
Portable Compliance Profile™

Authority Documents

  • Administrative Rule 471-x-1-.04, Electronic Records and Signatures
  • Guideline 605G1: Configuration Management Process
  • Guideline 611G1: Risk Assessment and Mitigation
  • Guideline 630G1: Biometric Authentication
  • Guideline 661G1: Application Security
  • Guideline 661G2: Security Engineering Principles
  • Guideline 662G1: Systems Security
  • Guideline 662G2: BIOS Protection
  • Policy 101: Information Technology (IT) Governance
  • Policy 115: Electronic Signatures
  • Policy 200: Information Technology Planning
  • Policy 220: Information Technology Budgeting
  • Policy 230: Information Technology Procurement
  • Policy 235: Off-Contract IT Purchases
  • Policy 330: Software Use
  • Policy 380: Computer Device Refresh
  • Policy 390: Equipment Disposal - DRAFT
  • Policy 400: IT Project Governance
  • Policy 410: IT Project Initiation
  • Policy 420: IT Project Planning
  • Policy 430: IT Project Execution
  • Policy 440: IT Project Closure
  • Policy 500: Statewide Information Systems Architecture
  • Policy 520: Domain Naming & Registration
  • Policy 530: Web Development
  • Policy 540: Email and Directory Services
  • Policy 560: Cloud Storage Services
  • Policy 600: Information Security
  • Policy 602: Information Security for Service Providers
  • Policy 604: Cyber Security Incident Response
  • Policy 605: Configuration Management
  • Policy 611: Risk Management
  • Policy 621: Network and Systems Access
  • Policy 622: Remote Access
  • Policy 630: Identification and Authentication
  • Policy 638: Mobile Device Access Control
  • Policy 640: Security Awareness and Training
  • Policy 641: External Connections
  • Policy 643: Wireless Security
  • Policy 651: Physical Security
  • Policy 652: Card Key Access Control
  • Policy 660: System Use
  • Policy 661: Application Security
  • Policy 662: Systems Security
  • Policy 672: Vulnerability Scanning
  • Policy 673: Backup and Recovery
  • Policy 674: Virus Protection
  • Policy 675: Vulnerability Management
  • Policy 676: Monitoring and Reporting
  • Policy 677: Log Management
  • Policy 678: System Maintenance
  • Policy 681: Information Protection
  • Policy 682: Information Release
  • Policy 683: Encryption
  • Policy 690: Disaster Recovery
  • Procedure 604P1: Incident Reporting
  • Procedure 604P2: Cyber Security Incident Handling
  • Procedure 640P1: FTI Disclosure Awareness Training
  • Standard 400S1: IT Project Governance Threshold
  • Standard 530S1: Online Privacy and Data Collection
  • Standard 530S2: Universal Accessibility
  • Standard 530S3: Online Security Statement
  • Standard 530S4: Hypertext Linking
  • Standard 560S1: Data Loss Prevention for Cloud Services
  • Standard 560S2: System Security Standards for Office 365
  • Standard 560S3: End-User Security Standards for Office 365
  • Standard 622S1: Virtual Private Networks
  • Standard 622S2: Dial-In Access/Modem Use
  • Standard 630S1: Authenticator Management
  • Standard 638S1: Mobile Device Management
  • Standard 638S2: Mobile Device Use
  • Standard 641S1: Interconnecting IT Systems
  • Standard 643S1: Wireless Networks
  • Standard 643S2: Wireless Clients
  • Standard 643S3: Bluetooth Security
  • Standard 660S1: User Rules of Behavior
  • Standard 662S1: Server Security
  • Standard 662S2: Client Systems Security
  • Standard 662S3: Point-of-Sale Systems Security
  • Standard 674S1: Virus Protection
  • Standard 677S1: Log Management
  • Standard 681S1: Information Protection
  • Standard 681S2: Protecting Personally Identifiable Information
  • Standard 681S3: Media Sanitization

State of Alabama Office of Information Technology

KEY
1341 Mandated
253 Implied
  • Control Name
    ID #
  • Leadership and high level objectives
    00597
    • Establish, implement, and maintain a reporting methodology program.
