•Establish, implement, and maintain a reporting methodology program. (02072)
•Establish, implement, and maintain communication protocols. (12245)
•Use secure communication protocols for telecommunications. (16458)
•Include disseminating and communicating undesirable conduct in communication protocols. (12802)
•Report to management and stakeholders on the findings and information gathered from all types of inquiries. (12797)
•Establish, implement, and maintain alert procedures. (12406)
•Include the capturing and alerting of compliance violations in the notification system. (12962)
•Establish, implement, and maintain an internal reporting program. (12409)
•Establish, implement, and maintain an external reporting program. (12876)
•Include reporting to governing bodies in the external reporting plan. (12923)
•Analyze organizational objectives, functions, and activities. (00598)
•Analyze the business environment in which the organization operates. (12798)
•Align assets with business functions and the business environment. (13681)
•Identify all interested personnel and affected parties. (12845)
•Establish, implement, and maintain an information classification standard. (00601)
•Establish, implement, and maintain an Information and Infrastructure Architecture model. (00599)
•Involve all stakeholders in the architecture review process. (16935)
•Monitor regulatory trends to maintain compliance. (00604)
•Monitor for new Information Security solutions. (07078)
•Subscribe to a threat intelligence service to receive notification of emerging threats. (12135)
•Establish, implement, and maintain a Quality Management framework. (07196)
•Enforce a continuous Quality Control system. (01005)
•Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. (01008)
•Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. (01241)
•Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. (00688)
•Establish, implement, and maintain a policy and procedure management program. (06285)
•Establish and maintain an Authority Document list. (07113)
•Document organizational procedures that harmonize external requirements, including all legal requirements. (00623)
•Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. (01636)
•Disseminate and communicate the organization's policies, standards, and procedures to all interested personnel and affected parties. (12901)
•Classify controls according to their preventive, detective, or corrective status. (06436)
•Approve all compliance documents. (06286)
•Assign the appropriate roles to all applicable compliance documents. (06284)
•Establish, implement, and maintain a compliance exception standard. (01628)
•Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. (01631)
•Review the compliance exceptions in the exceptions document, as necessary. (01632)
•Include when exemptions expire in the compliance exception standard. (14330)
•Assign the approval of compliance exceptions to the appropriate roles inside the organization. (06443)
•Disseminate and communicate compliance exceptions to interested personnel and affected parties. (16945)
•Disseminate and communicate compliance documents to all interested personnel and affected parties. (06282)
•Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. (06283)
•Define the Information Assurance strategic roles and responsibilities. (00608)
•Establish and maintain a compliance oversight committee. (00765)
•Assign the review of Information Technology policies and procedures to the compliance oversight committee. (01179)
•Involve the Board of Directors or senior management in Information Governance. (00609)
•Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. (12058)
•Establish, implement, and maintain a strategic plan. (12784)
•Determine progress toward the objectives of the strategic plan. (12944)
•Establish, implement, and maintain a decision management strategy. (06913)
•Include cost benefit analysis in the decision management strategy. (14014)
•Establish, implement, and maintain an information technology process framework. (13648)
•Establish, implement, and maintain a Strategic Information Technology Plan. (00628)
•Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. (00631)
•Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. (00632)
•Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. (01609)
•Establish, implement, and maintain Information Technology project plans. (16944)
•Submit closure reports at the conclusion of each information technology project. (16948)
•Review and approve the closure report. (16947)
•Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. (06497)
•Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. (13673)
•Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. (00633)
•Monitor and evaluate the implementation and effectiveness of Information Technology Plans. (00634)
•Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. (06839)
•Review and approve the Strategic Information Technology Plan. (13094)
•Monitoring and measurement (00636)
•Monitor the usage and capacity of critical assets. (14825)
•Monitor the usage and capacity of Information Technology assets. (00668)
•Notify the interested personnel and affected parties before the storage unit reaches maximum capacity. (06773)
•Monitor systems for errors and faults. (04544)
•Compare system performance metrics to organizational standards and industry benchmarks. (00667)
•Establish, implement, and maintain Security Control System monitoring and reporting procedures. (12506)
•Establish, implement, and maintain logging and monitoring operations. (00637)
•Establish, implement, and maintain an audit and accountability policy. (14035)
•Include coordination amongst entities in the audit and accountability policy. (14102)
•Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. (06312)
•Establish, implement, and maintain intrusion management operations. (00580)
•Establish, implement, and maintain an intrusion detection and prevention policy. (15169)
•Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. (00581)
•Monitor systems for inappropriate usage and other security violations. (00585)
•Monitor systems for access to restricted data or restricted information. (04721)
•Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. (06430)
•Monitor systems for unauthorized mobile code. (10034)
•Update the intrusion detection capabilities and the incident response capabilities regularly. (04653)
•Define and assign log management roles and responsibilities. (06311)
•Document and communicate the log locations to the owning entity. (12047)
•Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. (00638)
•Establish, implement, and maintain an event logging policy. (15217)
•Establish, implement, and maintain event logging procedures. (01335)
•Include the system components that generate audit records in the event logging procedures. (16426)
•Include a standard to collect and interpret event logs in the event logging procedures. (00643)
•Supply each in scope asset with audit reduction tools and report generation capabilities to support after-the-fact investigations without altering the event logs. (01427)
•Compile the event logs of multiple components into a system-wide time-correlated audit trail. (01424)
•Establish, implement, and maintain log analysis tools. (17056)
•Review and update event logs and audit logs, as necessary. (00596)
•Eliminate false positives in event logs and audit logs. (07047)
•Follow up exceptions and anomalies identified when reviewing logs. (11925)
•Document the event information to be logged in the event information log specification. (00639)
•Enable logging for all systems that meet traceability criteria. (00640)
•Enable and configure logging on network access controls in accordance with organizational standards. (01963)
•Analyze firewall logs for the correct capturing of data. (00549)
•Synchronize system clocks to an accurate and universal time source on all devices. (01340)
•Define the frequency to capture and log events. (06313)
•Review and update the list of auditable events in the event logging procedures. (10097)
•Monitor and evaluate system performance. (00651)
•Monitor for suspicious activities and react when they are detected. (00586)
•Establish, implement, and maintain network monitoring operations. (16444)
•Establish, implement, and maintain a continuous monitoring program for configuration management. (06757)
•Include the correlation and analysis of information obtained during testing in the continuous monitoring program. (14250)
•Establish, implement, and maintain an automated configuration monitoring system. (07058)
•Monitor for and report when a software configuration is updated. (06746)
•Implement file integrity monitoring. (01205)
•Identify unauthorized modifications during file integrity monitoring. (12096)
•Monitor for software configuration updates absent authorization. (10676)
•Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. (12045)
•Monitor and evaluate user account activity. (07066)
•Develop and maintain a usage profile for each user account. (07067)
•Establish, implement, and maintain a risk monitoring program. (00658)
•Monitor the organization's exposure to threats, as necessary. (06494)
•Monitor and evaluate environmental threats. (13481)
•Establish, implement, and maintain a system security plan. (01922)
•Include a description of the operational context in the system security plan. (14301)
•Include the security requirements in the system security plan. (14274)
•Include cryptographic key management procedures in the system security plan. (17029)
•Include network diagrams in the system security plan. (14273)
•Include roles and responsibilities in the system security plan. (14682)
•Include backup and recovery procedures in the system security plan. (17043)
•Include remote access methods in the system security plan. (16441)
•Disseminate and communicate the system security plan to interested personnel and affected parties. (14275)
•Include a description of the operational environment in the system security plan. (14272)
•Include security controls in the system security plan. (14239)
•Create specific test plans to test each system component. (00661)
•Include the roles and responsibilities in the test plan. (14299)
•Include the assessment environment in the test plan. (14271)
•Validate all testing assumptions in the test plans. (00663)
•Determine the appropriate assessment method for each testing process in the test plan. (00665)
•Implement automated audit tools. (04882)
•Establish, implement, and maintain a testing program. (00654)
•Test security systems and associated security procedures, as necessary. (11901)
•Enable security controls that were disabled in order to conduct testing. (17031)
•Disable dedicated accounts after testing is complete. (17033)
•Test the in scope system in accordance with its intended purpose. (14961)
•Notify interested personnel and affected parties prior to performing testing. (17034)
•Scan organizational networks for rogue devices. (00536)
•Scan the network for wireless access points. (00370)
•Scan wireless networks for rogue devices. (11623)
•Deny network access to rogue devices until network access approval has been received. (11852)
•Isolate rogue devices after a rogue device has been detected. (07061)
•Establish, implement, and maintain a penetration test program. (01105)
•Perform penetration tests, as necessary. (00655)
•Test the system for insecure communications. (00535)
•Test the system for cross-site scripting attacks. (01321)
•Test the system for buffer overflows. (01322)
•Test the system for injection flaws. (01323)
•Establish, implement, and maintain a vulnerability management program. (15721)
•Establish, implement, and maintain a vulnerability assessment program. (11636)
•Perform vulnerability scans, as necessary. (11637)
•Conduct scanning activities in a test environment. (17036)
•Repeat vulnerability scanning, as necessary. (11646)
•Identify and document security vulnerabilities. (11857)
•Record the vulnerability scanning activity in the vulnerability scan report. (12097)
•Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. (16418)
•Correlate vulnerability scan reports from the various systems. (10636)
•Implement scanning tools, as necessary. (14282)
•Update the vulnerability scanners' vulnerability list. (10634)
•Perform external vulnerability scans, as necessary. (11624)
•Employ an approved third party to perform external vulnerability scans on the organization's systems. (12467)
•Perform vulnerability assessments, as necessary. (11828)
•Perform penetration tests and vulnerability scans in concert, as necessary. (12111)
•Test in scope systems for compliance with the Configuration Baseline Documentation Record. (12130)
•Document and maintain test results. (17028)
•Recommend mitigation techniques based on vulnerability scan reports. (11639)
•Correct or mitigate vulnerabilities. (12497)
•Establish, implement, and maintain a compliance monitoring policy. (00671)
•Establish, implement, and maintain a metrics policy. (01654)
•Establish, implement, and maintain an approach for compliance monitoring. (01653)
•Monitor personnel and third parties for compliance to the organizational compliance framework. (04726)
•Carry out disciplinary actions when a compliance violation is detected. (06675)
•Establish, implement, and maintain a technical measurement metrics policy. (01655)
•Establish, implement, and maintain a Configuration Management metrics program. (02077)
•Establish, implement, and maintain a Security Information and Event Management metrics program. (02078)
•Establish, implement, and maintain an incident management and vulnerability management metrics program. (02085)
•Report on the estimated damage or loss resulting from all security incidents. (01674)
•Establish, implement, and maintain a log management program. (00673)
•Include transfer procedures in the log management program. (17077)
•Deploy log normalization tools, as necessary. (12141)
•Restrict access to logs to authorized individuals. (01342)
•Back up logs according to backup procedures. (01344)
•Copy logs from all predefined hosts onto a log management infrastructure. (01346)
•Protect logs from unauthorized activity. (01345)
•Archive the audit trail in accordance with compliance requirements. (00674)
•Establish, implement, and maintain security reports. (16882)
•Disseminate and communicate the security report to interested personnel and affected parties. (16888)
•Establish, implement, and maintain a corrective action plan. (00675)
•Include actions taken to resolve issues in the corrective action plan. (16884)
•Disseminate and communicate the corrective action plan to interested personnel and affected parties. (16883)
•Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. (00676)
•Report actions taken on known security issues to interested personnel and affected parties on a regular basis. (12330)
•Report known security issues to interested personnel and affected parties on a regular basis. (12329)
•Protect against misusing automated audit tools. (04547)
•Audits and risk management (00677)
•Establish, implement, and maintain a Statement of Compliance. (12499)
•Publish a Statement of Compliance for the organization's external requirements. (12350)
•Define the roles and responsibilities for personnel assigned to tasks in the Audit function. (00678)
•Define and assign the internal audit manager's roles and responsibilities. (00680)
•Report audit findings to interested personnel and affected parties. (01152)
•Establish, implement, and maintain an audit program. (00684)
•Accept the attestation engagement when all preconditions are met. (13933)
•Audit in scope audit items and compliance documents. (06730)
•Audit policies, standards, and procedures. (12927)
•Audit information systems, as necessary. (13010)
•Determine if the audit assertion's in scope controls are reasonable. (06980)
•Document test plans for auditing in scope controls. (06985)
•Determine the effectiveness of in scope controls. (06984)
•Review incident management audit logs to determine the effectiveness of in scope controls. (12157)
