy.
10049
•Retain penetration test remediation action records according to internal policy.
11629
•Perform penetration tests, as necessary.
00655
•Perform internal penetration tests, as necessary.
12471
•Perform external penetration tests, as necessary.
12470
•Include coverage of all in scope systems during penetration testing.
11957
•Test the system for broken access controls.
01319
•Test the system for broken authentication and session management.
01320
•Test the system for insecure communications.
00535
•Test the system for cross-site scripting attacks.
01321
•Test the system for buffer overflows.
01322
•Test the system for injection flaws.
01323
•Test the system for insecure configuration management.
01327
•Perform network-layer penetration testing on all systems, as necessary.
01277
•Test the system for cross-site request forgery.
06296
•Perform application-layer penetration testing on all systems, as necessary.
11630
•Perform penetration testing on segmentation controls, as necessary.
12498
•Repeat penetration testing, as necessary.
06860
•Test the system for covert channels.
10652
•Estimate the maximum bandwidth of any covert channels.
10653
•Reduce the maximum bandwidth of covert channels.
10655
•Test systems to determine which covert channels might be exploited.
10654
•Establish, implement, and maintain a vulnerability management program.
15721
•Establish, implement, and maintain a vulnerability assessment program.
11636
•Perform vulnerability scans, as necessary.
11637
•Repeat vulnerability scanning, as necessary.
11646
•Identify and document security vulnerabilities.
11857
•Rank discovered vulnerabilities.
11940
•Use dedicated user accounts when conducting vulnerability scans.
12098
•Assign vulnerability scanning to qualified personnel or external third parties.
11638
•Record the vulnerability scanning activity in the vulnerability scan report.
12097
•Correlate vulnerability scan reports from the various systems.
10636
•Perform internal vulnerability scans, as necessary.
00656
•Update the vulnerability scanners' vulnerability list.
10634
•Repeat vulnerability scanning after an approved change occurs.
12468
•Perform external vulnerability scans, as necessary.
11624
•Employ an approved third party to perform external vulnerability scans on the organization's systems.
12467
•Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports.
10635
•Notify the interested personnel and affected parties after the failure of an automated security test.
06748
•Perform vulnerability assessments, as necessary.
11828
•Review applications for security vulnerabilities after the application is updated.
11938
•Test the system for unvalidated input.
01318
•Test the system for proper error handling.
01324
•Test the system for insecure data storage.
01325
•Perform penetration tests and vulnerability scans in concert, as necessary.
12111
•Test the system for insecure cryptographic storage.
11635
•Test in scope systems for compliance with the Configuration Baseline Documentation Record.
12130
•Recommend mitigation techniques based on penetration test results.
04881
•Correct or mitigate vulnerabilities.
12497
•Disseminate and communicate the testing program to all interested personnel and affected parties.
11871
•Establish, implement, and maintain a compliance monitoring policy.
00671
•Establish, implement, and maintain a metrics policy.
01654
•Establish, implement, and maintain an approach for compliance monitoring.
01653
•Monitor personnel and third parties for compliance with the organizational compliance framework.
04726
•Carry out disciplinary actions when a compliance violation is detected.
06675
•Align disciplinary actions with the level of compliance violation.
12404
•Establish, implement, and maintain an Information Security metrics program.
01665
•Establish, implement, and maintain a technical measurement metrics policy.
01655
•Establish, implement, and maintain an incident management and vulnerability management metrics program.
02085
•Establish, implement, and maintain a log management program.
00673
•Deploy log normalization tools, as necessary.
12141
•Restrict access to logs to authorized individuals.
01342
•Restrict access to audit trails to a need-to-know basis.
11641
•Back up audit trails according to backup procedures.
11642
•Back up logs according to backup procedures.
01344
•Copy logs from all predefined hosts onto a log management infrastructure.
01346
•Protect logs from unauthorized activity.
01345
•Archive the audit trail in accordance with compliance requirements.
00674
•Enforce dual authorization as a part of information flow control for logs.
10098
•Preserve the identity of individuals in audit trails.
10594
•Establish, implement, and maintain a cross-organizational audit sharing agreement.
10595
•Provide cross-organizational audit information based on the cross-organizational audit sharing agreement.
10596
•Establish, implement, and maintain a corrective action plan.
00675
•Include monitoring in the corrective action plan.
11645
•Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.
00676
•Provide intelligence support to the organization, as necessary.
14020
•Establish, implement, and maintain a Technical Surveillance Countermeasures program.
11401
•Conduct a Technical Surveillance Countermeasures survey.
10637
•Audits and risk management
00677
•Establish, implement, and maintain a Statement of Compliance.
12499
•Define the roles and responsibilities for personnel assigned to tasks in the Audit function.
00678
•Define and assign the internal audit manager's roles and responsibilities.
00680
•Report audit findings to interested personnel and affected parties.
01152
•Define and assign the external auditor's roles and responsibilities.
00683
•Retain copies of external auditor outsourcing contracts and engagement letters.
01188
•Review external auditor outsourcing contracts and engagement letters.
01189
•Review the risk assessments as compared to the in scope controls.
06978
•Include the scope and work to be performed in external auditor outsourcing contracts.
01190
•Review the adequacy of the external auditor's work papers and audit reports.
01199
•Establish, implement, and maintain an audit program.
00684
•Assign the audit to impartial auditors.
07118
•Exercise due professional care during the planning and performance of the audit.
07119
•Include agreement to the audit scope and audit terms in the audit program.
06965
•Establish and maintain a bespoke audit scope for each audit being performed.
13077
•Include the scope for the desired level of assurance in the audit program.
12793
•Include the criteria for determining the desired level of assurance in the audit program.
12795
•Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program.
12794
•Accept the attestation engagement when all preconditions are met.
13933
•Audit in scope audit items and compliance documents.
06730
•Collect all work papers for the audit and audit report into an engagement file.
07001
•Audit policies, standards, and procedures.
12927
•Determine if the audit assertion's in scope controls are reasonable.
06980
•Document test plans for auditing in scope controls.
06985
•Determine the effectiveness of in scope controls.
06984
•Review incident management audit logs to determine the effectiveness of in scope controls.
12157
•Observe processes to determine the effectiveness of in scope controls.
12155
•Audit the in scope system according to the test plan using relevant evidence.
07112
•Respond to questions or clarification requests regarding the audit.
08902
•Establish and maintain organizational audit reports.
06731
•Include the scope and work performed in the audit report.
11621
•Review the adequacy of the internal auditor's audit reports.
11620
•Review past audit reports.
01155
•Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list.
07117
•Disseminate and communicate the reviews of audit reports to organizational management.
00653
•Implement a corrective action plan in response to the audit report.
06777
•Review management's response to issues raised in past audit reports.
01149
•Assess the quality of the audit program with regard to its documentation.
11622
•Establish, implement, and maintain an audit schedule for the audit program.
13158
•Establish, implement, and maintain a risk management program.
12051
•Establish, implement, and maintain the risk assessment framework.
00685
•Define and assign the roles and responsibilities for the risk assessment framework, as necessary.
06456
•Establish, implement, and maintain a risk assessment program.
00687
•Establish, implement, and maintain risk assessment procedures.
06446
•Establish, implement, and maintain a threat and risk classification scheme.
07183
•Document organizational risk criteria.
12277
•Include security threats and vulnerabilities in the threat and risk classification scheme.
00699
•Categorize the systems, information, and data by risk profile in the threat and risk classification scheme.
01443
•Include risks to critical personnel and assets in the threat and risk classification scheme.
00698
•Assign a probability of occurrence to all types of threats in the threat and risk classification scheme.
01173
•Include the roles and responsibilities involved in risk assessments in the risk assessment program.
06450
•Approve the risk assessment program and associated risk assessment procedures at the senior management level.
06458
•Perform risk assessments for all target environments, as necessary.
06452
•Include the results of the risk assessment in the risk assessment report.
06481
•Approve the results of the risk assessment as documented in the risk assessment report.
07109
•Update the risk assessment upon discovery of a new threat.
00708
•Update the risk assessment upon changes to the risk profile.
11627
•Disseminate and communicate the approved risk assessment report to interested personnel and affected parties.
10633
•Correlate the business impact of identified risks in the risk assessment report.
00686
•Conduct a Business Impact Analysis, as necessary.
01147
•Establish, implement, and maintain a risk register.
14828
•Document organizational risk tolerance in a risk register.
09961
•Align organizational risk tolerance to that of industry peers in the risk register.
09962
•Analyze and quantify the risks to in scope systems and information.
00701
•Establish and maintain a Risk Scoping and Measurement Definitions Document.
00703
•Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems.
06467
•Establish a risk acceptance level that is appropriate to the organization's risk appetite.
00706
•Select the appropriate risk treatment option for each identified risk in the risk register.
06483
•Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary.
00704
•Prioritize and select controls based on the risk assessment findings.
00707
•Establish, implement, and maintain a risk treatment plan.
11983
•Approve the risk treatment plan.
13495
•Integrate the corrective action plan based on the risk assessment findings with other risk management activities.
06457
•Document and communicate a corrective action plan based on the risk assessment findings.
00705
•Technical security
00508
•Establish, implement, and maintain an access classification scheme.
00509
•Include restricting access to confidential data or restricted information to a need-to-know basis in the access classification scheme.
00510
•Include business security requirements in the access classification scheme.
00002
•Interpret and apply security requirements based upon the information classification of the system.
00003
•Include third party access in the access classification scheme.
11786
•Establish, implement, and maintain security classifications for organizational assets.
00005
•Limit the use of resources by priority.
01448
•Establish, implement, and maintain an access control program.
11702
•Include instructions to change authenticators as often as necessary in the access control program.
11931
•Include guidance for how users should protect their authentication credentials in the access control program.
11929
•Include guidance on selecting authentication credentials in the access control program.
11928
•Establish, implement, and maintain access control policies.
00512
•Disseminate and communicate the access control policies to all interested personnel and affected parties.
10061
•Establish, implement, and maintain an access rights management plan.
00513
•Identify information system users.
12081
•Review user accounts.
00525
•Match user accounts to authorized parties.
12126
•Review shared accounts.
11840
•Control access rights to organizational assets.
00004
•Configure access control lists in accordance with organizational standards.
16465
•Add all devices requiring access control to the Access Control List.
06264
•Define roles for information systems.
12454
•Define access needs for each role assigned to an information system.
12455
•Define access needs for each system component of an information system.
12456
•Define the level of privilege required for each system component of an information system.
12457
•Establish access rights based on least privilege.
01411
•Assign user permissions based on job responsibilities.
00538
•Assign user privileges after they have management sign off.
00542
•Separate processing domains to segregate user privileges and enhance information flow control.
06767
•Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts.
01412
•Establish, implement, and maintain session lock capabilities.
01417
•Limit concurrent sessions according to account type.
01416
•Establish session authenticity through Transport Layer Security.
01627
•Enable access control for objects and users on each system.
04553
•Include all system components in the access control system.
11939
•Set access control for objects and users to "deny all" unless explicitly authorized.
06301
•Enable access control for objects and users to match restrictions set by the system's security classification.
04850
•Enable role-based access control for objects and users on information systems.
12458
•Include the objects and users subject to access control in the security policy.
11836
•Assign Information System access authorizations if implementing segregation of duties.
06323
•Enforce access restrictions for change control.
01428
•Enforce access restrictions for restricted data.
01921
•Perform a risk assessment prior to activating third party access to the organization's critical systems.
06455
•Activate third party maintenance accounts and user identifiers, as necessary.
04262
•Establish, implement, and maintain a system use agreement for each information system.
06500
•Accept and sign the system use agreement before data or system access is enabled.
06501
•Display a logon banner and appropriate logon message before granting access to the system.
06770
•Display previous logon information in the logon banner.
01415
•Document actions that can be performed on an information system absent identification and authentication of the user.
06771
•Control user privileges.
11665
•Review all user privileges, as necessary.
06784
•Revoke asset access when a personnel status change occurs or an individual is terminated.
00516
•Review and update accounts and access rights when notified of personnel status changes.
00788
•Establish, implement, and maintain User Access Management procedures.
00514
•Establish, implement, and maintain an authority for access authorization list.
06782
•Review and approve logical access to all assets based upon organizational policies.
06641
•Control the addition and modification of user identifiers, user credentials, or other authenticators.
00515
•Assign roles and responsibilities for administering user account management.
11900
•Automate access control methods, as necessary.
11838
•Refrain from allowing user access to identifiers and authenticators used by applications.
10048
•Remove inactive user accounts, as necessary.
00517
•Remove temporary user accounts, as necessary.
11839
•Establish, implement, and maintain a password policy.
16346
•Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information.
00518
•Limit superuser accounts to designated System Administrators.
06766
•Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework.
00526
•Protect and manage biometric systems and biometric data.
01261
•Document the business need justification for authentication data storage.
06325
•Establish, implement, and maintain access control procedures.
11663
•Implement out-of-band authentication, as necessary.
10606
•Grant access to authorized personnel or systems.
12186
•Document approving and granting access in the access control log.
06786
•Include digital identification procedures in the access control program.
11841
•Employ unique identifiers.
01273
•Disseminate and communicate user identifiers and authenticators using secure communication protocols.
06791
•Include instructions to refrain from using previously used authenticators in the access control program.
11930
•Require multiple forms of personal identification prior to issuing user identifiers.
08712
•Authenticate user identities before manually resetting an authenticator.
04567
•Require proper authentication for user identifiers.
11785
•Assign authenticators to user accounts.
06855
•Assign authentication mechanisms for user account authentication.
06856
•Refrain from allowing individuals to share authentication mechanisms.
11932
•Use biometric authentication for identification and authentication, as necessary.
06857
•Identify and control all network access controls.
00529
•Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective.
04589
•Establish, implement, and maintain a network configuration standard.
00530
•Establish, implement, and maintain a network security policy.
06440
•Establish, implement, and maintain a wireless networking policy.
06732
•Maintain up-to-date network diagrams.
00531
•Manage all internal network connections.
06329
•Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol.
12109
•Establish, implement, and maintain separate virtual private networks to transport sensitive information.
12124
•Establish, implement, and maintain separate virtual local area networks for untrusted devices.
12095
•Manage all external network connections.
11842
•Route outbound Internet traffic through a proxy server that supports decrypting network traffic.
12116
•Prohibit systems from connecting directly to external networks.
08709
•Secure the Domain Name System.
00540
•Implement a fault-tolerant architecture.
01626
•Implement segregation of duties.
11843
•Establish, implement, and maintain a Boundary Defense program.
00544
•Refrain from disclosing Internet Protocol addresses, routing information, and DNS names, unless necessary.
11891
•Segregate systems in accordance with organizational standards.
12546
•Segregate servers that contain restricted data or restricted information from direct public access.
00533
•Design Demilitarized Zones with proper isolation rules.
00532
•Restrict inbound network traffic into the Demilitarized Zone.
01285
•Restrict inbound network traffic into the Demilitarized Zone to destination addresses within the Demilitarized Zone.
11998
•Segregate applications and databases that contain restricted data or restricted information in an internal network zone.
01289
•Establish, implement, and maintain a network access control standard.
00546
•Include assigned roles and responsibilities in the network access control standard.
06410
•Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary.
11821
•Place firewalls between security domains and between any Demilitarized Zone and internal network zones.
01274
•Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information.
01293
•Place firewalls between all security domains and between any secure subnet and internal network zones.
11784
•Include configuration management and rulesets in the network access control standard.
11845
•Establish, implement, and maintain a firewall and router configuration standard.
00541
•Include testing and approving all network connections through the firewall in the firewall and router configuration standard.
01270
•Include compensating controls implemented for insecure protocols in the firewall and router configuration standard.
11948
•Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary.
11903
•Include restricting inbound network traffic in the firewall and router configuration standard.
11960
•Include restricting outbound network traffic in the firewall and router configuration standard.
11961
•Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard.
12435
•Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard.
12434
•Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard.
12426
•Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information.
11847
•Include a protocols, ports, applications, and services list in the firewall and router configuration standard.
00537
•Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard.
01280
•Install and configure firewalls to be enabled on all mobile devices, if possible.
00550
•Lock personal firewall configurations to prevent them from being disabled or changed by end users.
06420
•Configure network access and control points to protect restricted information and restricted functions.
01284
•Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions.
12174
•Configure firewalls to deny all traffic by default, except explicitly designated traffic.
00547
•Configure firewalls to perform dynamic packet filtering.
01288
•Configure firewall filtering to only permit established connections into the network.
12482
•Restrict outbound network traffic from systems that contain restricted data or restricted information.
01295
•Synchronize and secure all router configuration files.
01291
•Configure firewalls to generate an alert when a potential security incident is detected.
12165
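The two firewall alerting controls (flag long sessions with their source and destination addresses; alert on potential incidents) are the kind of thing a SIEM rule or a small log-processing job implements. The code below is an added example over constructed log lines, not code from the catalogue or any firewall vendor: the key=value export format, the field names, the one-hour session threshold and the three-denies burst threshold are assumptions for the example, and all addresses come from documentation ranges.

```python
"""Firewall log checks: long-lived sessions and deny bursts.

Added example for the two firewall alerting controls; not from the catalogue.
The key=value log format, thresholds and log lines are constructed for this
example; map the field names to your firewall's export.
"""
import re
from collections import Counter
from typing import Dict, List

LONG_SESSION_SECONDS = 3600  # assumed threshold for a "long session"
DENY_BURST_MIN = 3           # assumed: this many denies from one source is worth an alert

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; values stay strings."""
    return dict(_KV.findall(line))


def long_session_alerts(lines: List[str], threshold: int = LONG_SESSION_SECONDS) -> List[Dict]:
    """Alert on session_end records whose duration meets the threshold.

    Each alert carries source and destination IP so an analyst can pivot
    without going back to the raw log.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") != "session_end":
            continue
        try:
            duration = int(rec["duration"])
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than crash the pipeline
        if duration >= threshold:
            alerts.append({"src": rec.get("src"), "dst": rec.get("dst"),
                           "dport": rec.get("dport"), "duration": duration,
                           "rule": rec.get("rule")})
    return alerts


def deny_burst_alerts(lines: List[str], minimum: int = DENY_BURST_MIN) -> List[Dict]:
    """Alert on sources that hit the deny rule repeatedly (a likely scan or probe)."""
    per_src: Counter = Counter()
    ports: Dict[str, set] = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") != "deny":
            continue
        src = rec.get("src", "?")
        per_src[src] += 1
        ports.setdefault(src, set()).add(rec.get("dport", "?"))
    return [{"src": src, "denies": n, "dports": sorted(ports[src])}
            for src, n in per_src.most_common() if n >= minimum]


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
ts=2024-06-01T10:00:05Z event=session_end src=10.1.4.22 dst=203.0.113.40 dport=443 duration=42 rule=allow-web
ts=2024-06-01T10:12:41Z event=session_end src=10.1.4.22 dst=198.51.100.7 dport=443 duration=7213 rule=allow-web
ts=2024-06-01T10:13:02Z event=deny src=192.0.2.9 dst=10.1.4.1 dport=22 rule=default-deny
ts=2024-06-01T10:13:03Z event=deny src=192.0.2.9 dst=10.1.4.1 dport=23 rule=default-deny
ts=2024-06-01T10:13:04Z event=deny src=192.0.2.9 dst=10.1.4.1 dport=3389 rule=default-deny
ts=2024-06-01T10:20:00Z event=deny src=198.51.100.200 dst=10.1.4.1 dport=445 rule=default-deny
ts=2024-06-01T10:40:10Z event=session_end src=10.1.7.5 dst=203.0.113.88 dport=8443 duration=3600 rule=allow-web
ts=2024-06-01T10:41:00Z event=session_end src=10.1.7.5 dst=203.0.113.88 dport=53 duration=bogus rule=allow-dns
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in long_session_alerts(lines):
        print(f"LONG SESSION {a['src']} -> {a['dst']}:{a['dport']} {a['duration']}s ({a['rule']})")
    for a in deny_burst_alerts(lines):
        print(f"DENY BURST from {a['src']}: {a['denies']} denies on ports {a['dports']}")
```

The malformed duration line is skipped deliberately: a detection job that raises on one bad record stops alerting on everything after it. A single deny from 198.51.100.200 stays below the burst threshold and is not reported.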
•Record the configuration rules for network access and control points in the configuration management system.
12105
•Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system.
12107
•Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system.
12106
•Configure network access and control points to organizational standards.
12442
•Install and configure application layer firewalls for all key web-facing applications.
01450
•Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards.
11853
•Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard.
11854
•Establish, implement, and maintain a Wireless Local Area Network Configuration Management program.
01646
•Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks.
04830
•Enforce information flow control.
11781
•Establish, implement, and maintain information flow control configuration standards.
01924
•Assign appropriate roles for enabling or disabling information flow controls.
06760
•Require the system to identify and authenticate approved devices before establishing a connection.
01429
•Perform content filtering scans on network traffic.
06761
•Use content filtering scans to identify information flows by data type specification.
06762
•Use content filtering scans to identify information flows by data type usage.
11818
•Take appropriate action to address information flow anomalies.
12164
•Document information flow anomalies that do not fit normal traffic patterns.
12163
•Prevent encrypted data from bypassing content filtering mechanisms.
06758
•Perform content filtering scans on incoming and outgoing e-mail.
06733
•Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists.
12128
•Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information.
06734
•Constrain the information flow of restricted data or restricted information.
06763
•Restrict access to restricted data and restricted information on a need to know basis.
12453
•Prohibit restricted data or restricted information from being sent to mobile devices.
04725
•Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control.
06310
•Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.
01410
•Establish, implement, and maintain information flow procedures.
04542
•Establish, implement, and maintain information exchange procedures.
11782
•Protect data from modification or loss while transmitting between separate parts of the system.
04554
•Review and approve information exchange system connections.
07143
•Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services.
13104
•Establish, implement, and maintain whitelists and blacklists of domain names.
07097
•Deploy sender policy framework records in the organization's Domain Name Servers.
12183
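Publishing an SPF record is only half the control; the record also has to evaluate the way the organisation intends, end in a restrictive `all` term and stay under the ten-DNS-lookup limit, or receivers will return permerror and the record protects nothing. The evaluator and lint below are an added example, not code from the catalogue: they implement the `ip4`/`ip6`/`all` subset of RFC 7208 offline (terms that need DNS, such as `include` or `mx`, are counted but not followed), and the record and addresses are constructed from documentation ranges.

```python
"""Offline SPF record evaluation and lint.

Added example for the SPF control; not code from the catalogue. Implements
the ip4/ip6/all subset of RFC 7208 with no DNS resolution, so include/a/mx/
exists/redirect terms are counted but never followed. Record and addresses
are constructed from documentation ranges.
"""
import ipaddress
from typing import List, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def _split_term(term: str) -> Tuple[str, str, str]:
    """Return (qualifier, mechanism-or-modifier name, argument) for one SPF term."""
    qualifier = "+"
    if term and term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    for sep in (":", "="):
        if sep in term:
            name, arg = term.split(sep, 1)
            return qualifier, name.lower(), arg
    return qualifier, term.lower(), ""


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate one SPF record against the connecting IP.

    Returns none (not an SPF record), pass, fail, softfail, neutral or
    permerror (malformed network). DNS-dependent terms never match here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, name, arg = _split_term(term)
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no match and no 'all' term: RFC 7208 default result


def dns_lookup_count(record: str) -> int:
    """Count terms that cost a DNS lookup; more than ten is a permerror at receivers."""
    return sum(1 for t in record.split()[1:] if _split_term(t)[1] in DNS_TERMS)


def lint_spf(record: str) -> List[str]:
    """Flag the deployment mistakes most often seen in published records."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    problems = []
    last = _split_term(terms[-1])[1] if len(terms) > 1 else ""
    if last not in ("all", "redirect"):
        problems.append("record does not end with an 'all' (or redirect) term")
    if any(_split_term(t) == ("+", "all", "") for t in terms[1:]):
        problems.append("'+all' authorises every sender")
    if dns_lookup_count(record) > MAX_DNS_LOOKUPS:
        problems.append("more than 10 DNS-querying terms: receivers will return permerror")
    return problems


# Constructed record for an example domain.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 include:_spf.example.net -all"

if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.9", "2001:db8:1::25"):
        print(ip, evaluate_spf(RECORD, ip))
    print("lint:", lint_spf("v=spf1 ip4:192.0.2.0/24 +all") or "ok")
```

A receiver that sees a sender outside the listed networks reaches `-all` and returns fail; with `~all` it would return softfail, which most receivers treat as a weaker signal. The lint is the check to run before the record is published and after every change to the mail infrastructure.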
•Block uncategorized sites using URL filtering.
12140
•Subscribe to a URL categorization service to maintain website category definitions in the URL filter list.
12139
•Establish, implement, and maintain whitelists and blacklists of software.
11780
•Implement information flow control policies when making decisions about information sharing or collaboration.
10094
•Secure access to each system component operating system.
00551
•Enforce privileged accounts and non-privileged accounts for system access.
00558
•Create a full text analysis on executed privileged functions.
06778
•Separate user functionality from system management functionality.
11858
•Segregate electronically stored information from operating system access.
00552
•Control all methods of remote access and teleworking.
00559
•Establish, implement, and maintain a remote access and teleworking program.
04545
•Control remote administration in accordance with organizational standards.
04459
•Control remote access through a network access control.
01421
•Employ multifactor authentication for remote access to the organization's network.
12505
•Implement multifactor authentication techniques.
00561
•Protect remote access accounts with encryption.
00562
•Monitor and evaluate all remote access usage.
00563
•Manage the use of encryption controls and cryptographic controls.
00570
•Define the cryptographic module security functions and the cryptographic module operational modes.
06542
•Implement the documented cryptographic module security functions.
06755
•Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules.
06547
•Employ cryptographic controls that comply with applicable requirements.
12491
•Establish, implement, and maintain an encryption management and cryptographic controls policy.
04546
•Refrain from allowing the use of cleartext for input or output of restricted data or restricted information.
04823
•Encrypt in scope data or in scope information, as necessary.
04824
•Implement cryptographic operations and support functions on identification cards or badges.
06585
•Establish, implement, and maintain cryptographic key management procedures.
00571
•Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys.
01301
•Generate strong cryptographic keys.
01299
•Implement decryption keys so that they are not linked to user accounts.
06851
•Include the establishment of cryptographic keys in the cryptographic key management procedures.
06540
•Disseminate and communicate cryptographic keys securely.
01300
•Store cryptographic keys securely.
01298
•Restrict access to cryptographic keys.
01297
•Store cryptographic keys in encrypted format.
06084
•Store key-encrypting keys and data-encrypting keys in different locations.
06085
•Change cryptographic keys in accordance with organizational standards.
01302
•Destroy cryptographic keys promptly after the retention period.
01303
•Control cryptographic keys with split knowledge and dual control.
01304
•Prevent the unauthorized substitution of cryptographic keys.
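Split knowledge, dual control and protection against key substitution are usually implemented together in a key ceremony: each custodian generates and holds one random component, the working key exists only as the combination of all components, and a key check value (KCV) recorded at the ceremony lets the key be verified on every load without exposing it. The code below is an added example of that pattern, not code from the catalogue or from any HSM or payment standard. Its KCV convention (the first three bytes of HMAC-SHA256 over a zero block) is an assumption made for the example; X9/PCI procedures usually derive the KCV by encrypting a zero block with the key itself.

```python
"""Split knowledge and dual control for a symmetric key, with a key check value.

Added example for the key-management controls; not code from the catalogue.
Each custodian holds one random component; the working key is the XOR of all
components, so no single person ever sees it. The KCV convention (first 3 bytes
of HMAC-SHA256 over a zero block) is an assumption made for this example.
"""
import hashlib
import hmac
import secrets
from typing import List, Sequence, Tuple

KEY_LEN = 32  # 256-bit key


def generate_component(key_len: int = KEY_LEN) -> bytes:
    """One custodian's share, generated on their own device from a CSPRNG."""
    return secrets.token_bytes(key_len)


def combine(components: Sequence[bytes]) -> bytes:
    """Reconstruct the key; refuses to run with fewer than two shares (dual control)."""
    if len(components) < 2:
        raise ValueError("dual control: at least two components are required")
    key = bytes(len(components[0]))
    for comp in components:
        if len(comp) != len(key):
            raise ValueError("component length mismatch")
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def key_check_value(key: bytes) -> str:
    """Short, non-secret fingerprint recorded at the ceremony (assumed convention)."""
    return hmac.new(key, bytes(16), hashlib.sha256).hexdigest()[:6]


def load_key(components: Sequence[bytes], expected_kcv: str) -> bytes:
    """Combine the components and refuse the result if the KCV does not match.

    A mismatch means a wrong, corrupted or substituted component, which is the
    failure the substitution control is about: the key never enters service.
    """
    key = combine(components)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("key check value mismatch: wrong or substituted component")
    return key


def key_ceremony(n_custodians: int = 3) -> Tuple[List[bytes], str]:
    """Each custodian contributes a share; only the KCV is written into the record."""
    if n_custodians < 2:
        raise ValueError("need at least two custodians")
    shares = [generate_component() for _ in range(n_custodians)]
    kcv = key_check_value(combine(shares))
    return shares, kcv


if __name__ == "__main__":
    shares, kcv = key_ceremony(3)
    print("KCV recorded:", kcv)
    print("key loads with all shares:", load_key(shares, kcv) is not None)
```

Because every component is independently uniform, any subset short of the full set reveals nothing about the key, which is what makes the shares safe to hold separately. The KCV is public by design; it cannot recover the key, but it catches the substituted or mistyped component before the key is used to protect anything.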
•Revoke old cryptographic keys or invalid cryptographic keys immediately.
01307
•Replace known or suspected compromised cryptographic keys immediately.
01306
•Require key custodians to sign the key custodian's roles and responsibilities.
11820
•Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates.
06587
•Establish, implement, and maintain Public Key certificate application procedures.
07079
•Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures.
07080
•Include revocation of Public Key certificates in the Public Key certificate procedures.
07082
•Publish revoked Public Key certificates in the Certificate Revocation List.
07089
•Issue authentication mechanisms that support the Public Key Infrastructure.
07092
•Establish a Root Certification Authority to support the Public Key Infrastructure.
07084
•Include access to issued Public Key certificates in the Public Key certificate procedures.
07086
•Connect the Public Key Infrastructure to the organization's identity and access management system.
07091
•Use strong data encryption to transmit in scope data or in scope information, as necessary.
00564
•Ensure restricted data or restricted information are encrypted prior to or at the time of transmission.
01749
•Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls.
12492
•Encrypt traffic over networks with trusted cryptographic keys.
12490
•Implement non-repudiation for transactions.
00567
•Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks.
00568
•Protect application services information transmitted over a public network from unauthorized modification.
12021
•Protect application services information transmitted over a public network from unauthorized disclosure.
12020
•Protect application services information transmitted over a public network from contract disputes.
12019
•Protect application services information transmitted over a public network from fraudulent activity.
12018
•Establish, implement, and maintain a malicious code protection program.
00574
•Restrict downloading to reduce malicious code attacks.
04576
•Install security and protection software, as necessary.
00575
•Scan for malicious code, as necessary.
11941
•Test all removable storage media for viruses and malicious code.
11861
•Test all untrusted files or unverified files for viruses and malicious code.
01311
•Protect the system against replay attacks.
04552
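Replay protection for an authenticated message needs three things working together: a MAC that binds the payload to a timestamp and a nonce, a freshness window that bounds how long the receiver must remember nonces, and a nonce cache that rejects a resend inside that window. The code below is an added example of that design, not code from the catalogue or any protocol specification; the JSON message shape, the 300-second window and the test key are assumptions made for the example.

```python
"""Replay protection for authenticated messages: MAC, freshness window, nonce cache.

Added example for the replay-attack control; not code from the catalogue. The
message format (JSON with ts, nonce, mac), the 300-second window and the sample
key are assumptions made for this example.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

WINDOW_SECONDS = 300  # assumed: allowed drift between message timestamp and receiver clock


def _canonical(body: Dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, payload: Dict, now: float, nonce: Optional[bytes] = None) -> Dict:
    """Sender side: bind payload, timestamp and a fresh random nonce under one MAC."""
    body = {"payload": payload, "ts": int(now), "nonce": (nonce or secrets.token_bytes(16)).hex()}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class ReplayGuard:
    """Receiver side. Verdicts: ok, bad_mac, stale, replay.

    Order matters: the MAC is checked first so unauthenticated traffic cannot
    probe or fill the nonce cache; the timestamp bounds how long nonces must be
    remembered; the nonce cache catches a resend inside that window.
    """

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self._seen: Dict[str, int] = {}  # nonce -> message timestamp

    def _expire(self, now: float) -> None:
        """Drop nonces whose messages would now be rejected as stale anyway."""
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.window}

    def verify(self, msg: Dict, now: float) -> str:
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "bad_mac"
        if abs(now - body["ts"]) > self.window:
            return "stale"
        self._expire(now)
        if body["nonce"] in self._seen:
            return "replay"
        self._seen[body["nonce"]] = body["ts"]
        return "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    guard = ReplayGuard(key)
    msg = sign_message(key, {"op": "transfer", "amount": 10}, now=1_700_000_000)
    print("first delivery:", guard.verify(msg, 1_700_000_010))
    print("resent copy:   ", guard.verify(msg, 1_700_000_020))
```

Checking the timestamp before consulting the cache is what keeps the cache bounded: a message older than the window is refused without being remembered, so the receiver only ever stores nonces from the last few minutes. Dropping the nonce check and relying on the timestamp alone would leave a replay window equal to the allowed clock drift.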
•Log and react to all malicious code activity.
07072
•Analyze the behavior and characteristics of the malicious code.
10672
•Incorporate the malicious code analysis into the patch management program.
10673
•Lock antivirus configurations.
10047
•Establish, implement, and maintain an application security policy.
06438
•Conduct application security reviews, as necessary.
06298
•Correct all found deficiencies according to organizational standards after a web application policy compliance review.
06299
•Re-evaluate the web application after deficiencies have been corrected.
06300
•Establish, implement, and maintain a virtual environment and shared resources security program.
06551
•Establish, implement, and maintain a shared resources management program.
07096
•Implement non-persistent services and components that are initiated in a known state and terminated, as necessary.
10685
•Physical and environmental protection
00709
•Establish, implement, and maintain a physical security program.
11757
•Establish, implement, and maintain an anti-tamper protection program.
10638
•Monitor tamper-evident indicators for evidence that tampering has occurred.
11905
•Inspect device surfaces to detect tampering.
11868
•Inspect device surfaces to detect unauthorized substitution.
11869
•Inspect for tampering, as necessary.
10640
•Protect assets from tampering or unapproved substitution.
11902
•Establish, implement, and maintain a facility physical security program.
00711
•Inspect items brought into the facility.
06341
•Identify and document physical access controls for all physical entry points.
01637
•Control physical access to (and within) the facility.
01329
•Secure physical entry points with physical access controls or security guards.
01640
•Establish, implement, and maintain a visitor access permission policy.
06699
•Escort visitors within the facility, as necessary.
06417
•Authorize visitors before granting entry to physical areas containing restricted data or restricted information.
01330
•Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information.
01436
•Authorize physical access to sensitive areas based on job functions.
12462
•Change access requirements to organizational assets for personnel and visitors, as necessary.
12463
•Escort uncleared personnel who need to work in or access controlled access areas.
00747
•Establish, implement, and maintain physical identification procedures.
00713
•Manage visitor identification inside the facility.
11670
•Issue visitor identification badges to all non-employees.
00543
•Retrieve visitor identification badges prior to the exit of a visitor from the facility.
01331
•Establish, implement, and maintain identification issuance procedures for identification cards or badges.
06598
•Establish, implement, and maintain identification mechanism termination procedures.
06306
•Use locks to protect against unauthorized physical access.
06342
•Use locks with electronic authentication systems or cipher locks, as necessary.
06650
•Secure unissued access mechanisms.
06713
•Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems.
00748
•Change cipher lock codes, as necessary.
06651
•Manage access to loading docks, unloading docks, and mail rooms.
02210
•Isolate loading areas from information processing facilities, if possible.
12028
•Establish, implement, and maintain a guideline for working in a secure area.
04538
•Monitor for unauthorized physical access at physical entry points and physical exit points.
01638
•Establish and maintain a visitor log.
00715
•Record the visitor's name in the visitor log.
00557
•Record the visitor's organization in the visitor log.
12121
•Record the onsite personnel authorizing physical access for the visitor in the visitor log.
12466
•Retain all records in the visitor log as prescribed by law.
00572
•Establish, implement, and maintain a physical access log.
12080
•Log the entrance of a staff member to a facility or designated rooms within the facility.
01641
•Observe restricted areas with motion detectors or closed-circuit television systems.
01328
•Review and correlate all data collected from video cameras and/or access control mechanisms with other entries.
11609
•Configure video cameras to cover all physical entry points.
06302
•Configure video cameras to prevent physical tampering or disablement.
06303
•Retain video events according to Records Management procedures.
06304
•Monitor physical entry point alarms.
01639
•Build and maintain fencing, as necessary.
02235
•Employ security guards to provide physical security, as necessary.
06653
•Establish, implement, and maintain physical security controls for distributed assets.
00718
•Control the transiting and internal distribution or external distribution of assets.
00963
•Obtain management authorization for restricted storage media transit or distribution from a controlled access area.
00964
•Transport restricted media using a delivery method that can be tracked.
11777
•Track restricted storage media while it is in transit.
00967
•Restrict physical access to distributed assets.
11865
•Protect electronic storage media with physical access controls.
00720
•Establish, implement, and maintain removable storage media controls.
06680
•Control access to restricted storage media.
04889
•Physically secure all electronic storage media that store restricted data or restricted information.
11664
•Establish, implement, and maintain storage media access control procedures.
00959
•Control the storage of restricted storage media.
00965
•Protect distributed assets against theft.
06799
•Establish, implement, and maintain asset removal procedures or asset decommissioning procedures.
04540
•Prohibit assets from being taken off-site absent prior authorization.
12027
•Control the delivery of assets through physical entry points and physical exit points.
01441
•Establish, implement, and maintain on-site physical controls for all distributed assets.
04820
•Establish, implement, and maintain off-site physical controls for all distributed assets.
04539
•Attach asset location technologies to distributed assets.
10626
•Employ asset location technologies in accordance with applicable laws and regulations.
10627
•Establish, implement, and maintain end user computing device security guidelines.
00719
•Establish, implement, and maintain a locking screen saver policy.
06717
•Secure workstations to desks with security cables.
04724
•Establish, implement, and maintain mobile device security guidelines.
04723
•Encrypt information stored on mobile devices.
01422
•Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls.
00722
•Establish, implement, and maintain asset return procedures.
04537
•Require the return of all assets upon notification an individual is terminated.
06679
•Prohibit the use of recording devices near restricted data or restricted information, absent authorization.
04598
•Prohibit mobile device usage near restricted data or restricted information, absent authorization.
04597
•Prohibit wireless technology usage near restricted data or restricted information, absent authorization.
08706
•Inspect mobile devices for the storage of restricted data or restricted information.
08707
•Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device.
08708
•Establish, implement, and maintain a clean desk policy.
06534
•Establish, implement, and maintain a clear screen policy.
12436
•Prohibit the unauthorized remote activation of collaborative computing devices.
06768
•Provide a physical disconnect of collaborative computing devices in a way that supports ease of use.
06769
•Indicate the active use of collaborative computing devices to users physically present at the device.
10647
•Establish, implement, and maintain proper container security.
02208
•Lock closable storage containers.
06307
•Install and protect network cabling.
08624
•Control physical access to network cables.
00723
•Install network cabling specifically for maintenance purposes.
10613
•Install and maintain network jacks and outlet boxes.
08635
•Implement physical controls to restrict access to publicly accessible network jacks.
11989
•Enable network jacks at the patch panel, as necessary.
06305
•Implement logical controls to enable network jacks, as necessary.
11934
•Establish, implement, and maintain an environmental control program.
00724
•Protect power equipment and power cabling from damage or destruction.
01438
•Establish, implement, and maintain facility maintenance procedures.
00710
•Define selection criteria for facility locations.
06351
•Establish, implement, and maintain work environment requirements.
06613
•House system components in areas where the physical damage potential is minimized.
01623
•Establish, implement, and maintain a fire prevention and fire suppression standard.
06695
•Install and maintain fire protection equipment.
00728
•Install and maintain fire suppression systems.
00729
•Conduct periodic fire marshal inspections for all organizational facilities.
04888
•Employ environmental protections.
12570
•Install and maintain emergency lighting for use in a power failure.
01440
•Establish, implement, and maintain a Heating Ventilation and Air Conditioning system.
00727
•Install and maintain a moisture control system as a part of the climate control system.
06694
•Protect physical assets from water damage.
00730
•Operational and Systems Continuity
00731
•Establish, implement, and maintain a business continuity program.
13210
•Establish, implement, and maintain a continuity framework.
00732
•Establish and maintain the scope of the continuity framework.
11908
•Establish, implement, and maintain continuity roles and responsibilities.
00733
•Coordinate continuity planning with other business units responsible for related plans.
01386
•Establish, implement, and maintain a continuity plan.
00752
•Activate the continuity plan if the damage assessment report indicates the activation criterion has been met.
01373
•Execute fail-safe procedures when an emergency occurs.
07108
•Document and use the lessons learned to update the continuity plan.
10037
•Implement alternate security mechanisms when the means of implementing the security function is unavailable.
10605
•Document the uninterrupted power requirements for all in scope systems.
06707
•Install an Uninterruptible Power Supply sized to support all critical systems.
00725
•Install a generator sized to support the facility.
06709
•Establish, implement, and maintain a recovery plan.
13288
•Include restoration procedures in the continuity plan.
01169
•Include risk prioritized recovery procedures for each business unit in the recovery plan.
01166
•Distribute business functions across multiple geographically separated facilities.
10662
•Distribute processing activities across multiple geographically separated facilities.
10663
•Distribute electronic media storage devices across multiple geographically separated facilities.
10664
•Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary.
10665
•Establish, implement, and maintain organizational facility continuity plans.
02224
•Install and maintain redundant power supplies for critical facilities.
06355
•Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches.
01439
•Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary.
06696
•Install electro-magnetic shielding around all electrical cabling.
06358
•Establish, implement, and maintain system continuity plan strategies.
00735
•Define and prioritize critical business functions.
00736
•Review and prioritize the importance of each business unit.
01165
•Document the mean time to failure for system components.
10684
•Establish, implement, and maintain Recovery Point Objectives for all in scope systems.
15719
•Reconfigure restored systems to meet the Recovery Point Objectives.
01256
•Establish, implement, and maintain a critical third party list.
06815
•Establish, implement, and maintain a critical resource list.
00740
•Establish and maintain a core supply inventory required to support critical business functions.
04890
•Include website continuity procedures in the continuity plan.
01380
•Post all required information on organizational websites and ensure all hyperlinks are working.
04579
•Include Internet Service Provider continuity procedures in the continuity plan.
00743
•Include Wide Area Network continuity procedures in the continuity plan.
01294
•Include priority-of-service provisions in the telecommunications Service Level Agreements.
01396
•Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers.
01397
•Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards.
01399
•Require telecommunications service providers to have adequate continuity plans.
01400
•Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan.
01374
•Designate an alternate facility in the continuity plan.
00742
•Separate the alternate facility from the primary facility through geographic separation.
01394
•Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs.
01391
•Include technical preparation considerations for backup operations in the continuity plan.
01250
•Establish, implement, and maintain backup procedures for in scope systems.
01258
•Establish and maintain off-site electronic media storage facilities.
00957
•Separate the off-site electronic media storage facilities from the primary facility through geographic separation.
01390
•Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations.
01392
•Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur.
01393
•Review the security of the off-site electronic media storage facilities, as necessary.
00573
•Store backup media at an off-site electronic media storage facility.
01332
•Transport backup media in lockable electronic media storage containers.
01264
•Perform backup procedures for in scope systems.
11692
•Back up all records.
11974
•Encrypt backup data.
00958
•Test backup media for media integrity and information integrity, as necessary.
01401
•Validate information security continuity controls regularly.
12008
•Disseminate and communicate the continuity plan to interested personnel and affected parties.
00760
•Prepare the alternate facility for an emergency offsite relocation.
00744
•Establish, implement, and maintain Service Level Agreements for all alternate facilities.
00745
•Configure the alternate facility to provide at least the minimum operational capability required.
01395
•Protect backup systems and restoration systems at the alternate facility.
04883
•Review the alternate facility preparation procedures.
04884
•Train personnel on the continuity plan.
00759
•Utilize automated mechanisms for more realistic continuity plan training.
01387
•Incorporate simulated events into the continuity plan training.
01402
•Establish, implement, and maintain a business continuity plan testing program.
14829
•Test the continuity plan, as necessary.
00755
•Test the continuity plan under conditions that simulate a disaster or disruption.
00757
•Test the continuity plan at the alternate facility.
01174
•Coordinate testing the continuity plan with all applicable business units and critical business functions.
01388
•Review all third party's continuity plan test results.
01365
•Automate the off-site testing to more thoroughly test the continuity plan.
01389
•Document the continuity plan test results and provide them to interested personnel and affected parties.
06548
•Conduct full recovery and restoration of service testing for high impact systems at the alternate facility.
01404
•Human Resources management
00763
•Establish, implement, and maintain high level operational roles and responsibilities.
00806
•Define and assign the head of Information Security's roles and responsibilities.
06091
•Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program.
13112
•Define and assign the Privacy Officer's roles and responsibilities.
00714
•Define and assign the Chief Security Officer's roles and responsibilities.
06431
•Define and assign workforce roles and responsibilities.
13267
•Identify and define all critical roles.
00777
•Establish, implement, and maintain a personnel management program.
14018
•Establish, implement, and maintain onboarding procedures for new hires.
11760
•Train all new hires, as necessary.
06673
•Establish, implement, and maintain a personnel security program.
10628
•Establish, implement, and maintain security clearance level criteria.
00780
•Establish, implement, and maintain staff position risk designations.
14280
•Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies.
00782
•Perform security skills assessments for all critical employees.
12102
•Establish, implement, and maintain personnel screening procedures.
11700
•Perform a background check during personnel screening.
11758
•Perform personnel screening procedures, as necessary.
11763
•Establish, implement, and maintain security clearance procedures.
00783
•Perform security clearance procedures, as necessary.
06644
•Identify and watch individuals who pose a risk to the organization.
10674
•Establish, implement, and maintain personnel status change and termination procedures.
06549
•Terminate user accounts when notified that an individual is terminated.
11614
•Terminate access rights when notified of a personnel status change or an individual is terminated.
11826
•Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated.
01309
•Notify all interested personnel and affected parties when personnel status changes or an individual is terminated.
06677
•Notify terminated individuals of applicable, legally binding post-employment requirements.
10630
•Enforce the information security responsibilities and duties that remain valid after termination or change of employment.
11992
•Require terminated individuals to sign an acknowledgment of post-employment requirements.
10631
•Establish and maintain the staff structure in line with the strategic plan.
00764
•Assign and staff all roles appropriately.
00784
•Implement segregation of duties in roles and responsibilities.
00774
•Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in-scope staff.
00779
•Establish job categorization criteria, job recruitment criteria, and promotion criteria.
00781
•Train all personnel and third parties, as necessary.
00785
•Establish, implement, and maintain an education methodology.
06671
•Retrain all personnel, as necessary.
01362
•Tailor training to meet published guidance on the subject being taught.
02217
•Tailor training to be taught at each person's level of responsibility.
06674
•Document all training in a training record.
01423
•Use automated mechanisms in the training environment, where appropriate.
06752
•Conduct tests and evaluate training.
06672
•Review the current published guidance and awareness and training programs.
01245
•Establish, implement, and maintain training plans.
00828
•Conduct personal data processing training.
13757
•Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose.
13758
•Establish, implement, and maintain a security awareness program.
11746
•Disseminate and communicate the security awareness program to all interested personnel and affected parties.
00823
•Train all personnel and third parties on how to recognize and report security incidents.
01211
•Require personnel to acknowledge, by signing, that they have read and understand the organization's security policies.
01363
•Conduct secure coding and development training for developers.
06822
•Conduct tampering prevention training.
11875
•Include the mandate to refrain from installing, replacing, or returning any asset absent verification in the tampering prevention training.
11877
•Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training.
11876
•Include how to report tampering and unauthorized substitution in the tampering prevention training.
11879
•Include how to prevent physical tampering in the tampering prevention training.
11878
•Establish, implement, and maintain an occupational health and safety management system.
16201
•Establish, implement, and maintain an occupational health and safety policy.
00716
•Establish, implement, and maintain a travel program for all personnel.
10597
•Issue devices with secure configurations to individuals traveling to locations deemed to be of risk.
10598
•Scan devices for malicious code when an individual returns from locations deemed to be of risk.
10599
•Establish, implement, and maintain a Code of Conduct.
04897
•Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment.
12029
•Implement a sanctions process for personnel who fail to comply with the organizational compliance program.
01442
•Notify designated personnel when a formal personnel sanctions process is initiated.
10632
•Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.
06664
•Establish, implement, and maintain performance reviews.
14777
•Conduct staff performance reviews, as necessary.
07205
•Establish, implement, and maintain an insider threat program.
10687
•Operational management
00805
•Establish, implement, and maintain a capacity management plan.
11751
•Establish, implement, and maintain future system capacity forecasting methods.
01617
•Align critical Information Technology resource availability planning with capacity planning.
01618
•Limit any effects of a Denial of Service attack.
06754
•Utilize resource capacity management controls.
00939
•Perform system capacity testing.
01616
•Manage cloud services.
13144
•Protect clients' hosted environments.
11862
•Establish, implement, and maintain a Governance, Risk, and Compliance framework.
01406
•Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties.
06955
•Acquire resources necessary to support Governance, Risk, and Compliance.
12861
•Assign accountability for maintaining the Governance, Risk, and Compliance framework.
12523
•Assign responsibility for defining the program for disseminating and communicating the Governance, Risk, and Compliance framework.
12524
•Establish, implement, and maintain a positive information control environment.
00813
•Establish, implement, and maintain an internal control framework.
00820
•Measure policy compliance when reviewing the internal control framework.
06442
•Assign ownership of the internal control framework to the appropriate organizational role.
06437
•Assign resources to implement the internal control framework.
00816
•Include procedures for continuous quality improvement in the internal control framework.
00819
•Include vulnerability management and risk assessment in the internal control framework.
13102
•Include personnel security procedures in the internal control framework.
01349
•Include continuous security warning monitoring procedures in the internal control framework.
01358
•Include security information sharing procedures in the internal control framework.
06489
•Share security information with interested personnel and affected parties.
11732
•Include security incident response procedures in the internal control framework.
01359
•Include continuous user account management procedures in the internal control framework.
01360
•Authorize and document all exceptions to the internal control framework.
06781
•Disseminate and communicate the internal control framework to all interested personnel and affected parties.
15229
•Establish, implement, and maintain an information security program.
00812
•Monitor and review the effectiveness of the information security program.
12744
•Establish, implement, and maintain an information security policy.
11740
•Include a commitment to the information security requirements in the information security policy.
13496
•Include information security objectives in the information security policy.
13493
•Approve the information security policy at the organization's management level or higher.
11737
•Assign ownership of the information security program to the appropriate role.
00814
•Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role.
11884
•Assign information security responsibilities to interested personnel and affected parties in the information security program.
11885
•Assign the responsibility for distributing the information security program to the appropriate role.
11883
•Disseminate and communicate the information security policy to interested personnel and affected parties.
11739
•Establish, implement, and maintain a social media governance program.
06536
•Include explicit restrictions in the social media acceptable use policy.
06655
•Establish, implement, and maintain operational control procedures.
00831
•Include assigning and approving operations in operational control procedures.
06382
•Establish, implement, and maintain a Standard Operating Procedures Manual.
00826
•Adhere to operating procedures as defined in the Standard Operating Procedures Manual.
06328
•Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties.
12026
•Establish, implement, and maintain Voice over Internet Protocol operating procedures.
04583
•Establish, implement, and maintain the Acceptable Use Policy.
01350
•Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.
01351
•Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy.
11894
•Include Bring Your Own Device security guidelines in the Acceptable Use Policy.
01352
•Include asset tags in the Acceptable Use Policy.
01354
•Include asset use policies in the Acceptable Use Policy.
01355
•Include authority for access authorization lists for assets in all relevant Acceptable Use Policies.
11872
•Include access control mechanisms in the Acceptable Use Policy.
01353
•Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy.
11892
•Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy.
11893
•Include a removable storage media use policy in the Acceptable Use Policy.
06772
•Correlate the Acceptable Use Policy with the network security policy.
01356
•Include appropriate network locations for each technology in the Acceptable Use Policy.
11881
•Correlate the Acceptable Use Policy with the approved product list.
01357
•Include disciplinary actions in the Acceptable Use Policy.
00296
•Include a software installation policy in the Acceptable Use Policy.
06749
•Document idle session termination and logout for remote access technologies in the Acceptable Use Policy.
12472
•Require interested personnel and affected parties to sign Acceptable Use Policies.
06661
•Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary.
06663
•Establish, implement, and maintain an Intellectual Property Rights program.
00821
•Establish, implement, and maintain Intellectual Property Rights protection procedures.
11512
•Protect policies, standards, and procedures from unauthorized modification or disclosure.
10603
•Establish, implement, and maintain nondisclosure agreements.
04536
•Implement and comply with the Governance, Risk, and Compliance framework.
00818
•Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework.
11747
•Comply with all implemented policies in the organization's compliance framework.
06384
•Review systems for compliance with organizational information security policies.
12004
•Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.
00815
•Establish, implement, and maintain an Asset Management program.
06630
•Establish, implement, and maintain classification schemes for all systems and assets.
01902
•Apply security controls to each level of the information classification standard.
01903
•Establish, implement, and maintain the systems' availability level.
01905
•Classify assets according to the Asset Classification Policy.
07186
•Establish, implement, and maintain an asset inventory.
06631
•Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails.
00689
•Establish, implement, and maintain a hardware asset inventory.
00691
•Include network equipment in the Information Technology inventory.
00693
•Include mobile devices that store restricted data or restricted information in the Information Technology inventory.
04719
•Include interconnected systems and Software as a Service in the Information Technology inventory.
04885
•Include software in the Information Technology inventory.
00692
•Establish and maintain a list of authorized software and versions required for each system.
12093
•Establish, implement, and maintain a storage media inventory.
00694
•Include all electronic storage media containing restricted data or restricted information in the storage media inventory.
00962
•Add inventoried assets to the asset register database, as necessary.
07051
•Identify discrepancies between the asset register database and the Information Technology inventory, as necessary.
07052
•Use automated tools to collect Information Technology inventory information, as necessary.
07054
•Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory.
12110
•Record software license information for each asset in the asset inventory.
11736
•Record the make and model of the device for applicable assets in the asset inventory.
12465
•Record the asset tag for physical assets in the asset inventory.
06632
•Record the operating system version for applicable assets in the asset inventory.
11748
•Record the operating system type for applicable assets in the asset inventory.
06633
•Record the department associated with the asset in the asset inventory.
12084
•Record the physical location for applicable assets in the asset inventory.
06634
•Record the manufacturer's serial number for applicable assets in the asset inventory.
06635
•Record the related business function for applicable assets in the asset inventory.
06636
•Record the Internet Protocol address for applicable assets in the asset inventory.
06638
•Link the software asset inventory to the hardware asset inventory.
12085
•Record the owner for applicable assets in the asset inventory.
06640
•Establish, implement, and maintain a software accountability policy.
00868
•Establish, implement, and maintain software license management procedures.
06639
•Establish, implement, and maintain a system redeployment program.
06276
•Test systems for malicious code before they are redeployed.
06339
•Notify interested personnel and affected parties before a system is redeployed or disposed of.
06400
•Establish, implement, and maintain a system preventive maintenance program.
00885
•Establish and maintain maintenance reports.
11749
•Plan and conduct maintenance so that it does not interfere with scheduled operations.
06389
•Maintain contact with the device manufacturer or component manufacturer for maintenance requests.
06388
•Use system components only when third party support is available.
10644
•Obtain justification for the continued use of system components when third party support is no longer available.
10645
•Control and monitor all maintenance tools.
01432
•Control remote maintenance according to the system's asset classification.
01433
•Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption.
10614
•Approve all remote maintenance sessions.
10615
•Conduct maintenance with authorized personnel.
01434
•Respond to maintenance requests inside the organizationally established time frame.
04878
•Establish and maintain an archive of maintenance reports in a maintenance log.
06202
•Acquire spare parts before maintenance requests are scheduled.
11833
•Perform periodic maintenance according to organizational standards.
01435
•Employ dedicated systems during system maintenance.
12108
•Isolate dedicated systems used for system maintenance from Internet access.
12114
•Dispose of hardware and software at their life cycle end.
06278
•Review each system's operational readiness.
06275
•Establish and maintain an unauthorized software list.
10601
•Establish, implement, and maintain a customer service program.
00846
•Establish, implement, and maintain an Incident Management program.
00853
•Include incident monitoring procedures in the Incident Management program.
01207
•Categorize the incident following an incident response.
13208
•Define and document the criteria to be used in categorizing incidents.
10033
•Determine the incident severity level when assessing the security incidents.
01650
•Identify root causes of incidents that force system changes.
13482
•Respond to and triage when an incident is detected.
06942
•Document the incident and any relevant evidence in the incident report.
08659
•Respond to all alerts from security systems in a timely manner.
06434
•Contain the incident to prevent further loss.
01751
•Isolate compromised systems from the network.
01753
•Assess all incidents to determine what information was accessed.
01226
•Analyze the incident response process following an incident response.
13179
•Share incident information with interested personnel and affected parties.
01212
•Share data loss event information with the media.
01759
•Comply with privacy regulations and civil liberties requirements when sharing data loss event information.
10036
•Report data loss event information to breach notification organizations.
01210
•Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties.
04731
•Remediate security violations according to organizational standards.
12338
•Include data loss event notifications in the Incident Response program.
00364
•Include legal requirements for data loss event notifications in the Incident Response program.
11954
•Notify interested personnel and affected parties of the privacy breach that affects their personal data.
00365
•Delay sending incident response notifications under predetermined conditions.
00804
•Design the text of the notice for all incident response notifications to be no smaller than 10-point type.
•Include information required by law in incident response notifications.
00802
•Title breach notifications "Notice of Data Breach".
12977
•Display titles of incident response notifications clearly and conspicuously.
12986
•Display headings in incident response notifications clearly and conspicuously.
12987
•Design the incident response notification to call attention to its nature and significance.
12984
•Use plain language to write incident response notifications.
12976
•Include directions for changing the user's authenticator or security questions and answers in the breach notification.
12983
•Include a "What Happened" heading in breach notifications.
12978
•Include a general description of the data loss event in incident response notifications.
04734
•Include time information in incident response notifications.
04745
•Include a "What Information Was Involved" heading in the breach notification.
12979
•Include the type of information that was lost in incident response notifications.
04735
•Include a "What We Are Doing" heading in the breach notification.
12982
•Include what the organization has done to enhance data protection controls in incident response notifications.
04736
•Include what the organization is offering or has already done to assist affected parties in incident response notifications.
04737
•Include a "For More Information" heading in breach notifications.
12981
•Include details of the companies and persons involved in incident response notifications.
12295
•Include the credit reporting agencies' contact information in incident response notifications.
04744
•Include whether the notification was delayed due to a law enforcement investigation in incident response notifications.
04746
•Include a "What You Can Do" heading in the breach notification.
12980
•Include how the affected parties can protect themselves from identity theft in incident response notifications.
04738
•Provide enrollment information for identity theft prevention services or identity theft mitigation services.
13767
•Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties.
13766
•Include contact information in incident response notifications.
04739
•Send paper incident response notifications to affected parties, as necessary.
00366
•Determine whether a substitute incident response notification is permitted when notifying affected parties.
00803
•Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data.
00368
•Telephone incident response notifications to affected parties, as necessary.
04650
•Send electronic substitute incident response notifications to affected parties, as necessary.
04747
•Post substitute incident response notifications to the organization's website, as necessary.
04748
•Send substitute incident response notifications to breach notification organizations, as necessary.
04750
•Publish the incident response notification in a general circulation periodical.
04651
•Send electronic incident response notifications to affected parties, as necessary.
00367
•Include incident recovery procedures in the Incident Management program.
01758
•Eradicate the cause of the incident after the incident has been contained.
01757
•Implement security controls for personnel that have accessed information absent authorization.
10611
•Establish, implement, and maintain compromised system reaccreditation procedures.
00592
•Re-image compromised systems with secure builds.
12086
•Analyze security violations in Suspicious Activity Reports.
00591
•Include lessons learned from analyzing security violations in the Incident Management program.
01234
•Update the incident response procedures using the lessons learned.
01233
•Include incident response procedures in the Incident Management program.
01218
•Include after-action analysis procedures in the Incident Management program.
01219
•Include incident reporting procedures in the Incident Management program.
11772
•Establish, implement, and maintain incident reporting time frame standards.
12142
•Establish, implement, and maintain a customer service business function.
00847
•Provide and display incident management contact information to customers.
06386
•Establish, implement, and maintain an Incident Response program.
00579
•Create an incident response report.
12700
•Include corrective action taken to eradicate the incident in the incident response report.
12708
•Analyze and respond to security alerts.
12504
•Establish, implement, and maintain an incident response plan.
12056
•Include incident response team structures in the Incident Response program.
01237
•Include the incident response team member's roles and responsibilities in the Incident Response program.
01652
•Include the incident response point of contact's roles and responsibilities in the Incident Response program.
01877
•Notify interested personnel and affected parties that a security breach was detected.
11788
•Include the customer database owner's roles and responsibilities in the Incident Response program.
01879
•Assign the distribution of security alerts to the appropriate role in the incident response program.
11887
•Assign monitoring and analyzing security alerts, when a security alert is received, to the appropriate role in the incident response program.
11886
•Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program.
12473
•Assign the distribution of incident response procedures to the appropriate role in the incident response program.
12474
•Include personnel contact information in the event of an incident in the Incident Response program.
06385
•Include coverage of all system components in the Incident Response program.
11955
•Prepare for incident response notifications.
00584
•Include incident response team services in the Incident Response program.
11766
•Include the incident response training program in the Incident Response program.
06750
•Incorporate simulated events into the incident response training program.
06751
•Incorporate realistic exercises that are tested into the incident response training program.
06753
•Conduct incident response training.
11889
•Establish, implement, and maintain incident response procedures.
01206
•Include references to industry best practices in the incident response procedures.
11956
•Include responding to alerts from security monitoring systems in the incident response procedures.
11949
•Respond when an integrity violation is detected, as necessary.
10678
•Shut down systems when an integrity violation is detected, as necessary.
10679
•Restart systems when an integrity violation is detected, as necessary.
10680
•Maintain contact with breach notification organizations for notification purposes in the event a privacy breach has occurred.
01213
•Include business continuity procedures in the Incident Response program.
06433
•Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures.
06432
•Establish trust between the incident response team and the end user community during an incident.
01217
•Include business recovery procedures in the Incident Response program.
11774
•Establish, implement, and maintain a digital forensic evidence framework.
08652
•Define the business scenarios that require digital forensic evidence.
08653
•Define the circumstances for collecting digital forensic evidence.
08657
•Conduct forensic investigations in the event of a security compromise.
11951
•Identify potential sources of digital forensic evidence.
08651
•Establish, implement, and maintain a digital forensic evidence collection program.
08655
•Establish, implement, and maintain secure storage and handling of evidence procedures.
08656
•Collect evidence from the incident scene.
02236
•Disseminate and communicate the incident response procedures to all interested personnel and affected parties.
01215
•Test the incident response procedures.
01216
•Establish, implement, and maintain a performance management standard.
01615
•Establish, implement, and maintain rate limits, as necessary.
06883
•Establish, implement, and maintain system capacity monitoring procedures.
01619
•Establish, implement, and maintain system performance monitoring procedures.
11752
•Establish, implement, and maintain a Service Level Agreement framework.
00839
•Include the security mechanisms of network services in the Service Level Agreement.
12023
•Include the management requirements for network services in the Service Level Agreement.
12025
•Include the service levels for network services in the Service Level Agreement.
12024
•Establish, implement, and maintain a cost management program.
13638
•Identify and allocate departmental costs.
00871
•Prepare an Information Technology budget, as necessary.
00872
•Establish, implement, and maintain a change control program.
00886
•Include potential consequences of unintended changes in the change control program.
12243
•Separate the production environment from the development and test environments for the change control process.
11864
•Establish, implement, and maintain a back-out plan.
13623
•Establish, implement, and maintain back-out procedures for each proposed change in a change request.
00373
•Manage change requests.
00887
•Include documentation of the impact level of proposed changes in the change request.
11942
•Document all change requests in change request forms.
06794
•Test proposed changes prior to their approval.
00548
•Examine all changes to ensure they correspond with the change request.
12345
•Approve tested change requests.
11783
•Validate the system before implementing approved changes.
01510
•Disseminate and communicate proposed changes to all interested personnel and affected parties.
06807
•Perform risk assessments prior to approving change requests.
00888
•Implement changes according to the change control program.
11776
•Establish, implement, and maintain a patch management program.
00896
•Implement patch management software, as necessary.
12094
•Include updates and exceptions to hardened images as a part of the patch management program.
12087
•Perform a patch test prior to deploying a patch.
00898
•Deploy software patches in accordance with organizational standards.
07032
•Update computer firmware, as necessary.
11755
•Remove outdated computer firmware after the computer firmware has been updated.
10671
•Implement cryptographic mechanisms to authenticate software and computer firmware before installation.
10682
•Mitigate the adverse effects of unauthorized changes.
12244
•Establish, implement, and maintain approved change acceptance testing procedures.
06391
•Test the system's operational functionality after implementing approved changes.
06294
•Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred.
04541
•Update associated documentation after the system configuration has been changed.
00891
•Establish, implement, and maintain a configuration change log.
08710
•Document approved configuration deviations.
08711
•Introduce randomness into organizational operations and assets.
10650
•Change the locations of processing facilities at random intervals.
10651
•System hardening through configuration management
00860
•Establish, implement, and maintain a Configuration Management program.
00867
•Establish, implement, and maintain configuration control and Configuration Status Accounting.
00863
•Establish, implement, and maintain a configuration management plan.
01901
•Employ the Configuration Management program.
11904
•Test network access controls for proper Configuration Management settings.
01281
•Disseminate and communicate the configuration management program to all interested personnel and affected parties.
11946
•Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities.
02132
•Establish, implement, and maintain a configuration baseline based on the least functionality principle.
00862
•Identify and document the system's Configurable Items.
02133
•Approve each system's Configurable Items (and changes to those Configurable Items).
04887
•Request an acknowledgment from the system owner of the system's configuration.
10602
•Establish, implement, and maintain a system hardening standard.
00876
•Establish, implement, and maintain configuration standards.
11953
•Apply configuration standards to all systems, as necessary.
12503
•Document and justify system hardening standard exceptions.
06845
•Establish, implement, and maintain system hardening procedures.
12001
•Configure session timeout and reauthentication settings according to organizational standards.
12460
•Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards.
04490
•Display an explicit logout message when disconnecting an authenticated communications session.
10093
•Invalidate session identifiers upon session termination.
10649
•Configure the Intrusion Detection System and Intrusion Prevention System in accordance with organizational standards.
04831
•Configure the Intrusion Detection System and the Intrusion Prevention System to detect rogue devices and unauthorized connections.
04837
•Use the latest approved version of all assets.
00897
•Install critical security updates and important security updates in a timely manner.
01696
•Change default configurations, as necessary.
00877
•Reconfigure the encryption keys from their default setting or previous setting.
06079
•Configure the system's booting configuration.
10656
•Configure the system to boot from hardware enforced read-only media.
10657
•Configure Least Functionality and Least Privilege settings to organizational standards.
07599
•Implement hardware-based write-protect for system firmware components.
10659
•Implement procedures to manually disable hardware-based write-protect to change computer firmware.
10660
•Establish, implement, and maintain idle session termination and logout capabilities.
01418
•Configure Simple Network Management Protocol (SNMP) to organizational standards.
12423
•Change the community string for Simple Network Management Protocol, as necessary.
01872
•Configure the system's storage media.
10618
•Configure the system's electronic storage media's encryption settings.
11927
•Prohibit the use of sanitization-resistant media in Information Systems.
10617
•Implement only one application or primary function per network component or server.
00879
•Remove all unnecessary functionality.
00882
•Disable all unnecessary interfaces.
04826
•Enable or disable all unused USB ports as appropriate.
06042
•Disable Autorun.
01790
•Disable all unnecessary applications unless otherwise noted in a policy exception.
04827
•Restrict and control the use of privileged utility programs.
12030
•Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary.
06681
•Disable automatic updates unless automatic updates are absolutely necessary.
01811
•Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards.
05979
•Disable all unnecessary services unless otherwise noted in a policy exception.
00880
•Disable telnet unless telnet use is absolutely necessary.
01478
•Disable any unnecessary scripting languages, as necessary.
12137
•Establish, implement, and maintain the interactive logon settings.
•Configure devices and users to re-authenticate, as necessary.
10609
•Prohibit the use of cached authenticators and credentials after a defined period of time.
10610
•Establish, implement, and maintain authenticators.
15305
•Establish, implement, and maintain an authenticator standard.
01702
•Establish, implement, and maintain an authenticator management system.
12031
•Establish, implement, and maintain authenticator procedures.
12002
•Restrict access to authentication files to authorized personnel, as necessary.
12127
•Configure authenticators to comply with organizational standards.
06412
•Configure the system to require new users to change their authenticator on first use.
05268
•Configure authenticators so that group authenticators or shared authenticators are prohibited.
00519
•Configure the system to prevent unencrypted authenticator use.
04457
•Configure the system to encrypt authenticators.
06735
•Configure the system to mask authenticators.
02037
•Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators.
05992
•Configure the "Minimum password age" to organizational standards.
01703
•Notify affected parties to keep authenticators confidential.
06787
•Change all default authenticators.
15309
•Configure each system's security alerts to organizational standards.
12113
•Configure the system to issue a security alert when an administrator account is created.
12122
•Configure the system security parameters to prevent system misuse or information misappropriation.
00881
•Configure the system to require a password before it unlocks the screen saver software.
04443
•Disable or configure the e-mail server, as necessary.
06563
•Configure e-mail servers to enable receiver-side verification.
12223
•Configure the system account settings and the permission settings in accordance with the organizational standards.
01538
•Configure user accounts.
07036
•Remove unnecessary default accounts.
01539
•Disable or delete shared User IDs.
12478
•Disable or delete generic user IDs.
12479
•Disable all unnecessary user identifiers.
02185
•Configure accounts with administrative privilege.
07033
•Employ multifactor authentication for accounts with administrative privilege.
12496
•Encrypt non-console administrative access.
00883
•Configure the user account expiration date.
07101
•Implement a reference monitor to implement the Access Control policies.
10096
•Configure appropriate Partitioning schemes.
02162
•Establish, implement, and maintain network parameter modification procedures.
01517
•Configure devices to block or avoid outbound connections.
04807
•Configure devices to deny inbound connections.
04805
•Review and restrict network addresses and network protocols.
01518
•Disable wireless access if it is not necessary.
12100
•Configure wireless access to be restricted to authorized wireless networks.
12099
•Enable Network Address Translation or Port Address Translation for internal networks on all network access and control points.
00545
•Disable Bluetooth unless Bluetooth is absolutely necessary.
04476
•Assign or reserve static IP addresses in Dynamic Host Configuration Protocol.
04801
•Configure the amount of idle time required before disconnecting an idle session.
01763
•Configure firewalls in accordance with organizational standards.
01926
•Review and approve the firewall rules, as necessary.
06745
•Create an access control list on Network Access and Control Points to restrict access.
04810
•Configure the Access Control List to restrict connections between untrusted networks and any system that holds restricted data or restricted information.
06077
•Configure the Access Control List (ACL) so that internal network addresses cannot pass from the Internet into the Demilitarized Zone (DMZ).
06421
•Configure the Access Control List so that outbound network traffic from protected subnets can only access IP Addresses inside the Demilitarized Zone.
06422
•Configure wireless communication to be encrypted using strong cryptography.
06078
•Disable feedback on protocol format validation errors.
10646
•Configure the time server in accordance with organizational standards.
06426
•Configure the time server to synchronize with specifically designated hosts.
06427
•Restrict access to time server configuration to personnel with a business need.
06858
•Configure Wireless Access Points in accordance with organizational standards.
12477
•Configure the transmit power for wireless technologies to the lowest level possible.
04593
•Use Wireless Local Area Network Network Interface Cards that turn off or disable Peer-To-Peer Wireless Local Area Network communications.
04594
•Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users.
04595
•Enable an authorized version of Wi-Fi Protected Access.
04832
•Enable or disable all wireless interfaces, as necessary.
05755
•Configure mobile device settings in accordance with organizational standards.
04600
•Enable data-at-rest encryption on mobile devices.
04842
•Configure environmental sensors on mobile devices.
10667
•Prohibit the remote activation of environmental sensors on mobile devices.
10666
•Configure the mobile device to explicitly show when an environmental sensor is in use.
10668
•Configure the environmental sensor to report collected data to designated personnel only.
10669
•Establish, implement, and maintain virtualization configuration settings.
07110
•Execute code in confined virtual machine environments.
10648
•Configure Account settings in accordance with organizational standards.
07603
•Configure the "Account lockout threshold" to organizational standards.
07604
•Configure the "Account lockout duration" to organizational standards.
07771
•Configure system integrity settings to organizational standards.
07605
•Prohibit the use of binary code or machine code from sources with limited or no warranty absent the source code.
10681
•Do not allow processes to execute absent supervision.
10683
•Configure Logging settings in accordance with organizational standards.
07611
•Configure the storage parameters for all logs.
06330
•Configure sufficient log storage capacity and prevent the capacity from being exceeded.
01425
•Configure the security parameters for all logs.
01712
•Configure the log to capture audit log initialization, along with auditable event selection.
00649
•Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc.
06331
•Configure the log to capture the user's identification.
01334
•Configure the log to capture a date and time stamp.
01336
•Configure the log to capture each auditable event's origination.
01338
•Configure the log to uniquely identify each asset.
01339
•Configure the log to capture the type of each event.
06423
•Configure the log to capture each event's success or failure indication.
06424
•Configure all logs to capture auditable events or actionable events.
06332
•Configure the log to capture all malicious code that has been discovered, quarantined, and/or eradicated.
00577
•Configure the log to capture all URL requests.
12138
•Configure the log to capture logons, logouts, logon attempts, and logout attempts.
01915
•Configure system accounting/system events.
01529
•Configure the log to capture access to restricted data or restricted information.
00644
•Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.
00645
•Configure the log to capture identification and authentication mechanism use.
00648
•Configure the log to capture all access to the audit trail.
00646
•Configure the log to capture Object access to key directories or key files.
01697
•Configure the log to capture system level object creation and deletion.
00650
•Configure the log to capture configuration changes.
06881
•Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes.
01698
•Configure the event log settings for specific Operating System functions.
06337
•Enable or disable auditing at boot time, as appropriate.
06031
•Generate an alert when an audit log failure occurs.
06737
•Configure additional log settings.
06333
•Configure the log to send alerts for each auditable event's success or failure.
01337
•Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.
07621
•Configure the "Maximum password age" to organizational standards.
07688
•Configure the "Minimum password length" to organizational standards.
07711
•Configure the "Password must meet complexity requirements" to organizational standards.
07743
•Configure the "Enforce password history" to organizational standards.
07877
•Configure the proxy server to organizational standards.
12115
•Configure the proxy server to log Transmission Control Protocol sessions.
12123
•Configure security and protection software according to organizational standards.
11917
•Configure security and protection software to automatically run at startup.
12443
•Configure security and protection software to check for up-to-date signature files.
00576
•Configure security and protection software to enable automatic updates.
11945
•Configure security and protection software to check e-mail messages.
00578
•Configure security and protection software to check e-mail attachments.
11860
•Configure dedicated systems used for system management according to organizational standards.
12132
•Configure dedicated systems used for system management to prohibit them from composing documents.
12161
•Configure dedicated systems used for system management so they are prohibited from accessing e-mail.
12160
•Configure the Domain Name System in accordance with organizational standards.
12202
•Configure the Domain Name System query logging to organizational standards.
12210
•Configure the secure name/address resolution service (recursive or caching resolver).
01625
•Configure the secure name/address resolution service (authoritative source).
01624
•Configure file integrity monitoring software to organizational standards.
11923
•Configure the file integrity monitoring software to perform critical file comparisons, as necessary.
11924
•Configure systems to protect against unauthorized data mining.
10095
•Implement safeguards to prevent unauthorized code execution.
10686
•Configure network switches to organizational standards.
12120
•Enable Virtual Local Area Networks on network switches, as necessary.
12129
•Establish, implement, and maintain a Configuration Baseline Documentation Record.
02130
•Document and approve any changes to the Configuration Baseline Documentation Record.
12104
•Create a hardened image of the baseline configuration to be used for building new systems.
07063
•Store master images on securely configured servers.
12089
•Update the security configuration of hardened images, as necessary.
12088
•Records management
00902
•Establish, implement, and maintain records management policies.
00903
•Establish, implement, and maintain a record classification scheme.
00914
•Establish, implement, and maintain a records authentication system.
11648
•Associate records with their security attributes.
06764
•Reconfigure the security attributes of records as the information changes.
06765
•Define each system's preservation requirements for records and logs.
00904
•Establish, implement, and maintain a data retention program.
00906
•Select the appropriate format for archived data and records.
06320
•Archive appropriate records, logs, and database tables.
06321
•Determine how long to keep records and logs before disposing of them.
11661
•Retain records in accordance with applicable requirements.
00968
•Establish, implement, and maintain storage media disposition and destruction procedures.
11657
•Sanitize electronic storage media in accordance with organizational standards.
16464
•Sanitize all electronic storage media before disposing of a system or redeploying a system.
01643
•Degauss as a method of sanitizing electronic storage media.
00973
•Destroy electronic storage media following the storage media disposition and destruction procedures.
00970
•Maintain media sanitization equipment in operational condition.
00721
•Define each system's disposition requirements for records and logs.
11651
•Establish, implement, and maintain records disposition procedures.
00971
•Manage the disposition status for all records.
00972
•Remove and/or destroy records according to the records' retention event and retention period schedule.
06621
•Place printed records awaiting destruction into secure containers.
12464
•Destroy printed records so they cannot be reconstructed.
11779
•Automate a programmatic process to remove stored data and records that exceed retention requirements.
06082
•Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures.
11962
•Establish, implement, and maintain records management procedures.
11619
•Establish, implement, and maintain data input and data access authorization tracking.
00920
•Capture the records required by organizational compliance requirements.
00912
•Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity.
04720
•Include record integrity techniques in the records management procedures.
06418
•Control error handling when data is being inputted.
00922
•Establish, implement, and maintain data processing integrity controls.
00923
•Establish, implement, and maintain Automated Data Processing validation checks and editing checks.
00924
•Establish, implement, and maintain Automated Data Processing error handling procedures.
00925
•Establish, implement, and maintain Automated Data Processing error handling reporting.
11659
•Establish, implement, and maintain document security requirements for the output of records.
11656
•Establish, implement, and maintain document handling procedures for paper documents.
00926
•Establish, implement, and maintain electronic storage media management procedures.
00931
•Establish, implement, and maintain security label procedures.
06747
•Label restricted storage media appropriately.
00966
•Label printed output for specific record categories as directed by the organization's information classification standard.
01420
•Establish and maintain access controls for all records.
00371
•Establish, implement, and maintain a records lifecycle management program.
00951
•Establish, implement, and maintain information preservation procedures.
06277
•Implement and maintain backups and duplicate copies of organizational records.
00953
•Establish, implement, and maintain online storage controls.
00942
•Establish, implement, and maintain security controls appropriate to the record types and electronic storage media.
00943
•Store records on non-rewritable, non-erasable storage media formats, as necessary.
00944
•Provide encryption for different types of electronic storage media.
00945
•Implement electronic storage media integrity controls.
00946
•Provide audit trails for all pertinent records.
00372
•Establish, implement, and maintain storage media downgrading procedures.
10619
•Identify electronic storage media that require downgrading.
10620
•Downgrade electronic storage media, as necessary.
10621
•Document all actions taken when downgrading electronic storage media.
10622
•Test the storage media downgrade for correct performance.
10623
•Establish, implement, and maintain document retention procedures.
11660
•Establish, implement, and maintain paper document integrity requirements for the output of records.
00930
•Protect records from loss in accordance with applicable requirements.
12007
•Systems design, build, and implementation
00989
•Establish, implement, and maintain a System Development Life Cycle program.
11823
•Initiate the System Development Life Cycle planning phase.
06266
•Establish, implement, and maintain system design principles and system design guidelines.
01057
•Establish, implement, and maintain a security controls definition document.
01080
•Define and assign the system development project team roles and responsibilities.
01061
•Restrict system architects from being assigned as Administrators.
01064
•Restrict the development team from having access to the production environment.
01066
•Establish, implement, and maintain a system use training plan.
01089
•Train the affected users during system development life cycle projects.
01091
•Establish and maintain System Development Life Cycle documentation.
12079
•Establish, implement, and maintain a system design project management framework.
00990
•Identify system design strategies.
01046
•Establish, implement, and maintain project management standards.
00992
•Perform a risk assessment for each system development project.
01000
•Separate the design and development environment from the production environment.
06088
•Specify appropriate tools for the system development project.
06830
•Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.
06267
•Develop systems in accordance with the system design specifications and system design standards.
01094
•Establish, implement, and maintain outsourced development procedures.
01141
•Supervise and monitor outsourced development projects.
01096
•Develop new products based on best practices.
01095
•Establish, implement, and maintain a system design specification.
04557
•Document the system architecture in the system design specification.
12287
•Include a description of each module and asset in the system design specification.
11734
•Include security requirements in the system design specification.
06826
•Establish, implement, and maintain access control procedures for the test environment that match those of the production environment.
06793
•Include anti-tamper technologies and anti-tamper techniques in the system design specification.
10639
•Establish, implement, and maintain identification card or badge architectural designs.
06591
•Include measurable system performance requirements in the system design specification.
08667
•Implement security controls when developing systems.
06270
•Establish, implement, and maintain session security coding standards.
04584
•Establish and maintain a cryptographic architecture document.
12476
•Include the algorithms used in the cryptographic architecture document.
12483
•Include an inventory of all protected areas in the cryptographic architecture document.
12486
•Include a description of the key usage for each key in the cryptographic architecture document.
12484
•Include descriptions of all cryptographic keys in the cryptographic architecture document.
12487
•Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document.
12488
•Include each cryptographic key's expiration date in the cryptographic architecture document.
12489
•Include the protocols used in the cryptographic architecture document.
12485
•Analyze and minimize attack surfaces when developing systems.
06828
•Follow security design requirements when developing systems.
06827
•Use randomly generated session identifiers.
07074
•Establish, implement, and maintain a system implementation representation document.
04558
•Design the security architecture.
06269
•Limit the embedding of data types inside other data types.
06759
•Protect system libraries.
01097
•Conduct a design review at each milestone or quality gate.
01087
•Perform source code analysis at each milestone or quality gate.
06832
•Establish and maintain system security documentation.
06271
•Document the procedures and environment used to create the system or software.
06609
•Establish and maintain access rights to source code based upon least privilege.
06962
•Develop new products based on secure coding techniques.
11733
•Establish and maintain a coding manual for secure coding techniques.
11863
•Protect applications from improper access control through secure coding techniques in source code.
11959
•Protect applications from improper error handling through secure coding techniques in source code.
11937
•Protect applications from insecure communications through secure coding techniques in source code.
11936
•Protect applications from injection flaws through secure coding techniques in source code.
11944
•Control user account management through secure coding techniques in source code.
11909
•Restrict direct access of databases to the database administrator through secure coding techniques in source code.
11933
•Protect applications from buffer overflows through secure coding techniques in source code.
11943
•Protect applications from cross-site scripting through secure coding techniques in source code.
11899
•Protect against coding vulnerabilities through secure coding techniques in source code.
11897
•Protect applications from broken authentication and session management through secure coding techniques in source code.
11896
•Protect applications from insecure cryptographic storage through secure coding techniques in source code.
11935
•Protect applications from cross-site request forgery through secure coding techniques in source code.
11895
•Refrain from displaying error messages to end users through secure coding techniques in source code.
12166
•Address known coding vulnerabilities as a part of secure coding techniques.
12493
•Include all confidentiality, integrity, and availability functions in the system design specification.
04556
•Establish, implement, and maintain a security policy model document.
04560
•Establish and maintain the overall system development project management roles and responsibilities.
00991
•Assign the role of information security management as a part of developing systems.
06823
•Perform Quality Management on all newly developed or modified systems.
01100
•Evaluate system development projects for compliance with the system requirements specifications.
06903
•Establish, implement, and maintain a system testing policy.
01102
•Configure the test environment similar to the production environment.
06837
•Establish, implement, and maintain system testing procedures.
11744
•Restrict production data from being used in the test environment.
01103
•Protect test data in the development environment.
12014
•Control the test data used in the development environment.
12013
•Select the test data carefully.
12011
•Test all software changes before promoting the system to a production environment.
01106
•Test security functionality during the development process.
12015
•Review and test custom code to identify potential coding vulnerabilities.
01316
•Assign the review of custom code changes to individuals other than the code author.
06291
•Correct code anomalies and code deficiencies in custom code and retest before release.
06292
•Approve all custom code test results before code is released.
06293
•Develop the system in a timely and cost-effective manner.
06908
•Change the scope, definition, and work breakdown of the system development project after corrective actions are taken.
06910
•Initiate the System Development Life Cycle implementation phase.
06268
•Establish, implement, and maintain a system implementation standard.
01111
•Establish, implement, and maintain system implementation procedures to ensure product conformity.
06617
•Manage the system implementation process.
01115
•Establish, implement, and maintain procedures for promoting the system to a production environment.
01119
•Remove test accounts prior to promoting the system to a production environment.
12495
•Remove test data prior to promoting the system to a production environment.
12494
•Approve and authorize the newly implemented system.
06274
•Archive release records related to the newly implemented system.
06834
•Develop and maintain an operating strategy for newly implemented systems.
06932
•Establish and maintain end user support communications.
06615
•Acquisition or sale of facilities, technology, and services
01123
•Establish, implement, and maintain payment and settlement functions for selling products and services.
13538
•Establish, implement, and maintain an electronic commerce program.
08617
•Establish, implement, and maintain payment transaction security measures.
13088
•Protect the integrity of application service transactions.
12017
•Plan for acquiring facilities, technology, or services.
06892
•Allocate sufficient resources to protect Information Systems during capital planning.
01444
•Establish, implement, and maintain system acquisition contracts.
14758
•Include security requirements in system acquisition contracts.
01124
•Obtain system documentation before acquiring products and services.
01445
•Provide a Configuration Management plan by the Information System developer for all newly acquired assets.
01446
•Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets.
01447
•Conduct an acquisition feasibility study prior to acquiring assets.
01129
•Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study.
01135
•Establish, implement, and maintain a product and services acquisition strategy.
01133
•Establish, implement, and maintain a product and services acquisition program.
01136
•Prohibit the use of Personal Electronic Devices, absent approval.
04599
•Acquire products or services.
11450
•Discourage the modification of vendor-supplied software.
12016
•Establish, implement, and maintain an anti-counterfeit program for acquiring new systems.
10641
•Establish, implement, and maintain anti-counterfeit procedures.
11498
•Scan for potential counterfeit parts and potential counterfeit components.
10643
•Create and distribute a counterfeit product report.
10642
•Establish, implement, and maintain facilities, assets, and services acceptance procedures.
01144
•Test new hardware or upgraded hardware and software for implementation of security controls.
06743
•Test new software or upgraded software for security vulnerabilities.
01898
•Test new hardware or upgraded hardware for security vulnerabilities.
01899
•Establish, implement, and maintain a consumer complaint management program.
04570
•Establish, implement, and maintain consumer complaint escalation procedures.
07208
•Privacy protection for information and data
00008
•Establish, implement, and maintain a privacy framework that protects restricted data.
11850
•Establish, implement, and maintain a personal data transparency program.
00375
•Establish and maintain privacy notices, as necessary.
13443
•Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice.
13503
•Include the right to opt out of personal data disclosure in the privacy notice.
13460
•Include instructions on how to opt out of personal data disclosure in the privacy notice.
13461
•Notify data subjects about the organization's external requirements relevant to the privacy program.
12354
•Notify data subjects about their privacy rights.
12989
•Establish, implement, and maintain adequate openness procedures.
00377
•Publish a description of processing activities in an official register.
00379
•Establish and maintain a records request manual.
00381
•Register with public bodies and notify the Data Commissioner before processing personal data.
00383
•Provide the data subject with the name, title, and address of the individual accountable for the organizational policies.
00394
•Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes.
00398
•Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
00393
•Provide the data subject with the means of gaining access to personal data held by the organization.
00396
•Provide the data subject with the data protection officer's contact information.
12573
•Inform the data subject of what personal data is made available to related organizations or subsidiaries.
00399
•Establish and maintain a disclosure accounting record.
13022
•Include what information was disclosed and to whom in the disclosure accounting record.
04680
•Include the disclosure date in the disclosure accounting record.
07133
•Include the disclosure recipient in the disclosure accounting record.
07134
•Include the disclosure purpose in the disclosure accounting record.
07135
•Establish, implement, and maintain a privacy policy.
06281
•Define what is included in the privacy policy.
00404
•Include in the privacy policy the other organizations to which personal data is disclosed.
00409
•Include how to gain access to personal data held by the organization in the privacy policy.
00410
•Post the privacy policy in an easily seen location.
00401
•Establish, implement, and maintain a personal data accountability program.
13432
•Require data controllers to be accountable for their actions.
00470
•Notify the supervisory authority.
00472
•Establish, implement, and maintain a personal data use limitation program.
13428
•Establish, implement, and maintain a personal data use purpose specification.
00093
•Display or print the least amount of personal data necessary.
04643
•Notify the data subject of the collection purpose.
00095
•Refrain from using restricted data collected for research and statistics for other purposes.
00096
•Document the law that requires restricted data to be collected.
00103
•Notify the data subject of the consequences for not providing personal data.
00104
•Obtain the data subject's consent when the personal data use changes.
11832
•Dispose of media and restricted data in a timely manner.
00125
•Establish, implement, and maintain data access procedures.
00414
•Provide individuals with information about disclosure of their personal data.
00417
•Respond to data access requests in a timely manner.
00421
•Establish, implement, and maintain restricted data use limitation procedures.
00128
•Notify the data subject after personal data is used or disclosed.
06247
•Refrain from disclosing personal data absent consent of the individual or for defined exceptions.
11967
•Establish, implement, and maintain restricted data retention procedures.
00167
•Establish, implement, and maintain personal data disposition procedures.
13498
•Remove personal data from records after receiving a personal data removal request.
11972
•Establish, implement, and maintain data disclosure procedures.
00133
•Disseminate and communicate personal data to the individual that it relates to.
00428
•Provide data at a cost that is not excessive.
00430
•Establish, implement, and maintain a personal data collection program.
06487
•Establish, implement, and maintain personal data collection limitation boundaries.
00507
•Obtain the data subject's consent and acknowledgment before collecting data.
00012
•Document each individual's personal data collection consent preferences.
06945
•Establish and maintain a personal data definition.
00028
•Include an individual's name in the personal data definition.
04710
•Include an individual's name combined with other personal data in the personal data definition.
04709
•Include an individual's electronic identification name or number in the personal data definition.
04694
•Include an individual's driver's license number or an individual's state identification card number in the personal data definition.
04691
•Include an individual's Social Security Number or Personal Identification Number in the personal data definition.
04690
•Include an individual's payment card information in the personal data definition.
04751
•Include an individual's Individually Identifiable Health Information in the personal data definition.
04700
•Include an individual's medical history in the personal data definition.
04701
•Include an individual's medical treatment in the personal data definition.
04702
•Include an individual's medical diagnosis in the personal data definition.
04703
•Include an individual's mental condition or an individual's physical condition in the personal data definition.
04704
•Include an individual's health insurance information in the personal data definition.
04705
•Include an individual's health insurance policy number in the personal data definition.
04706
•Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition.
04707
•Refrain from including publicly available information in the personal data definition.
13084
•Establish, implement, and maintain a personal data collection policy.
00029
•Collect personal data directly from the data subject.
00011
•Collect the minimum amount of restricted data necessary.
00078
•Collect and record restricted data for specific, explicit, and legitimate purposes.
00027
•Provide the data subject with information about the data controller during the collection process.
00023
•Disseminate and communicate the data collector's name and contact information to all interested personnel.
13760
•Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data.
00026
•Establish, implement, and maintain a data handling program.
13427
•Establish, implement, and maintain data handling policies.
00353
•Establish, implement, and maintain data and information confidentiality policies.
00361
•Prohibit personal data from being sent by e-mail or instant messaging.
00565
•Protect electronic messaging information.
12022
•Establish, implement, and maintain record structures to support information confidentiality.
00360
•Include passwords, Personal Identification Numbers, and card security codes in the personal data definition.
04699
•Refrain from storing data elements containing payment card full magnetic stripe data.
04757
•Refrain from storing data elements containing sensitive authentication data after authorization is approved.
04758
•Render unrecoverable sensitive authentication data after authorization is approved.
11952
•Encrypt, truncate, or tokenize data fields, as necessary.
06850
•Limit data leakage.
00356
•Conduct personal data risk assessments.
00357
•Search the Internet for evidence of data leakage.
10419
•Review monitored websites for data leakage.
10593
•Establish, implement, and maintain de-identifying and re-identifying procedures.
07126
•Establish, implement, and maintain data handling procedures.
11756
•Define personal data that falls under breach notification rules.
00800
•Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules.
04662
•Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules.
04657
•Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules.
04658
•Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules.
04660
•Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules.
04752
•Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules.
04661
•Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules.
04673
•Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules.
04674
•Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules.
04675
•Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules.
04676
•Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules.
04682
•Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules.
04681
•Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules.
04683
•Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules.
04684
•Define an out-of-scope privacy breach.
04677
•Include personal data that is publicly available information as an out-of-scope privacy breach.
04678
•Establish, implement, and maintain a personal data transfer program.
00307
•Include procedures for transferring personal data to third parties in the personal data transfer program.
00333
•Require transferees to implement adequate data protection levels for the personal data.
00335
•Develop remedies and sanctions for privacy policy violations.
00474
•Change or destroy any personal data that is incorrect.
00462
•Notify the data subject of changes made to personal data as the result of a dispute.
00463
•Establish, implement, and maintain a privacy dispute resolution program.
12526
•Provide the data subject with the name, title, and address to whom complaints are forwarded.
00395
•Notify individuals of their right to challenge personal data.
00457
•Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections.
00467
•Establish, implement, and maintain a Customer Information Management program.
00084
•Establish, implement, and maintain customer data authentication procedures.
13187
•Check the accuracy of restricted data.
00088
•Record restricted data correctly.
00089
•Check that restricted data is complete.
00090
•Keep restricted data up-to-date and valid.
00091
•Harmonization Methods and Manual of Style
06095
•Establish, implement, and maintain organizational documents.
16202
•Organize all compliance documents.
06096
•Organize all compliance documents to fit the message.
06097
•Define the structure for compliance documents and governance documents.
06111
•Third Party and supply chain oversight
08807
•Establish, implement, and maintain a supply chain management program.
11742
•Formalize client and third party relationships with contracts or nondisclosure agreements.
00794
•Establish, implement, and maintain information flow agreements with all third parties.
04543
•Include a description of the data or information to be covered in third party contracts.
06510
•Include text about access, use, disclosure, and transfer of data or information in third party contracts.
11610
•Include text that organizations must meet organizational compliance requirements in third party contracts.
06506
•Include compliance with the organization's access policy as a requirement in third party contracts.
06507
•Include compliance with the organization's privacy policy in third party contracts.
06518
•Include change control clauses in third party contracts, as necessary.
06523
•Include third party requirements for personnel security in third party contracts.
00790
•Establish, implement, and maintain third party transaction authentication procedures.
00791
•Include third party acknowledgment of their data protection responsibilities in third party contracts.
01364
•Include auditing third party security controls and compliance controls in third party contracts.
01366
•Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data.
04264
•Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements.
06087
•Document the organization's supply chain in the supply chain management program.
09958
•Establish and maintain a Third Party Service Provider list.
12480
•Include the services provided by each supplier in the Third Party Service Provider list.
12481
•Document supply chain transactions in the supply chain management program.
08857
•Document the supply chain's critical paths in the supply chain management program.
10032
•Establish, implement, and maintain Service Level Agreements with the organization's supply chain.
00838
•Approve all Service Level Agreements.
00843
•Categorize all suppliers in the supply chain management program.
00792
•Include risk management procedures in the supply chain management policy.
08811
•Perform risk assessments of third parties, as necessary.
06454
•Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report.
10029
•Establish, implement, and maintain a supply chain management policy.
08808
•Include the third party selection process in the supply chain management policy.
13132
•Select suppliers based on their qualifications.
00795
•Include a clear management process in the supply chain management policy.
08810
•Use third parties that are compliant with the applicable requirements.
08818
•Conduct all parts of the supply chain due diligence process.
08854
•Include a provision in outsourcing contracts that requires supply chain members' security requirements to comply with organizational security requirements.
00359
•Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information.
13353
•Assess third parties' compliance environment during due diligence.
13134
•Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members.
11888
•Request attestation of compliance from third parties.
12067
•Document the third parties' compliance with the organization's system hardening framework.
04263
•Validate the third parties' compliance to organizationally mandated compliance requirements.
08819
•Assess the effectiveness of third party services provided to the organization.
13142
•Monitor third parties for performance and effectiveness, as necessary.
00799
•Review the supply chain's service delivery on a regular basis.
12010
•Establish, implement, and maintain a product inventory.
08955
•Include a unique reference identifier on products for sale.