      02072
      • Establish, implement, and maintain communication protocols.
        12245
        • Use secure communication protocols for telecommunications.
          16458
        • Include disseminating and communicating undesirable conduct in communication protocols.
          12802
        • Report to management and stakeholders on the findings and information gathered from all types of inquiries.
          12797
        • Establish, implement, and maintain alert procedures.
          12406
          • Include the capturing and alerting of compliance violations in the notification system.
            12962
      • Establish, implement, and maintain an internal reporting program.
        12409
      • Establish, implement, and maintain an external reporting program.
        12876
        • Include reporting to governing bodies in the external reporting plan.
          12923
    • Analyze organizational objectives, functions, and activities.
      00598
      • Analyze the business environment in which the organization operates.
        12798
        • Align assets with business functions and the business environment.
          13681
      • Identify all interested personnel and affected parties.
        12845
      • Establish, implement, and maintain an information classification standard.
        00601
      • Establish, implement, and maintain an Information and Infrastructure Architecture model.
        00599
        • Involve all stakeholders in the architecture review process.
          16935
      • Monitor regulatory trends to maintain compliance.
        00604
        • Monitor for new Information Security solutions.
          07078
        • Subscribe to a threat intelligence service to receive notification of emerging threats.
          12135
      • Establish, implement, and maintain a Quality Management framework.
        07196
        • Enforce a continuous Quality Control system.
          01005
          • Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures.
            01008
    • Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.
      01241
      • Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents.
        00688
      • Establish, implement, and maintain a policy and procedure management program.
        06285
        • Establish and maintain an Authority Document list.
          07113
          • Document organizational procedures that harmonize external requirements, including all legal requirements.
            00623
          • Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework.
            01636
            • Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties.
              12901
          • Classify controls according to their preventive, detective, or corrective status.
            06436
        • Approve all compliance documents.
          06286
          • Assign the appropriate roles to all applicable compliance documents.
            06284
          • Establish, implement, and maintain a compliance exception standard.
            01628
• Include explanations, compensating controls, or risk acceptance in the compliance exceptions document.
              01631
            • Review the compliance exceptions in the exceptions document, as necessary.
              01632
            • Include when exemptions expire in the compliance exception standard.
              14330
            • Assign the approval of compliance exceptions to the appropriate roles inside the organization.
              06443
            • Disseminate and communicate compliance exceptions to interested personnel and affected parties.
              16945
        • Disseminate and communicate compliance documents to all interested personnel and affected parties.
          06282
          • Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties.
            06283
    • Define the Information Assurance strategic roles and responsibilities.
      00608
      • Establish and maintain a compliance oversight committee.
        00765
        • Assign the review of Information Technology policies and procedures to the compliance oversight committee.
          01179
        • Involve the Board of Directors or senior management in Information Governance.
          00609
          • Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management.
            12058
    • Establish, implement, and maintain a strategic plan.
      12784
      • Determine progress toward the objectives of the strategic plan.
        12944
      • Establish, implement, and maintain a decision management strategy.
        06913
        • Include cost benefit analysis in the decision management strategy.
          14014
      • Establish, implement, and maintain an information technology process framework.
        13648
      • Establish, implement, and maintain a Strategic Information Technology Plan.
        00628
        • Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs.
          00631
        • Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan.
          00632
          • Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan.
            01609
            • Establish, implement, and maintain Information Technology project plans.
              16944
              • Submit closure reports at the conclusion of each information technology project.
                16948
              • Review and approve the closure report.
                16947
              • Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan.
                06497
        • Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan.
          13673
        • Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties.
          00633
        • Monitor and evaluate the implementation and effectiveness of Information Technology Plans.
          00634
          • Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans.
            06839
        • Review and approve the Strategic Information Technology Plan.
          13094
  • Monitoring and measurement
    00636
    • Monitor the usage and capacity of critical assets.
      14825
      • Monitor the usage and capacity of Information Technology assets.
        00668
• Notify the interested personnel and affected parties before the storage unit reaches maximum capacity.
          06773
        • Monitor systems for errors and faults.