•Provide auditors access to all in scope records, in scope assets, personnel, and in scope procedures. (06966)
•Establish, implement, and maintain a risk management program. (12051)
•Include the scope of risk management activities in the risk management program. (13658)
•Integrate the risk management program into daily business decision-making. (13659)
•Establish, implement, and maintain the risk assessment framework. (00685)
•Establish, implement, and maintain a risk assessment program. (00687)
•Include the information flow of restricted data in the risk assessment program. (12339)
•Establish, implement, and maintain a financial plan to support the risk management strategy. (12786)
•Address cybersecurity risks in the risk assessment program. (13193)
•Establish, implement, and maintain Data Protection Impact Assessments. (14830)
•Include a Data Protection Impact Assessment in the risk assessment program. (12630)
•Establish, implement, and maintain a risk assessment policy. (14026)
•Include coordination amongst entities in the risk assessment policy. (14120)
•Establish, implement, and maintain risk assessment procedures. (06446)
•Establish, implement, and maintain a threat and risk classification scheme. (07183)
•Include security threats and vulnerabilities in the threat and risk classification scheme. (00699)
•Include risks to critical personnel and assets in the threat and risk classification scheme. (00698)
•Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. (01173)
•Perform risk assessments for all target environments, as necessary. (06452)
•Approve the results of the risk assessment as documented in the risk assessment report. (07109)
•Update the risk assessment upon changes to the risk profile. (11627)
•Create a risk assessment report based on the risk assessment results. (15695)
•Establish, implement, and maintain a risk assessment awareness and training program. (06453)
•Disseminate and communicate information about risks to all interested personnel and affected parties. (06718)
•Correlate the business impact of identified risks in the risk assessment report. (00686)
•Conduct a Business Impact Analysis, as necessary. (01147)
•Include tolerance to downtime in the Business Impact Analysis report. (01172)
•Analyze and quantify the risks to in scope systems and information. (00701)
•Establish and maintain a Risk Scoping and Measurement Definitions Document. (00703)
•Identify the material risks in the risk assessment report. (06482)
•Assess the potential level of business impact risk associated with business information of in scope systems. (06465)
•Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. (06466)
•Assess the potential level of business impact risk associated with natural disasters. (06470)
•Assess the potential level of business impact risk associated with control weaknesses. (06471)
•Establish a risk acceptance level that is appropriate to the organization's risk appetite. (00706)
•Select the appropriate risk treatment option for each identified risk in the risk register. (06483)
•Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. (00704)
•Prioritize and select controls based on the risk assessment findings. (00707)
•Prioritize and categorize the effects of opportunities, threats, and requirements on control activities. (12822)
•Determine the effectiveness of risk control measures. (06601)
•Develop key indicators to inform management on the effectiveness of risk control measures. (12946)
•Establish, implement, and maintain a risk treatment plan. (11983)
•Include roles and responsibilities in the risk treatment plan. (16991)
•Include time information in the risk treatment plan. (16993)
•Include allocation of resources in the risk treatment plan. (16989)
•Identify the planned actions and controls that address high risk in the risk treatment plan. (12835)
•Include the risk treatment strategy in the risk treatment plan. (12159)
•Include requirements for monitoring and reporting in the risk treatment plan, as necessary. (13620)
•Include risk assessment results in the risk treatment plan. (11978)
•Integrate the corrective action plan based on the risk assessment findings with other risk management activities. (06457)
•Document and communicate a corrective action plan based on the risk assessment findings. (00705)
•Document residual risk in a residual risk report. (13664)
•Technical security (00508)
•Establish, implement, and maintain an access classification scheme. (00509)
•Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. (00510)
•Establish, implement, and maintain security classifications for organizational assets. (00005)
•Establish the criticality of the network and systems. (00006)
•Review connection requirements for all systems. (06411)
•Establish, implement, and maintain a digital identity management program. (13713)
•Establish, implement, and maintain digital identification procedures. (13714)
•Implement digital identification processes. (13731)
•Implement identity proofing processes. (13719)
•Validate proof of identity during the identity proofing process. (13756)
•Conduct in-person proofing with physical interactions. (13775)
•Establish, implement, and maintain federated identity systems. (13837)
•Authenticate all systems in a federated identity system. (13835)
•Send and receive authentication assertions, as necessary. (13839)
•Validate each element within the authentication assertion. (13853)
•Validate the digital signature in the authentication assertion. (13869)
•Establish, implement, and maintain an access control program. (11702)
•Include guidance for how users should protect their authentication credentials in the access control program. (11929)
•Include guidance on selecting authentication credentials in the access control program. (11928)
•Establish, implement, and maintain access control policies. (00512)
•Include the purpose in the access control policy. (14001)
•Document the business need justification for user accounts. (15490)
•Establish, implement, and maintain an instant messaging and chat system usage policy. (11815)
•Establish, implement, and maintain an access rights management plan. (00513)
•Identify information system users. (12081)
•Review user accounts. (00525)
•Identify and authenticate processes running on information systems that act on behalf of users. (12082)
•Control access rights to organizational assets. (00004)
•Add all devices requiring access control to the Access Control List. (06264)
•Define roles for information systems. (12454)
•Define access needs for each role assigned to an information system. (12455)
•Define access needs for each system component of an information system. (12456)
•Establish access rights based on least privilege. (01411)
•Assign user permissions based on job responsibilities. (00538)
•Assign user privileges after they have management sign off. (00542)
•Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. (01412)
•Limit concurrent sessions according to account type. (01416)
•Enable access control for objects and users on each system. (04553)
•Set access control for objects and users to "deny all" unless explicitly authorized. (06301)
•Enable access control for objects and users to match restrictions set by the system's security classification. (04850)
•Assign Information System access authorizations if implementing segregation of duties. (06323)
•Enforce access restrictions for restricted data. (01921)
•Establish, implement, and maintain a system use agreement for each information system. (06500)
•Accept and sign the system use agreement before data or system access is enabled. (06501)
•Display a logon banner and appropriate logon message before granting access to the system. (06770)
•Control user privileges. (11665)
•Establish and maintain a list of individuals authorized to perform privileged functions. (17005)
•Review all user privileges, as necessary. (06784)
•Revoke asset access when a personnel status change occurs or an individual is terminated. (00516)
•Review and update accounts and access rights when notified of personnel status changes. (00788)
•Establish, implement, and maintain User Access Management procedures. (00514)
•Establish, implement, and maintain an authority for access authorization list. (06782)
•Review and approve logical access to all assets based upon organizational policies. (06641)
•Control the addition and modification of user identifiers, user credentials, or other authenticators. (00515)
•Remove inactive user accounts, as necessary. (00517)
•Remove temporary user accounts, as necessary. (11839)
•Limit superuser accounts to designated System Administrators. (06766)
•Enforce usage restrictions for superuser accounts. (07064)
•Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. (00526)
•Protect and manage biometric systems and biometric data. (01261)
•Maintain a log of the overrides of the biometric system. (17000)
•Establish, implement, and maintain access control procedures. (11663)
•Implement out-of-band authentication, as necessary. (10606)
•Grant access to authorized personnel or systems. (12186)
•Include the user identifiers of all personnel who are authorized to access a system in the system record. (15171)
•Include the user's location in the system record. (16996)
•Establish, implement, and maintain an identification and authentication policy. (14033)
•Include roles and responsibilities in the identification and authentication policy. (14230)
•Disseminate and communicate the identification and authentication policy to interested personnel and affected parties. (14197)
•Establish, implement, and maintain identification and authentication procedures. (14053)
•Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms. (17002)
•Include digital identification procedures in the access control program. (11841)
•Employ unique identifiers. (01273)
•Disseminate and communicate user identifiers and authenticators using secure communication protocols. (06791)
•Include instructions to refrain from using previously used authenticators in the access control program. (11930)
•Require proper authentication for user identifiers. (11785)
•Assign authenticators to user accounts. (06855)
•Assign authentication mechanisms for user account authentication. (06856)
•Refrain from allowing individuals to share authentication mechanisms. (11932)
•Require individuals to report lost or damaged authentication mechanisms. (17035)
•Limit account credential reuse as a part of digital identification procedures. (12357)
•Use biometric authentication for identification and authentication, as necessary. (06857)
•Establish, implement, and maintain a secure enrollment process for biometric systems. (17007)
•Establish, implement, and maintain a fallback mechanism for when the biometric system fails. (17006)
•Prevent the disclosure of the closeness of the biometric data during the biometric verification. (17003)
•Identify the user when enrolling them in the biometric system. (06882)
•Disallow self-enrollment of biometric information. (11834)
•Tune the biometric identification equipment, as necessary. (07077)
•Identify and control all network access controls. (00529)
•Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. (04589)
•Establish, implement, and maintain a network configuration standard. (00530)
•Establish, implement, and maintain a network security policy. (06440)
•Establish, implement, and maintain a wireless networking policy. (06732)
•Maintain up-to-date network diagrams. (00531)
•Maintain up-to-date data flow diagrams. (10059)
•Establish, implement, and maintain a sensitive information inventory. (13736)
•Manage all internal network connections. (06329)
•Establish, implement, and maintain separate virtual private networks to transport sensitive information. (12124)
•Establish, implement, and maintain separate virtual local area networks for untrusted devices. (12095)
•Manage all external network connections. (11842)
•Prohibit systems from connecting directly to external networks. (08709)
•Secure the Domain Name System. (00540)
•Configure the network to limit zone transfers to trusted servers. (01876)
•Register all Domain Names associated with the organization to the organization and not an individual. (07210)
•Establish, implement, and maintain a Boundary Defense program. (00544)
•Segregate systems in accordance with organizational standards. (12546)
•Implement gateways between security domains. (16493)
•Implement resource-isolation mechanisms in organizational networks. (16438)
•Segregate servers that contain restricted data or restricted information from direct public access. (00533)
•Restrict outbound network traffic out of the Demilitarized Zone. (16881)
•Restrict inbound network traffic into the Demilitarized Zone. (01285)
•Establish, implement, and maintain a network access control standard. (00546)
•Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. (11821)
•Place firewalls between security domains and between any Demilitarized Zone and internal network zones. (01274)
•Place firewalls between all security domains and between any secure subnet and internal network zones. (11784)
•Separate the wireless access points and wireless bridges from the wired network via a firewall. (04588)
•Establish, implement, and maintain a firewall and router configuration standard. (00541)
•Include testing and approving all network connections through the firewall in the firewall and router configuration standard. (01270)
•Include restricting inbound network traffic in the firewall and router configuration standard. (11960)
•Include restricting outbound network traffic in the firewall and router configuration standard. (11961)
•Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. (12426)
•Include a protocols, ports, applications, and services list in the firewall and router configuration standard. (00537)
•Configure network ports to organizational standards. (14007)
•Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties. (17089)
•Install and configure firewalls to be enabled on all mobile devices, if possible. (00550)
•Configure network access and control points to protect restricted information and restricted functions. (01284)
•Configure firewalls to deny all traffic by default, except explicitly designated traffic. (00547)
•Allow Internet Control Message Protocol exceptions on the firewall, as necessary. (01959)
•Allow protocol port exceptions on the firewall, as necessary. (01965)
•Establish, implement, and maintain internet protocol address filters on the firewall, as necessary. (01287)
•Configure firewalls to perform dynamic packet filtering. (01288)
•Configure firewall filtering to only permit established connections into the network. (12482)
•Synchronize and secure all router configuration files. (01291)
•Configure firewalls to generate an audit log. (12038)
•Configure firewalls to generate an alert when a potential security incident is detected. (12165)
•Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. (01646)
•Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. (01648)
•Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. (00605)
•Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. (04830)
•Remove all unauthorized wireless access points. (11856)
•Enforce information flow control. (11781)
•Establish, implement, and maintain information flow control configuration standards. (01924)
•Restrict traffic or information flow based on the origination address. (16484)
•Require the system to identify and authenticate approved devices before establishing a connection. (01429)
•Monitor and report on the organization's interconnectivity risk. (13172)
•Perform content filtering scans on network traffic. (06761)
•Constrain the information flow of restricted data or restricted information. (06763)
•Quarantine data that fails security tests. (16500)
•Restrict access to restricted data and restricted information on a need to know basis. (12453)
•Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. (06310)
•Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. (01410)
•Establish, implement, and maintain information exchange procedures. (11782)
•Include the connected Information Technology assets in the information exchange procedures.
17025
•Include connection termination procedures in the information exchange procedures.
17027
•Include the data sensitivity levels in the information exchange procedures.
17024
•Include communication requirements in the information exchange procedures.
17026
•Include roles and responsibilities in the information exchange procedures.
17023
•Include implementation procedures in the information exchange procedures.
17022
•Include security controls in the information exchange procedures.
17021
•Include testing procedures in the information exchange procedures.
17020
•Include measurement criteria in the information exchange procedures.
17019
•Include training requirements in the information exchange procedures.
17017
•Protect data from modification or loss while transmitting between separate parts of the system.
04554
•Review and approve information exchange system connections.
07143
•Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services.
13104
•Establish, implement, and maintain whitelists and blacklists of domain names.
07097
•Establish, implement, and maintain whitelists and blacklists of web content.
15234
•Establish, implement, and maintain whitelists and blacklists of software.
11780
•Establish, implement, and maintain a data loss prevention program.
13050
•Include the data loss prevention strategy as part of the data loss prevention program.
13051
•Secure access to each system component operating system.
00551
•Enforce privileged accounts and non-privileged accounts for system access.
00558
•Control all methods of remote access and teleworking.
00559
•Establish, implement, and maintain a remote access and teleworking program.
04545
•Control remote administration in accordance with organizational standards.
04459
•Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved.
00560
•Control remote access through a network access control.
01421
•Employ multifactor authentication for remote access to the organization's network.
12505
•Implement multifactor authentication techniques.
00561
•Protect remote access accounts with encryption.
00562
•Monitor and evaluate all remote access usage.
00563
•Manage the use of encryption controls and cryptographic controls.
00570
•Comply with the encryption laws of the local country.
16377
•Employ cryptographic controls that comply with applicable requirements.
12491
•Establish, implement, and maintain digital signatures.
13828
•Establish, implement, and maintain an encryption management and cryptographic controls policy.
04546
•Encrypt in scope data or in scope information, as necessary.
04824
•Digitally sign records and data, as necessary.
16507
•Define and assign cryptographic, encryption and key management roles and responsibilities.
15470
•Establish, implement, and maintain cryptographic key management procedures.
00571
•Include cryptographic key expiration in the cryptographic key management procedures.
17079
•Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys.
01301
•Generate strong cryptographic keys.
01299
•Generate unique cryptographic keys for each user.
12169
•Include the establishment of cryptographic keys in the cryptographic key management procedures.
06540
•Disseminate and communicate cryptographic keys securely.
01300
•Store cryptographic keys securely.
01298
•Restrict access to cryptographic keys.
01297
•Change cryptographic keys in accordance with organizational standards.
01302
•Notify interested personnel and affected parties upon cryptographic key supersession.
17084
•Destroy cryptographic keys promptly after the retention period.
•Establish, implement, and maintain Public Key certificate application procedures.
07079
•Establish a Root Certification Authority to support the Public Key Infrastructure.
07084
•Establish, implement, and maintain Public Key certificate procedures.
07085
•Include signing and issuing Public Key certificates in the Public Key certificate procedures.
11817
•Use strong data encryption to transmit in scope data or in scope information, as necessary.
00564
•Ensure restricted data or restricted information are encrypted prior to or at the time of transmission.
01749
•Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls.
12492
•Encrypt traffic over networks with trusted cryptographic keys.
12490
•Implement non-repudiation for transactions.
00567
•Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks.
00568
•Establish, implement, and maintain a malicious code protection program.
00574
•Establish, implement, and maintain malicious code protection procedures.
15483
•Establish, implement, and maintain a malicious code protection policy.
15478
•Restrict downloading to reduce malicious code attacks.
04576
•Install security and protection software, as necessary.
00575
•Install and maintain container security solutions.
16178
•Scan for malicious code, as necessary.
11941
•Test all removable storage media for viruses and malicious code.
11861
•Test all untrusted files or unverified files for viruses and malicious code.
01311
•Remove malware when malicious code is discovered.
13691
•Notify interested personnel and affected parties when malware is detected.
13689
•Protect the system against replay attacks.
04552
•Establish, implement, and maintain a malicious code outbreak recovery plan.
01310
•Log and react to all malicious code activity.
07072
•Lock antivirus configurations.
10047
•Establish, implement, and maintain an organizational website program.
14815
•Include the hyperlink requirements in the website program.
16949
•Control the information that is posted or processed on publicly accessible information systems.
16737
•Restrict advertisements on the organization's websites, as necessary.
17042
•Establish, implement, and maintain an application security policy.
06438
•Approve the application security policy.
17065
•Disseminate and communicate the application security policy to interested personnel and affected parties.
17064
•Conduct application security reviews, as necessary.
06298
•Establish, implement, and maintain a virtual environment and shared resources security program.
06551
•Establish, implement, and maintain procedures for provisioning shared resources.
12181
•Establish, implement, and maintain a shared resources management program.
07096
•Sanitize customer data from all shared resources upon agreement termination.
12175
•Physical and environmental protection
00709
•Establish, implement, and maintain a physical security program.
11757
•Establish, implement, and maintain physical security plans.
13307
•Establish, implement, and maintain physical security procedures.
13076
•Establish, implement, and maintain a facility physical security program.
00711
•Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data.
12050
•Protect the facility from crime.
06347
•Define communication methods for reporting crimes.
06349
•Protect facilities from eavesdropping.
02222
•Identify and document physical access controls for all physical entry points.
01637
•Control physical access to (and within) the facility.
01329
•Secure physical entry points with physical access controls or security guards.
01640
•Establish, implement, and maintain a visitor access permission policy.
06699
•Escort visitors within the facility, as necessary.
06417
•Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information.
01436
•Authorize physical access to sensitive areas based on job functions.
12462
•Change access requirements to organizational assets for personnel and visitors, as necessary.
12463
•Escort uncleared personnel who need to work in or access controlled access areas.
00747
•Establish, implement, and maintain physical identification procedures.
00713
•Implement physical identification processes.
13715
•Issue photo identification badges to all employees.
12326
•Establish, implement, and maintain lost or damaged identification card procedures, as necessary.
14819
•Report lost badges, stolen badges, and broken badges to the Security Manager.
12334
•Manage constituent identification inside the facility.
02215
•Direct each employee to be responsible for their identification card or badge.
12332
•Establish, implement, and maintain identification issuance procedures for identification cards or badges.
06598
•Include an identity registration process in the identification issuance procedures.
11671
•Restrict access to the badge system to authorized personnel.
12043
•Assign employees the responsibility for controlling their identification badges.
12333
•Establish, implement, and maintain identification re-issuing procedures for identification cards or badges.
06596
•Charge a fee for replacement of identification cards or badges, as necessary.
17001
•Establish, implement, and maintain identification mechanism termination procedures.
06306
•Use locks to protect against unauthorized physical access.
06342
•Use locks with electronic authentication systems or cipher locks, as necessary.
06650
•Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems.
00748
•Change cipher lock codes, as necessary.
06651
•Establish a security room, if necessary.
00738
•Implement physical security standards for mainframe rooms or data centers.
00749
•Secure systems in lockable equipment cabinets, as necessary.
06716
•Monitor for unauthorized physical access at physical entry points and physical exit points.
01638
•Establish and maintain a visitor log.
00715
•Record the visitor's name in the visitor log.
00557
•Record the visitor's organization in the visitor log.
12121
•Record the onsite personnel authorizing physical access for the visitor in the visitor log.
12466
•Retain all records in the visitor log as prescribed by law.
00572
•Establish, implement, and maintain physical security controls for distributed assets.
00718
•Control the transiting and internal distribution or external distribution of assets.
00963
•Restrict physical access to distributed assets.
11865
•House network hardware in lockable rooms or lockable equipment cabinets.
01873
•Establish, implement, and maintain removable storage media controls.