          04544
        • Compare system performance metrics to organizational standards and industry benchmarks.
          00667
    • Establish, implement, and maintain Security Control System monitoring and reporting procedures.
      12506
    • Establish, implement, and maintain logging and monitoring operations.
      00637
      • Establish, implement, and maintain an audit and accountability policy.
        14035
        • Include coordination amongst entities in the audit and accountability policy.
          14102
      • Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs.
        06312
      • Establish, implement, and maintain intrusion management operations.
        00580
        • Establish, implement, and maintain an intrusion detection and prevention policy.
          15169
        • Install and maintain an Intrusion Detection System and/or Intrusion Prevention System.
          00581
        • Monitor systems for inappropriate usage and other security violations.
          00585
          • Monitor systems for access to restricted data or restricted information.
            04721
          • Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.
            06430
          • Monitor systems for unauthorized mobile code.
            10034
        • Update the intrusion detection capabilities and the incident response capabilities regularly.
          04653
      • Define and assign log management roles and responsibilities.
        06311
      • Document and communicate the log locations to the owning entity.
        12047
      • Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information.
        00638
        • Establish, implement, and maintain an event logging policy.
          15217
        • Establish, implement, and maintain event logging procedures.
          01335
          • Include the system components that generate audit records in the event logging procedures.
            16426
          • Include a standard to collect and interpret event logs in the event logging procedures.
            00643
• Supply each in scope asset with an audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs.
              01427
            • Compile the event logs of multiple components into a system-wide time-correlated audit trail.
              01424
            • Establish, implement, and maintain log analysis tools.
              17056
            • Review and update event logs and audit logs, as necessary.
              00596
              • Eliminate false positives in event logs and audit logs.
                07047
• Follow up on exceptions and anomalies identified when reviewing logs.
                11925
        • Document the event information to be logged in the event information log specification.
          00639
• Enable logging for all systems that meet the traceability criteria.
          00640
          • Enable and configure logging on network access controls in accordance with organizational standards.
            01963
            • Analyze firewall logs for the correct capturing of data.
              00549
          • Synchronize system clocks to an accurate and universal time source on all devices.
            01340
        • Define the frequency to capture and log events.
          06313
        • Review and update the list of auditable events in the event logging procedures.
          10097
      • Monitor and evaluate system performance.
        00651
      • Monitor for and react to when suspicious activities are detected.
        00586
      • Establish, implement, and maintain network monitoring operations.
        16444
      • Establish, implement, and maintain a continuous monitoring program for configuration management.
        06757
        • Include the correlation and analysis of information obtained during testing in the continuous monitoring program.
          14250
        • Establish, implement, and maintain an automated configuration monitoring system.
          07058
        • Monitor for and report when a software configuration is updated.
          06746
          • Implement file integrity monitoring.
            01205
            • Identify unauthorized modifications during file integrity monitoring.
              12096
• Monitor for software configuration updates absent authorization.
                10676
            • Alert interested personnel and affected parties when an unauthorized modification to critical files is detected.
              12045
        • Monitor and evaluate user account activity.
          07066
          • Develop and maintain a usage profile for each user account.
            07067
    • Establish, implement, and maintain a risk monitoring program.
      00658
      • Monitor the organization's exposure to threats, as necessary.
        06494
        • Monitor and evaluate environmental threats.
          13481
      • Establish, implement, and maintain a system security plan.
        01922
        • Include a description of the operational context in the system security plan.
          14301
        • Include the security requirements in the system security plan.
          14274
        • Include cryptographic key management procedures in the system security plan.
          17029
        • Include network diagrams in the system security plan.
          14273
        • Include roles and responsibilities in the system security plan.
          14682
        • Include backup and recovery procedures in the system security plan.
          17043
        • Include remote access methods in the system security plan.
          16441
        • Disseminate and communicate the system security plan to interested personnel and affected parties.
          14275
        • Include a description of the operational environment in the system security plan.
          14272
        • Include security controls in the system security plan.
          14239
        • Create specific test plans to test each system component.
          00661
          • Include the roles and responsibilities in the test plan.
            14299
          • Include the assessment environment in the test plan.