06680
•Control access to restricted storage media.
04889
•Physically secure all electronic storage media that store restricted data or restricted information.
11664
•Control the storage of restricted storage media.
00965
•Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults.
00717
•Protect distributed assets against theft.
06799
•Establish, implement, and maintain asset removal procedures or asset decommissioning procedures.
04540
•Prohibit assets from being taken off-site absent prior authorization.
12027
•Control the delivery of assets through physical entry points and physical exit points.
01441
•Control the removal of assets through physical entry points and physical exit points.
11681
•Maintain records of all system components entering and exiting the facility.
14304
•Establish, implement, and maintain missing asset reporting procedures.
06336
•Attach asset location technologies to distributed assets.
10626
•Employ asset location technologies in accordance with applicable laws and regulations.
10627
•Monitor the location of distributed assets.
11684
•Remote wipe any distributed asset reported lost or stolen.
12197
•Establish, implement, and maintain end user computing device security guidelines.
00719
•Establish, implement, and maintain a locking screen saver policy.
06717
•Secure workstations to desks with security cables.
04724
•Establish, implement, and maintain a mobile device management program.
15212
•Establish, implement, and maintain a mobile device management policy.
15214
•Disseminate and communicate the mobile device management policy to interested personnel and affected parties.
16998
•Establish, implement, and maintain mobile device activation procedures.
16999
•Establish, implement, and maintain mobile device security guidelines.
04723
•Include a "Return to Sender" text file on mobile devices.
17075
•Include usage restrictions for untrusted networks in the mobile device security guidelines.
17076
•Require users to refrain from leaving mobile devices unattended.
16446
•Include the use of privacy filters in the mobile device security guidelines.
16452
•Refrain from pairing Bluetooth devices in unsecured areas.
12429
•Encrypt information stored on mobile devices.
01422
•Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls.
00722
•Establish, implement, and maintain asset return procedures.
04537
•Require the return of all assets upon notification an individual is terminated.
06679
•Provide a physical disconnect of collaborative computing devices in a way that supports ease of use.
06769
•Establish, implement, and maintain an environmental control program.
00724
•House system components in areas where the physical damage potential is minimized.
01623
•Establish, implement, and maintain a fire prevention and fire suppression standard.
06695
•Install and maintain fire protection equipment.
00728
•Install and maintain fire suppression systems.
00729
•Employ environmental protections.
12570
•Establish, implement, and maintain a Heating Ventilation and Air Conditioning system.
00727
•Install and maintain an environment control monitoring system.
06370
•Install and maintain a moisture control system as a part of the climate control system.
06694
•Protect physical assets from water damage.
00730
•Install and maintain water detection devices.
11678
•Operational and Systems Continuity
00731
•Establish, implement, and maintain a business continuity program.
13210
•Establish, implement, and maintain a continuity framework.
00732
•Coordinate continuity planning with other business units responsible for related plans.
01386
•Establish, implement, and maintain a continuity plan.
00752
•Include the system description in the continuity plan.
16241
•Restore systems and environments to be operational.
13476
•Include roles and responsibilities in the continuity plan, as necessary.
13254
•Implement alternate security mechanisms when the means of implementing the security function is unavailable.
10605
•Document the uninterrupted power requirements for all in scope systems.
06707
•Install an Uninterruptible Power Supply sized to support all critical systems.
00725
•Establish, implement, and maintain a recovery plan.
13288
•Include procedures to verify completion of the data backup procedure in the recovery plan.
13297
•Include the backup procedures for information necessary to recover functionality in the recovery plan.
13294
•Test the recovery plan, as necessary.
13290
•Document lessons learned from testing the recovery plan or an actual event.
13301
•Include restoration procedures in the continuity plan.
01169
•Include risk prioritized recovery procedures for each business unit in the recovery plan.
01166
•Disseminate and communicate continuity requirements to interested personnel and affected parties.
17045
•Establish, implement, and maintain system continuity plan strategies.
00735
•Include the protection of personnel in the continuity plan.
06378
•Establish, implement, and maintain a critical personnel list.
00739
•Identify alternate personnel for each person on the critical personnel list.
12771
•Establish, implement, and maintain a critical resource list.
00740
•Define and maintain continuity Service Level Agreements for all critical resources.
00741
•Include emergency power continuity procedures in the continuity plan.
01254
•Include technical preparation considerations for backup operations in the continuity plan.
01250
•Establish, implement, and maintain backup procedures for in scope systems.
01258
•Document the backup method and backup frequency on a case-by-case basis in the backup procedures.
01384
•Establish and maintain off-site electronic media storage facilities.
00957
•Separate the off-site electronic media storage facilities from the primary facility through geographic separation.
01390
•Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur.
01393
•Store backup media at an off-site electronic media storage facility.
01332
•Store backup media in a fire-rated container which is not collocated with the operational system.
14289
•Perform backup procedures for in scope systems.
11692
•Perform full backups in accordance with organizational standards.
16376
•Back up all records.
11974
•Test each restored system for media integrity and information integrity.
01920
•Include emergency communications procedures in the continuity plan.
00750
•Identify who can speak to the media in the emergency communications procedures.
12761
•Disseminate and communicate the business continuity program to interested personnel and affected parties.
17080
•Prepare the alternate facility for an emergency offsite relocation.
00744
•Establish, implement, and maintain Service Level Agreements for all alternate facilities.
00745
•Establish, implement, and maintain a business continuity plan testing program.
14829
•Establish, implement, and maintain a continuity test plan.
04896
•Include recovery procedures in the continuity test plan.
14876
•Include test scenarios in the continuity test plan.
13506
•Human Resources management
00763
•Establish, implement, and maintain high level operational roles and responsibilities.
00806
•Define and assign the head of Information Security's roles and responsibilities.
06091
•Designate an alternate for each organizational leader.
12053
•Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program.
13112
•Define and assign the Chief Information Officer's roles and responsibilities.
00808
•Define and assign the Information Technology staff's roles and responsibilities.
00809
•Define and assign the security staff roles and responsibilities.
11750
•Define and assign the Public Information Officer's roles and responsibilities.
17059
•Establish and maintain an Information Technology steering committee.
12706
•Assign a contact person to all business units.
07144
•Define and assign workforce roles and responsibilities.
13267
•Define and assign roles and responsibilities for the biometric system.
17004
•Define and assign roles and responsibilities for those involved in risk management.
13660
•Assign the roles and responsibilities for the change control program.
13118
•Establish, implement, and maintain a personnel management program.
14018
•Establish, implement, and maintain personnel status change and termination procedures.
06549
•Terminate user accounts when notified that an individual is terminated.
11614
•Terminate access rights when notified of a personnel status change or an individual is terminated.
11826
•Notify all interested personnel and affected parties when personnel status changes or an individual is terminated.
06677
•Notify terminated individuals of applicable, legally binding post-employment requirements.
10630
•Establish and maintain the staff structure in line with the strategic plan.
00764
•Assign and staff all roles appropriately.
00784
•Implement segregation of duties in roles and responsibilities.
00774
•Train all personnel and third parties, as necessary.
00785
•Provide new hires limited network access to complete computer-based training.
17008
•Establish, implement, and maintain an education methodology.
06671
•Tailor training to be taught at each person's level of responsibility.
06674
•Document all training in a training record.
01423
•Conduct tests and evaluate training.
06672
•Hire third parties to conduct training, as necessary.
13167
•Establish, implement, and maintain training plans.
00828
•Include ethical culture in the security awareness program.
12801
•Include insider threats in the security awareness program.
16963
•Include duties and responsibilities in the training plan, as necessary.
12800
•Conduct bespoke roles and responsibilities training, as necessary.
13192
•Include risk management in the security awareness program.
13040
•Include cloud security in the security awareness program.
13039
•Establish, implement, and maintain a security awareness program.
11746
•Complete security awareness training prior to being granted access to information systems or data.
17009
•Include media protection in the security awareness program.
16368
•Document security awareness requirements.
12146
•Include safeguards for information systems in the security awareness program.
13046
•Include identity and access management in the security awareness program.
17013
•Include the encryption process in the security awareness program.
17014
•Include security policies and security standards in the security awareness program.
13045
•Include physical security in the security awareness program.
16369
•Include data management in the security awareness program.
17010
•Include e-mail and electronic messaging in the security awareness program.
17012
•Include mobile device security guidelines in the security awareness program.
11803
•Include updates on emerging issues in the security awareness program.
13184
•Include cybersecurity in the security awareness program.
13183
•Include social networking in the security awareness program.
17011
•Include the acceptable use policy in the security awareness program.
15487
•Include training based on the participants' level of responsibility and access level in the security awareness program.
11802
•Include a requirement to train all new hires and interested personnel in the security awareness program.
11800
•Include remote access in the security awareness program.
13892
•Disseminate and communicate the security awareness program to all interested personnel and affected parties.
00823
•Train all personnel and third parties on how to recognize and report security incidents.
01211
•Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies.
01363
•Monitor and measure the effectiveness of security awareness.
06262
•Conduct secure coding and development training for developers.
06822
•Establish, implement, and maintain an occupational health and safety management system.
16201
•Establish, implement, and maintain an occupational health and safety policy.
00716
•Establish, implement, and maintain a travel program for all personnel.
10597
•Refrain from loaning mobile devices to unauthorized personnel.
15218
•Establish, implement, and maintain a Code of Conduct.
04897
•Implement a sanctions process for personnel who fail to comply with the organizational compliance program.
01442
•Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.
06664
•Establish, implement, and maintain a legal support program.
13710
•Establish, implement, and maintain an ethics program.
11496
•Establish mechanisms for whistleblowers to report compliance violations.
06806
•Operational management
00805
•Establish, implement, and maintain a capacity management plan.
11751
•Align critical Information Technology resource availability planning with capacity planning.
01618
•Limit any effects of a Denial of Service attack.
06754
•Manage cloud services.
13144
•Establish, implement, and maintain cloud management procedures.
13149
•Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another.
16384
•Establish, implement, and maintain a cloud service usage standard.
13143
•Use strong data encryption when storing information within a cloud service.
16411
•Monitor managing cloud services.
13150
•Establish, implement, and maintain a Governance, Risk, and Compliance framework.
01406
•Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties.
06955
•Establish, implement, and maintain security requirements based on applicable regulations.
16283
•Assign accountability for maintaining the Governance, Risk, and Compliance framework.
12523
•Establish, implement, and maintain a compliance policy.
14807
•Include roles and responsibilities in the compliance policy.
14811
•Establish, implement, and maintain a governance policy.
15587
•Conduct governance meetings, as necessary.
16946
•Include governance threshold requirements in the governance policy.
16933
•Establish, implement, and maintain an internal control framework.
00820
•Assign resources to implement the internal control framework.
00816
•Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework.
07146
•Establish, implement, and maintain a baseline of internal controls.
12415
•Include vulnerability management and risk assessment in the internal control framework.
13102
•Automate vulnerability management, as necessary.
11730
•Authorize and document all exceptions to the internal control framework.
06781
•Establish, implement, and maintain an information security program.
00812
•Include a continuous monitoring program in the information security program.
14323
•Include change management procedures in the continuous monitoring plan.
16227
•Include risk management in the information security program.
12378
•Establish, implement, and maintain an information security policy.
11740
•Establish, implement, and maintain information security procedures.
12006
•Disseminate and communicate the information security procedures to all interested personnel and affected parties.
16303
•Assign ownership of the information security program to the appropriate role.
00814
•Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role.
11884
•Assign information security responsibilities to interested personnel and affected parties in the information security program.
11885
•Establish, implement, and maintain a social media governance program.
06536
•Require social media users to clarify that their communications do not represent the organization.
17046
•Require social media users to identify themselves when communicating on behalf of the organization.
17044
•Include explicit restrictions in the social media acceptable use policy.
06655
•Establish, implement, and maintain operational control procedures.
00831
•Establish, implement, and maintain a Standard Operating Procedures Manual.
00826
•Include maintenance measures in the standard operating procedures manual.
14986
•Establish, implement, and maintain the Acceptable Use Policy.
01350
•Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.
01351
•Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy.
11894
•Include Bring Your Own Device agreements in the Acceptable Use Policy.
15703
•Include the obligations of users in the Bring Your Own Device agreement.
15708
•Include a web usage policy in the Acceptable Use Policy.
16496
•Include asset use policies in the Acceptable Use Policy.
01355
•Include a removable storage media use policy in the Acceptable Use Policy.
06772
•Correlate the Acceptable Use Policy with the network security policy.
01356
•Correlate the Acceptable Use Policy with the approved product list.
01357
•Include disciplinary actions in the Acceptable Use Policy.
00296
•Include usage restrictions in the Acceptable Use Policy.
15311
•Include a software installation policy in the Acceptable Use Policy.
06749
•Require interested personnel and affected parties to sign Acceptable Use Policies.
06661
•Establish, implement, and maintain an Intellectual Property Right program.
00821
•Establish, implement, and maintain domain name registration and renewal procedures.
07075
•Establish, implement, and maintain an e-mail policy.
06439
•Establish, implement, and maintain a Global Address List.
16934
•Include roles and responsibilities in the e-mail policy.
17040
•Include content requirements in the e-mail policy.
17041
•Include the personal use of business e-mail in the e-mail policy.
17037
•Include usage restrictions in the e-mail policy.
17039
•Include business use of personal e-mail in the e-mail policy.
14381
•Include message format requirements in the e-mail policy.
17038
•Identify the sender in all electronic messages.
13996
•Protect policies, standards, and procedures from unauthorized modification or disclosure.
10603
•Establish, implement, and maintain nondisclosure agreements.
04536
•Require interested personnel and affected parties to sign nondisclosure agreements.
06667
•Implement and comply with the Governance, Risk, and Compliance framework.
00818
•Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework.
11747
•Comply with all implemented policies in the organization's compliance framework.
06384
•Review systems for compliance with organizational information security policies.
12004
•Establish, implement, and maintain a network management program.
13123
•Establish, implement, and maintain network documentation.
16497
•Establish, implement, and maintain an Asset Management program.
06630
•Establish, implement, and maintain administrative controls over all assets.
16400
•Establish, implement, and maintain classification schemes for all systems and assets.
01902
•Apply security controls to each level of the information classification standard.
01903
•Classify assets according to the Asset Classification Policy.
07186
•Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy.
07184
•Establish, implement, and maintain an asset inventory.
06631
•Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails.
00689
•Establish, implement, and maintain a hardware asset inventory.
00691
•Include network equipment in the Information Technology inventory.
00693
•Include mobile devices that store restricted data or restricted information in the Information Technology inventory.
04719
•Include software in the Information Technology inventory.
00692
•Establish and maintain a list of authorized software and versions required for each system.
12093
•Establish, implement, and maintain a storage media inventory.
00694
•Record a unique name for each asset in the asset inventory.
16305
•Record software license information for each asset in the asset inventory.
11736
•Establish, implement, and maintain a software accountability policy.
00868
•Establish, implement, and maintain software asset management procedures.
00895
•Establish, implement, and maintain software distribution procedures.
00894
•Establish, implement, and maintain software license management procedures.
06639
•Establish, implement, and maintain a system redeployment program.
06276
•Notify interested personnel and affected parties prior to when the system is redeployed or the system is disposed.
06400
•Wipe all data on systems prior to when the system is redeployed or the system is disposed.
06401
•Reset systems to the default configuration prior to when the system is redeployed or the system is disposed.
16968
•Establish, implement, and maintain a system disposal program.
14431
•Establish, implement, and maintain asset sanitization procedures.
16511
•Establish, implement, and maintain a system preventive maintenance program.
00885
•Establish and maintain maintenance reports.
11749
•Include a list of assets that were removed or replaced during maintenance in the maintenance report.
17088
•Include a description of the maintenance performed in the maintenance report.
17087
•Include roles and responsibilities in the maintenance report.
17086
•Include the date and time of maintenance in the maintenance report.
17085
•Establish, implement, and maintain a system maintenance policy.
14032
•Establish, implement, and maintain system maintenance procedures.
14059
•Establish, implement, and maintain a technology refresh plan.
13061
•Establish, implement, and maintain a technology refresh schedule.
16940
•Provide advice regarding the establishment and implementation of an information technology refresh plan.
16938
•Plan and conduct maintenance so that it does not interfere with scheduled operations.
06389
•Maintain contact with the device manufacturer or component manufacturer for maintenance requests.
06388
•Obtain justification for the continued use of system components when third party support is no longer available.
10645
•Control and monitor all maintenance tools.
01432
•Control remote maintenance according to the system's asset classification.
01433
•Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption.
10614
•Approve all remote maintenance sessions.
10615
•Log the performance of all remote maintenance.
13202
•Terminate remote maintenance sessions when the remote maintenance is complete.
12083
•Conduct maintenance with authorized personnel.
01434
•Respond to maintenance requests inside the organizationally established time frame.
04878
•Establish and maintain an archive of maintenance reports in a maintenance log.
06202
•Acquire spare parts prior to when maintenance requests are scheduled.
11833
•Perform periodic maintenance according to organizational standards.
01435
•Control granting access to appropriate parties performing maintenance on organizational assets.
11873
•Identify and authenticate appropriate parties prior to granting access to maintain assets.
11874
•Establish, implement, and maintain an end-of-life management process.
16540
•Disseminate and communicate end-of-life information for system components to interested personnel and affected parties.
16937
•Review each system's operational readiness.
06275
•Establish and maintain an unauthorized software list.
10601
•Establish, implement, and maintain a customer service program.
00846
•Establish, implement, and maintain an Incident Management program.
00853
•Define the characteristics of the Incident Management program.
00855
•Include the criteria for an incident in the Incident Management program.
12173
•Include incident monitoring procedures in the Incident Management program.
01207
•Categorize the incident following an incident response.
13208
•Determine the incident severity level when assessing the security incidents.
01650
•Require personnel to monitor for and report known or suspected compromise of assets.
16453
•Identify root causes of incidents that force system changes.
13482
•Respond to and triage when an incident is detected.
06942
•Document the incident and any relevant evidence in the incident report.
08659
•Include support from law enforcement authorities when conducting incident response activities, as necessary.
13197
•Respond to all alerts from security systems in a timely manner.
06434
•Coordinate incident response activities with interested personnel and affected parties.
13196
•Contain the incident to prevent further loss.
01751
•Refrain from accessing compromised systems.
01752
•Isolate compromised systems from the network.
01753
•Change authenticators after a security incident has been detected.
06789
•Record actions taken by investigators during a forensic investigation in the forensic investigation report.
07095
•Include the investigation methodology in the forensic investigation report.
17071
•Include corrective actions in the forensic investigation report.
17070
•Include the investigation results in the forensic investigation report.
17069
•Assess all incidents to determine what information was accessed.
01226
•Check the precursors and indicators when assessing the security incidents.
01761
•Analyze the incident response process following an incident response.
13179
•Share incident information with interested personnel and affected parties.
01212
•Share data loss event information with interconnected system owners.
01209
•Redact restricted data before sharing incident information.
16994
•Report data loss event information to breach notification organizations.
01210
•Include data loss event notifications in the Incident Response program.
00364
•Notify interested personnel and affected parties of the privacy breach that affects their personal data.
00365
•Include information required by law in incident response notifications.
00802
•Include a "What We Are Doing" heading in the breach notification.
12982
•Include what the organization is offering or has already done to assist affected parties in incident response notifications.
04737
•Establish, implement, and maintain a containment strategy.
13480
•Include incident recovery procedures in the Incident Management program.
01758
•Eradicate the cause of the incident after the incident has been contained.
01757
•Analyze security violations in Suspicious Activity Reports.
00591
•Include lessons learned from analyzing security violations in the Incident Management program.
01234
•Update the incident response procedures using the lessons learned.
01233
•Include incident response procedures in the Incident Management program.
01218
•Include incident management procedures in the Incident Management program.
12689
•Establish, implement, and maintain temporary and emergency access authorization procedures.
00858
•Establish, implement, and maintain temporary and emergency access revocation procedures.
15334
•Include after-action analysis procedures in the Incident Management program.
01219
•Conduct incident investigations, as necessary.
13826
•Identify the affected parties during incident investigations.
16781
•Destroy investigative materials, as necessary.
17082
•Establish, implement, and maintain incident management audit logs.
13514
•Log incidents in the Incident Management audit log.
00857
•Include who the incident was reported to in the incident management audit log.
16487
•Include the information that was exchanged in the incident management audit log.
16995
•Include incident reporting procedures in the Incident Management program.
11772
•Establish, implement, and maintain a customer service business function.
00847
•Establish, implement, and maintain help desk query clearance procedures.
00850
•Provide customer security advice, as necessary.
13674
•Establish, implement, and maintain an Incident Response program.
00579
•Create an incident response report.
12700
•Include how the incident was discovered in the incident response report.
16987
•Include the categories of data that were compromised in the incident response report.
16985
•Include costs associated with the incident in the incident response report.
12725
•Include information on all affected assets in the incident response report.
12718
•Include when the incident occurred in the incident response report.
12709
•Include corrective action taken to eradicate the incident in the incident response report.
12708
•Include an executive summary of the incident in the incident response report.
12702
•Submit the incident response report to the proper authorities in a timely manner.
12705
•Analyze and respond to security alerts.
12504
•Mitigate reported incidents.
12973
•Establish, implement, and maintain an incident response plan.
12056
•Include addressing information sharing in the incident response plan.
13349
•Include a definition of reportable incidents in the incident response plan.
14303
•Include the management support needed for incident response in the incident response plan.
14300
•Include how incident response fits into the organization in the incident response plan.
14294
•Include the resources needed for incident response in the incident response plan.
14292
•Establish, implement, and maintain a cyber incident response plan.
13286
•Include incident response team structures in the Incident Response program.
01237
•Include the incident response team member's roles and responsibilities in the Incident Response program.
01652
•Include the incident response point of contact's roles and responsibilities in the Incident Response program.
01877
•Notify interested personnel and affected parties that a security breach was detected.
11788
•Include the head of information security's roles and responsibilities in the Incident Response program.
01878
•Include the organizational legal counsel's roles and responsibilities in the Incident Response program.
01882
•Assign the distribution of security alerts to the appropriate role in the incident response program.
11887
•Include personnel contact information in the event of an incident in the Incident Response program.
06385
•Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program.
11789
•Include procedures for providing updated status information to the crisis management team in the incident response plan.
12776
•Include log management procedures in the incident response program.
17081
•Include coverage of all system components in the Incident Response program.
11955
•Prepare for incident response notifications.
00584
•Include incident response team services in the Incident Response program.
11766
•Include the incident response training program in the Incident Response program.
06750
•Conduct incident response training.
11889
•Establish, implement, and maintain an incident response policy.
14024
•Include coordination amongst entities in the incident response policy.
14107
•Include roles and responsibilities in the incident response policy.
14105
•Disseminate and communicate the incident response policy to interested personnel and affected parties.
14099
•Establish, implement, and maintain incident response procedures.
01206
•Respond when an integrity violation is detected, as necessary.
10678
•Establish, implement, and maintain a digital forensic evidence framework.
08652
•Retain collected evidence for potential future legal actions.
01235
•Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence.
08686
•Include time information in the chain of custody.
17068
•Include actions performed on evidence in the chain of custody.
17067
•Include individuals who had custody of evidence in the chain of custody.
17066
•Define the business scenarios that require digital forensic evidence.
08653
•Define the circumstances for collecting digital forensic evidence.
08657
•Conduct forensic investigations in the event of a security compromise.
11951
•Contact affected parties to participate in forensic investigations, as necessary.
12343
•Establish, implement, and maintain a digital forensic evidence collection program.
08655
•Establish, implement, and maintain secure storage and handling of evidence procedures.
08656
•Prepare digital forensic equipment.
08688
•Collect evidence from the incident scene.
02236
•Refrain from altering the state of compromised systems when collecting digital forensic evidence.
08671
•Disseminate and communicate the incident response procedures to all interested personnel and affected parties.
01215
•Test the incident response procedures.
01216
•Document the results of incident response tests and provide them to senior management.
14857
•Establish, implement, and maintain a performance management standard.
•Configure the system to log all access attempts to all systems.
00554
•Include the date and time that access was granted in the system record.
15174
•Include the access level granted in the system record.
15173
•Include when access is withdrawn in the system record.
15172
•Configure devices and users to re-authenticate, as necessary.
10609
•Prohibit the use of cached authenticators and credentials after a defined period of time.
10610
•Establish, implement, and maintain authenticators.
15305
•Establish, implement, and maintain an authenticator standard.
01702
•Establish, implement, and maintain an authenticator management system.
12031
•Establish, implement, and maintain a repository of authenticators.
16372
•Establish, implement, and maintain authenticator procedures.
12002
•Configure authenticator activation codes in accordance with organizational standards.
17032
•Configure authenticators to comply with organizational standards.
06412
•Configure the system to require new users to change their authenticator on first use.
05268
•Disable the "Store passwords using reversible encryption" setting.
01708
•Configure the system to encrypt authenticators.
06735
•Configure the system to mask authenticators.
02037
•Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators.
05992
•Configure the "minimum number of digits required for new passwords" setting to organizational standards.
08717
•Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards.
08718
•Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards.
08719
•Configure the "minimum number of special characters required for new passwords" setting to organizational standards.
08720
•Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards.
08722
•Configure the "password reuse" setting to organizational standards.
08724
•Configure the "Disable Remember Password" setting.
05270
•Configure the "Minimum password age" to organizational standards.
01703
•Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate.
05993
•Configure the authenticator policy to ban or allow authenticators as proper names, as necessary.
17030
•Notify affected parties to keep authenticators confidential.
06787
•Protect authenticators or authentication factors from unauthorized modification and disclosure.
15317
•Obscure authentication information during the login process.
15316
•Issue temporary authenticators, as necessary.
17062
•Renew temporary authenticators, as necessary.
17061
•Disable authenticators, as necessary.
17060
•Change authenticators, as necessary.
15315
•Implement safeguards to protect authenticators from unauthorized access.
15310
•Change all default authenticators.
15309
•Configure each system's security alerts to organizational standards.
12113
•Configure the system security parameters to prevent system misuse or information misappropriation.
00881
•Configure the default locking screen saver timeout to a predetermined time period.
01570
•Configure the "Display Error Notification" setting to organizational standards.
04335
•Digitally sign and encrypt e-mail, as necessary.
04493
•Verify all files are owned by an existing account and group.
05295
•Disable the "proxy ARP" configurable item on all interfaces.
06570
•Configure the "Enable Keep-Alive Messages" setting to organizational standards.
10083
•Disable or configure the e-mail server, as necessary.
06563
•Configure the system account settings and the permission settings in accordance with the organizational standards.
01538
•Remove unnecessary accounts.
16476
•Configure user accounts.
07036
•Change default usernames, as necessary.
14661
•Remove unnecessary default accounts.
01539
•Configure accounts with administrative privilege.
07033
•Employ multifactor authentication for accounts with administrative privilege.
12496
•Rename or disable the Administrator Account.
01721
•Configure User Rights.
07034
•Configure the "Lock Inactive User Accounts" setting to organizational standards.
09921
•Configure file permissions and directory permissions to organizational standards.
07035
•Verify that there are no accounts with empty password fields.
01579
•Use standards-based encryption for encryption, hashing, and signing.
01583
•Configure the Data Definition Language permissions to organizational standards.
09261
•Configure the "restore database data or other DBMS configurations, features or objects" permissions to organizational standards.
09267
•Configure the "Do not allow connections without IPSec" setting to organizational standards.
10900
•Establish, implement, and maintain appropriate shutdown procedures.
01778
•Establish, implement, and maintain network parameter modification procedures.
01517
•Configure network elements to organizational standards.
16361
•Configure devices having access to network elements to organizational standards.
16408
•Configure devices to block or avoid outbound connections.
04807
•Configure devices to deny inbound connections.
04805
•Review and restrict network addresses and network protocols.
01518
•Establish, implement, and maintain a network addressing plan.
16399
•Configure wireless access to be restricted to authorized wireless networks.
12099
•Configure Network Address Translation to organizational standards.
16395
•Disable DHCP Server unless DHCP Server is absolutely necessary.
01482
•Disable Simple Network Management Protocol unless it is absolutely necessary.
01491
•Disable Internet Protocol version 6 unless it is absolutely necessary.
01493
•Disable IP Routing unless it is absolutely necessary.
02170
•Disable Boot Protocol unless it is absolutely necessary.
04809
•Configure syslog to only accept messages from authorized devices and networks.
01562
•Enable digital encryption or digital signatures of secure channel data.
01736
•Configure the amount of idle time required before disconnecting an idle session.
01763
•Configure firewalls in accordance with organizational standards.
01926
•Establish, implement, and maintain firewall rules in accordance with organizational standards.
16353
•Create an access control list on Network Access and Control Points to restrict access.
04810
•Configure the Access Control List to restrict connections between untrusted networks and any system that holds restricted data or restricted information.
06077
•Configure the SSH server in accordance with organizational standards.
04843
•Disable Secure Shell version 1 and use Secure Shell version 2.
04465
•Allow or deny inbound connections to the secure shell port, as appropriate.
05746
•Set the SSH authentication log retry limit.
05750
•Use Secure Shell for remote logins and file transfers.
06562
•Configure Network Time Protocol.
04844
•Disallow Internet Protocol (IP) directed broadcasts.
06571
•Configure the time server in accordance with organizational standards.
06426
•Configure the time server to synchronize with specifically designated hosts.
06427
•Configure Wireless Access Points in accordance with organizational standards.
12477
•Configure the transmit power for wireless technologies to the lowest level possible.
04593
•Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users.
04595
•Disable unnecessary applications, ports, and protocols on Wireless Access Points.
04835
•Enable or disable all wireless interfaces, as necessary.
05755
•Configure mobile device settings in accordance with organizational standards.
04600
•Configure mobile devices to enable remote wipe.
12212
•Configure mobile devices to organizational standards.
04639
•Configure mobile devices to separate organizational data from personal data.
16463
•Configure the mobile device properties to organizational standards.
04640
•Enable content protection on mobile devices.
04609
•Enable data-at-rest encryption on mobile devices.
04842
•Configure Cisco-specific applications and services in accordance with organizational standards.
06557
•Disable Cisco Discovery Protocol service unless the Cisco Discovery Protocol service is absolutely necessary.
06556
•Configure e-mail security settings in accordance with organizational standards.
07055
•Configure Services settings to organizational standards.
07434
•Configure the "Extensible Authentication Protocol" to organizational standards.
07476
•Configure the "Encrypting File System (EFS)" to organizational standards.
07498
•Configure the "Simple Mail Transport Protocol (SMTP)" to organizational standards.
07527
•Configure the "DNS Server" to organizational standards.
07591
•Configure the "IPSEC Services" to organizational standards.
08233
•Configure Account settings in accordance with organizational standards.
07603
•Configure the "Account lockout threshold" to organizational standards.
07604
•Configure the "Account lockout duration" to organizational standards.
07771
•Configure Protocol Configuration settings to organizational standards.
07607
•Configure Logging settings in accordance with organizational standards.
07611
•Configure the storage parameters for all logs.
06330
•Configure sufficient log storage capacity and prevent the capacity from being exceeded.
01425
•Configure the security parameters for all logs.
01712
•Configure the log to capture audit log initialization, along with auditable event selection.
00649
•Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc.
06331
•Configure the log to capture the user's identification.
01334
•Configure the log to capture a date and time stamp.
01336
•Configure the log to capture each auditable event's origination.
01338
•Configure the log to uniquely identify each asset.
01339
•Configure the log to capture the type of each event.
06423
•Configure the log to capture the details of electronic signature transactions.
16910
•Configure the log to uniquely identify each accessed record.
16909
•Configure the log to capture each event's success or failure indication.
06424
•Configure all logs to capture auditable events or actionable events.
06332
•Configure the log to capture startups and shutdowns.
16491
•Configure the log to capture user queries and searches.
16479
•Configure the log to capture Internet Protocol addresses.
16495
•Configure the log to capture account lockouts.
16470
•Configure the log to capture execution events.
16469
•Configure the log to capture attempts to bypass or circumvent security controls.
17078
•Configure the log to capture Identity and Access Management policy changes.
15442
•Configure the log to capture changes to encryption keys.
15432
•Configure the "logging level" to organizational standards.
14456
•Configure the log to capture hardware and software access attempts.
01220
•Configure the log to capture logons, logouts, logon attempts, and logout attempts.
01915
•Configure the privilege use auditing setting.
01699
•Configure the log to record the Denial of Access that results from an excessive number of unsuccessful logon attempts.
01919
•Configure the log to capture access to restricted data or restricted information.
00644
•Configure the log to capture user identifier, address, port blocking or blacklisting.
01918
•Configure the log to capture actions taken by individuals with root privileges or administrative privileges, and add a logging option to the root file system.
00645
•Configure the log to capture identification and authentication mechanism use.
00648
•Configure the log to capture object access to key directories or key files.
01697
•Configure the log to capture both access and access attempts to security-relevant objects and security-relevant directories.
01916
•Configure the log to capture failed transactions.
06334
•Configure the log to capture successful transactions.
06335
•Configure the log to capture configuration changes.
06881
•Log, monitor, and review all changes to time settings on critical systems.
11608
•Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes.
01698
•Configure the log to capture user authenticator changes.
01917
•Configure the event log settings for specific Operating System functions.
06337
•Enable or disable the logging of "martian" packets (impossible addresses), as appropriate.
05601
•Generate an alert when an audit log failure occurs.
06737
•Configure additional log settings.
06333
•Configure the log to send alerts for each auditable event's success or failure.
•Perform file system logging and file system journaling.
05615
•Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.
07621
•Configure the "Maximum password age" to organizational standards.
07688
•Configure the "Minimum password length" to organizational standards.
07711
•Configure the "Password must meet complexity requirements" to organizational standards.
07743
•Configure the "Enforce password history" to organizational standards.
07877
•Configure the "Password Expiration" to organizational standards.
08576
•Configure Virus and Malware Protection settings in accordance with organizational standards.
07906
•Configure the "Allow cut, copy or paste operations from the clipboard via script" to organizational standards.
07997
•Configure Security settings in accordance with organizational standards.
08469
•Configure the proxy server to organizational standards.
12115
•Configure Red Hat Enterprise Linux to Organizational Standards.
08713
•Configure the Secure Shell setting to organizational standards.
08790
•Configure Polycom HDX to Organizational Standards.
08986
•Configure ICMP destination unreachable messages to organizational standards.
17052
•Configure the "SNMP community name" setting to organizational standards.
09715
•Configure Microsoft SQL Server to Organizational Standards.
08989
•Configure the "encrypt custom and Government Off-The-Shelf application code" setting to organizational standards.
09259
•Configure the "Access to DBMS software files and directories" setting to organizational standards.
09264
•Configure the "Passwords for DBMS default accounts" setting to organizational standards.
09269
•Configure the "Remote DBMS administration" setting to organizational standards.
09270
•Configure the "clear residual data from memory, data objects or files, or other storage locations" setting to organizational standards.
09296
•Configure security and protection software according to Organizational Standards.
11917
•Configure security and protection software to automatically run at startup.
12443
•Configure security and protection software to check for up-to-date signature files.
00576
•Configure security and protection software to enable automatic updates.
11945
•Configure security and protection software to check e-mail messages.
00578
•Configure security and protection software to check e-mail attachments.
11860
•Configure security and protection software to check for phishing attacks.
04569
•Configure Application Programming Interfaces in accordance with organizational standards.
12170
•Configure the Domain Name System in accordance with organizational standards.
12202
•Configure the secure name/address resolution service (authoritative source).
01624
•Configure DNS records in accordance with organizational standards.
17083
•Configure Bluetooth settings according to organizational standards.
12422
•Refrain from using unit keys on Bluetooth devices.
12541
•Perform vulnerability testing before final installation.
00884
•Implement safeguards to prevent unauthorized code execution.
10686
•Configure initial system hardening according to the secure configuration baseline.
13824
•Lock configurations to prevent circumventing security measures.
12187
•Establish, implement, and maintain a Configuration Baseline Documentation Record.
02130
•Create a hardened image of the baseline configuration to be used for building new systems.
07063
•Store master images on securely configured servers.
12089
•Protect master copies of Configurable Items using secure methods or mechanisms.
02131
•Audit the configuration of organizational assets, as necessary.
13653
•Audit assets after maintenance was performed.
13657
•Records management
00902
•Establish, implement, and maintain an information management program.
14315
•Establish, implement, and maintain records management policies.
00903
•Establish, implement, and maintain a record classification scheme.
00914
•Establish, implement, and maintain an electronic signature policy.
16907
•Include roles and responsibilities in the electronic signature policy.
16912
•Implement electronic signature systems.
16911
•Implement mobile platform compatibility in electronic signature systems.
16914
•Allow electronic signatures to satisfy requirements for written signatures, as necessary.
11807
•Establish, implement, and maintain electronic signature requirements.
06219
•Provide the signer a duplicate original document after the electronic signature transaction is complete.
16908
•Require acknowledgment of reading the document prior to allowing an electronic signature.
16906
•Define each system's preservation requirements for records and logs.
00904
•Establish, implement, and maintain a data retention program.
00906
•Store records and data in accordance with organizational standards.
16439
•Archive appropriate records, logs, and database tables.
06321
•Maintain continued integrity for all stored data and stored records.
00969
•Determine how long to keep records and logs before disposing of them.
11661
•Retain records in accordance with applicable requirements.
00968
•Define which documents and records the organization may capture.
00905
•Establish, implement, and maintain storage media disposition and destruction procedures.
11657
•Perform destruction at authorized facilities.
17074
•Sanitize electronic storage media in accordance with organizational standards.
16464
•Sanitize all electronic storage media before disposing of a system or redeploying a system.
01643
•Degauss as a method of sanitizing electronic storage media.
00973
•Destroy electronic storage media following the storage media disposition and destruction procedures.
00970
•Maintain media sanitization equipment in operational condition.
00721
•Use approved media sanitization equipment for destruction.
16459
•Define each system's disposition requirements for records and logs.
11651
•Establish, implement, and maintain records disposition procedures.
00971
•Manage the disposition status for all records.
00972
•Require authorized individuals be present to witness records disposition.
12313
•Remove and/or destroy records according to the records' retention event and retention period schedule.
06621
•Destroy printed records so they cannot be reconstructed.
11779
•Automate a programmatic process to remove stored data and records that exceed retention requirements.
06082
•Maintain disposal records or redeployment records.
01644
•Include the sanitization method in the disposal record.
17073
•Include time information in the disposal record.
17072
•Establish, implement, and maintain secure record transaction standards with third parties.
06093
•Establish, implement, and maintain records management procedures.
11619
•Capture the records required by organizational compliance requirements.
00912
•Assign the appropriate information classification to records imported into the Records Management system.
04555
•Establish, implement, and maintain a recordkeeping system.
15709
•Log the date and time each item is accessed in the recordkeeping system.
15711
•Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity.
04720
•Establish, implement, and maintain Electronic Document and Records Management systems.
16913
•Include record integrity techniques in the records management procedures.
06418
•Control error handling when data is being inputted.
00922
•Establish, implement, and maintain data processing integrity controls.
00923
•Sanitize user input in accordance with organizational standards.
16856
•Establish, implement, and maintain Automated Data Processing validation checks and editing checks.
00924
•Establish, implement, and maintain Automated Data Processing error handling procedures.
00925
•Establish, implement, and maintain electronic storage media management procedures.
00931
•Establish, implement, and maintain security label procedures.
06747
•Label restricted storage media appropriately.
00966
•Establish and maintain access controls for all records.
00371
•Establish, implement, and maintain a records lifecycle management program.
00951
•Implement and maintain high availability storage, as necessary.
00952
•Implement and maintain backups and duplicate copies of organizational records.
00953
•Establish, implement, and maintain a transparent storage media strategy.
00932
•Establish, implement, and maintain online storage monitoring and reporting capabilities.
00935
•Establish, implement, and maintain online storage controls.
00942
•Establish, implement, and maintain security controls appropriate to the record types and electronic storage media.
00943
•Provide encryption for different types of electronic storage media.
00945
•Establish, implement, and maintain document retention procedures.
11660
•Maintain electronic records in an equivalent manner as printed records, as necessary.
11806
•Convert hard copy records to electronic records, as necessary.
16927
•Protect records from loss in accordance with applicable requirements.
12007
•Establish, implement, and maintain an e-discovery program.
00976
•Establish, implement, and maintain e-discovery record and log preparation procedures.
00907
•Retain indexes for all electronic storage media.
00908
•Establish, implement, and maintain an indexing system for records and images.
00909
•Systems design, build, and implementation
00989
•Establish, implement, and maintain a System Development Life Cycle program.
11823
•Include information security throughout the system development life cycle.
12042
•Initiate the System Development Life Cycle planning phase.
06266
•Establish, implement, and maintain system design principles and system design guidelines.
01057
•Include naming conventions in system design guidelines.
13656
•Define and assign the system development project team roles and responsibilities.
01061
•Restrict system architects from being assigned as Administrators.
01064
•Restrict the development team from having access to the production environment.
01066
•Redesign business activities to support the system implementation.
01067
•Establish and maintain an input requirements definition document.
01071
•Establish, implement, and maintain security design principles.
14718
•Include reduced complexity of systems or system components in the security design principles.
14753
•Include modularity and layering of systems or system components in the security design principles.
14750
•Include least privilege of systems or system components in the security design principles.
14742
•Include minimized security elements in systems or system components in the security design principles.
14739
•Include minimization of systems or system components in the security design principles.
14733
•Include accountability and traceability of systems or system components in the security design principles.
14727
•Establish, implement, and maintain a system use training plan.
01089
•Establish and maintain System Development Life Cycle documentation.
12079
•Define and document organizational structures for the System Development Life Cycle program.
12549
•Include system operation responsibilities in the System Development Life Cycle documentation.
12563
•Establish, implement, and maintain a full set of system procedures.
01074
•Establish, implement, and maintain a database management standard.
01079
•Establish, implement, and maintain system design requirements.
06618
•Design and develop built-in redundancies, as necessary.
13064
•Identify and document the system boundaries of the system design project.
06924
•Include performance criteria in the system requirements specification.
11540
•Include product upgrade methodologies in the system requirements specification.
11563
•Establish, implement, and maintain a system design project management framework.
00990
•Establish, implement, and maintain a conceptual model of the organization's business activities prior to developing systems.
01028
•Analyze the business activity risk for system design projects.
01034
•Identify system design strategies.
01046
•Investigate the range of alternative system design strategies available.
01047
•Establish, implement, and maintain a system requirements specification.
01035
•Include the threats and risks associated with the system development project in the project feasibility study.
11797
•Establish, implement, and maintain project management standards.
00992
•Establish, implement, and maintain a project program documentation standard.
00995
•Formally approve the initiation of each project phase.
00997
•Establish, implement, and maintain a project control program.
01612
•Separate the design and development environment from the production environment.
06088
•Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.
06267
•Develop systems in accordance with the system design specifications and system design standards.
01094
•Develop new products based on best practices.
01095
•Establish, implement, and maintain a system design specification.
04557
•Include security requirements in the system design specification.
06826
•Establish, implement, and maintain a CAPTCHA design specification.
17092
•Establish, implement, and maintain human interface guidelines.
08662
•Provide labels or instructions when content requires user input.
15077
•Ensure the purpose of links can be determined through the link text.
15157
•Implement security controls when developing systems.
06270
•Require successful authentication before granting access to system functionality via network interfaces.
14926
•Analyze and minimize attack surfaces when developing systems.
06828
•Establish, implement, and maintain secure update mechanisms.
14923
•Implement cryptographic mechanisms to authenticate software updates before installation.
14925
•Automate secure update mechanisms, as necessary.
14933
•Design the security architecture.
06269
•Protect system libraries.
01097
•Digitally sign software components.
16490
•Establish and maintain access rights to source code based upon least privilege.
06962
•Develop new products based on secure coding techniques.
11733
•Establish and maintain a coding manual for secure coding techniques.
11863
•Protect applications from improper access control through secure coding techniques in source code.
11959
•Protect applications from improper error handling through secure coding techniques in source code.
11937
•Protect applications from insecure communications through secure coding techniques in source code.
11936
•Protect applications from format string attacks through secure coding techniques in source code.
17091
•Refrain from hard-coding security parameters in source code.
14917
•Refrain from hard-coding authenticators in source code.
11829
•Protect applications from injection flaws through secure coding techniques in source code.
11944
•Protect applications from buffer overflows through secure coding techniques in source code.
11943
•Protect applications from cross-site scripting through secure coding techniques in source code.
11899
•Protect against coding vulnerabilities through secure coding techniques in source code.
11897
•Protect databases from unauthorized database management actions through secure coding techniques in source code.
12049
•Refrain from displaying error messages to end users through secure coding techniques in source code.
12166
•Include all confidentiality, integrity, and availability functions in the system design specification.
04556
•Establish, implement, and maintain a security policy model document.
04560
•Perform Quality Management on all newly developed or modified systems.
01100
•Establish, implement, and maintain a system testing policy.
01102
•Configure the test environment similarly to the production environment.
06837
•Establish, implement, and maintain system testing procedures.
11744
•Restrict production data from being used in the test environment.
01103
•Include security controls in the scope of system testing.
12623
•Review and test custom code to identify potential coding vulnerabilities.
01316
•Review and test source code.
01086
•Assign the review of custom code changes to individuals other than the code author.
06291
•Establish, implement, and maintain sandboxes.
14946
•Execute unauthorized code within a sandbox.
16509
•Initiate the System Development Life Cycle implementation phase.
06268
•Establish, implement, and maintain a system implementation standard.
01111
•Deploy applications based on best practices.
12738
•Plan and document the Certification and Accreditation process.
11767
•Submit the information system's security authorization package to the appropriate stakeholders, as necessary.
13987
•Perform a final system test prior to implementing a new system.
01108
•Conduct a final security audit prior to implementing a new system.
06833
•Manage the system implementation process.
01115
•Establish, implement, and maintain procedures for promoting the system to a production environment.
01119
•Remove test data prior to promoting the system to a production environment.
12494
•Evaluate and determine whether or not the newly developed system meets users' system design requirements.
01120
•Acquisition or sale of facilities, technology, and services
01123
•Establish, implement, and maintain a product upgrade program.
12216
•Establish, implement, and maintain product update procedures.
12218
•Plan for acquiring facilities, technology, or services.
06892
•Perform a due diligence assessment on bidding suppliers prior to acquiring assets.
15714
•Establish, implement, and maintain system acquisition contracts.
14758
•Include audit record generation capabilities in system acquisition contracts.
16427
•Conduct an acquisition feasibility study prior to acquiring assets.
01129
•Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study.
01135
•Establish, implement, and maintain a product and services acquisition program.
01136
•Establish, implement, and maintain a product and services acquisition policy.
14028
•Include compliance requirements in the product and services acquisition policy.
14163
•Establish, implement, and maintain the requirements for competitive bid documents.
16936
•Establish, implement, and maintain the requirements for off-contract purchases.
16929
•Require prior approval from the appropriate authority for any off-contract purchases.
16928
•Establish, implement, and maintain a software product acquisition methodology.
01138
•Review software licensing agreements to ensure compliance.
01140
•Establish and maintain a register of approved third parties, technologies, and tools.
06836
•Install software that originates from approved third parties.
12184
•Acquire products or services.
11450
•Acquire products and services that meet useful life requirements.
16939
•Register new systems with the program office or other applicable stakeholder.
13986
•Establish, implement, and maintain facilities, assets, and services acceptance procedures.
01144
•Test new hardware or upgraded hardware and software against predefined performance requirements.
06740
•Test new hardware or upgraded hardware and software for implementation of security controls.
06743
•Test new software or upgraded software for security vulnerabilities.
01898
•Test new hardware or upgraded hardware for compatibility with the current system.
11655
•Privacy protection for information and data
00008
•Establish, implement, and maintain a privacy framework that protects restricted data.
11850
•Establish, implement, and maintain a personal data transparency program.
00375
•Establish and maintain privacy notices, as necessary.
13443
•Include contact information in the privacy notice.
14432
•Deliver privacy notices to data subjects, as necessary.
13444
•Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
00393
•Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data.
12585
•Establish, implement, and maintain a privacy policy.
06281
•Document privacy policies in clearly written and easily understood language.
00376
•Define what is included in the privacy policy.
00404
•Define the information being collected in the privacy policy.
13115
•Post the privacy policy in an easily seen location.
00401
•Establish, implement, and maintain a personal data choice and consent program.
12569
•Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data.
00391
•Establish, implement, and maintain a personal data accountability program.
13432
•Require data controllers to be accountable for their actions.
00470
•Notify the supervisory authority.
00472
•Establish, implement, and maintain approval applications.
16778
•Submit approval applications to the supervisory authority.
16627
•Provide the supervisory authority with any information requested by the supervisory authority.
12606
•Respond to questions about submissions in a timely manner.
16930
•Establish, implement, and maintain a personal data use limitation program.
13428
•Establish, implement, and maintain a personal data use purpose specification.
00093
•Dispose of media and restricted data in a timely manner.
00125
•Establish, implement, and maintain data disclosure procedures.
00133
•Include cookie management in the privacy framework.
13809
•Establish, implement, and maintain cookie management procedures.
13810
•Refrain from using cookies unless legitimate reasons have been defined.
16953
•Include the acceptable uses of cookies in the cookie management procedures.
16952
•Establish, implement, and maintain a personal data collection program.
06487
•Establish, implement, and maintain personal data collection limitation boundaries.
00507
•Manage Personal Identification Numbers and PIN verification code numbers.
00058
•Employ a random number generator to create authenticators.
13782
•Establish, implement, and maintain a personal data collection policy.
00029
•Collect and record restricted data for specific, explicit, and legitimate purposes.
00027
•Validate the business need for maintaining collected restricted data.
17090
•Establish, implement, and maintain a data handling program.
13427
•Establish, implement, and maintain data handling policies.
00353
•Establish, implement, and maintain data and information confidentiality policies.
00361
•Establish, implement, and maintain record structures to support information confidentiality.
00360
•Limit data leakage.
00356
•Conduct personal data risk assessments.
00357
•Search the Internet for evidence of data leakage.
10419
•Establish, implement, and maintain call metadata controls.
04790
•Disseminate and communicate the data handling policy to all interested personnel and affected parties.
15465
•Establish, implement, and maintain data handling procedures.
11756
•Establish, implement, and maintain a personal data transfer program.
00307
•Establish, implement, and maintain Internet interactivity data transfer procedures.
06949
•Obtain consent prior to downloading software to an individual's computer.
06951
•Remove or uninstall software from an individual's computer, as necessary.
13998
•Establish, implement, and maintain a privacy impact assessment.
13712
•Include data handling procedures in the privacy impact assessment.
15516
•Develop remedies and sanctions for privacy policy violations.
00474
•Define the organization's liability based on the applicable law.
00504
•Define the sanctions and fines available for privacy rights violations based on applicable law.
00505
•Establish, implement, and maintain an anti-spam policy.
00283
•Refrain from sending unsolicited commercial electronic messages under predetermined conditions.
13993
•Harmonization Methods and Manual of Style
06095
•Establish, implement, and maintain terminological resources.
13317
•Establish and maintain terminological entries and their definitions.
13318
•Establish and maintain definitions for terminological entries.
13319
•Use definition types that fit the purpose of the term definition.
13422
•Create partitive definitions, as necessary.
13392
•Begin partitive definitions with formulations that indicate the partitive relationship.
13405
•Third Party and supply chain oversight
08807
•Establish, implement, and maintain a supply chain management program.
11742
•Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts.
00796
•Review and update all contracts, as necessary.
11612
•Formalize client and third party relationships with contracts or nondisclosure agreements.
00794
•Establish, implement, and maintain information flow agreements with all third parties.
04543
•Include the purpose in the information flow agreement.
17016
•Include the costs in the information flow agreement.
17018
•Include the security requirements in the information flow agreement.
14244
•Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts.
06528
•Include proof of license documentation for the third parties with access to in scope systems in third party contracts.
06529
•Include a description of the data or information to be covered in third party contracts.
06510
•Include text about data ownership in third party contracts.
06502
•Include cryptographic keys in third party contracts.
16179
•Include text stating that organizations must meet organizational compliance requirements in third party contracts.
06506
•Include compliance with the organization's data usage policies in third party contracts.
16413
•Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts.
06516
•Include location requirements in third party contracts.
16915
•Include a termination provision clause in third party contracts.
01367
•Include end-of-life information in third party contracts.
15265
•Include third party acknowledgment of their data protection responsibilities in third party contracts.
01364
•Include auditing third party security controls and compliance controls in third party contracts.
01366
•Document the organization's supply chain in the supply chain management program.
09958
•Establish and maintain a Third Party Service Provider list.
12480
•Include required information in the Third Party Service Provider list.
14429
•Include contact information of the Service Provider in the Third Party Service Provider list.
14430
•Include the services provided by each supplier in the Third Party Service Provider list.
12481
•Include the location of services provided in the Third Party Service Provider list.
14423
•Establish, implement, and maintain a supply chain management policy.
08808
•Use third parties that are compliant with the applicable requirements.
08818
•Conduct all parts of the supply chain due diligence process.
08854
•Assess third parties' business continuity capabilities during due diligence.
12077
•Include a provision in outsourcing contracts that requires that supply chain members' security requirements comply with organizational security requirements.
00359
•Assess third parties' compliance environment during due diligence.
13134
•Request attestation of compliance from third parties.
12067
•Validate the third parties' compliance to organizationally mandated compliance requirements.