            14271
        • Validate all testing assumptions in the test plans.
          00663
          • Determine the appropriate assessment method for each testing process in the test plan.
            00665
            • Implement automated audit tools.
              04882
    • Establish, implement, and maintain a testing program.
      00654
      • Test security systems and associated security procedures, as necessary.
        11901
      • Enable security controls which were disabled to conduct testing.
        17031
      • Disable dedicated accounts after testing is complete.
        17033
      • Test the in scope system in accordance with its intended purpose.
        14961
      • Notify interested personnel and affected parties prior to performing testing.
        17034
      • Scan organizational networks for rogue devices.
        00536
        • Scan the network for wireless access points.
          00370
          • Scan wireless networks for rogue devices.
            11623
        • Deny network access to rogue devices until network access approval has been received.
          11852
          • Isolate rogue devices after a rogue device has been detected.
            07061
      • Establish, implement, and maintain a penetration test program.
        01105
        • Perform penetration tests, as necessary.
          00655
          • Test the system for insecure communications.
            00535
          • Test the system for cross-site scripting attacks.
            01321
          • Test the system for buffer overflows.
            01322
          • Test the system for injection flaws.
            01323
      • Establish, implement, and maintain a vulnerability management program.
        15721
        • Establish, implement, and maintain a vulnerability assessment program.
          11636
          • Perform vulnerability scans, as necessary.
            11637
            • Conduct scanning activities in a test environment.
              17036
            • Repeat vulnerability scanning, as necessary.
              11646
            • Identify and document security vulnerabilities.
              11857
            • Record the vulnerability scanning activity in the vulnerability scan report.
              12097
              • Disseminate and communicate the vulnerability scan results to interested personnel and affected parties.
                16418
            • Correlate vulnerability scan reports from the various systems.
              10636
            • Implement scanning tools, as necessary.
              14282
            • Update the vulnerability scanners' vulnerability list.
              10634
            • Perform external vulnerability scans, as necessary.
              11624
              • Employ an approved third party to perform external vulnerability scans on the organization's systems.
                12467
          • Perform vulnerability assessments, as necessary.
            11828
      • Perform penetration tests and vulnerability scans in concert, as necessary.
        12111
      • Test in scope systems for compliance with the Configuration Baseline Documentation Record.
        12130
      • Document and maintain test results.
        17028
      • Recommend mitigation techniques based on vulnerability scan reports.
        11639
      • Correct or mitigate vulnerabilities.
        12497
    • Establish, implement, and maintain a compliance monitoring policy.
      00671
      • Establish, implement, and maintain a metrics policy.
        01654
        • Establish, implement, and maintain an approach for compliance monitoring.
          01653
• Monitor personnel and third parties for compliance with the organizational compliance framework.
            04726
            • Carry out disciplinary actions when a compliance violation is detected.
              06675
      • Establish, implement, and maintain a technical measurement metrics policy.
        01655
        • Establish, implement, and maintain a Configuration Management metrics program.
          02077
        • Establish, implement, and maintain a Security Information and Event Management metrics program.
          02078
        • Establish, implement, and maintain an incident management and vulnerability management metrics program.
          02085
          • Report on the estimated damage or loss resulting from all security incidents.
            01674
      • Establish, implement, and maintain a log management program.
        00673
        • Include transfer procedures in the log management program.
          17077
        • Deploy log normalization tools, as necessary.
          12141
        • Restrict access to logs to authorized individuals.
          01342
        • Back up logs according to backup procedures.
          01344
        • Copy logs from all predefined hosts onto a log management infrastructure.
          01346
        • Protect logs from unauthorized activity.
          01345
        • Archive the audit trail in accordance with compliance requirements.
          00674
    • Establish, implement, and maintain security reports.
      16882
      • Disseminate and communicate the security report to interested personnel and affected parties.
        16888
    • Establish, implement, and maintain a corrective action plan.
      00675
      • Include actions taken to resolve issues in the corrective action plan.
        16884
      • Disseminate and communicate the corrective action plan to interested personnel and affected parties.
        16883
    • Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.
      00676
    • Report actions taken on known security issues to interested personnel and affected parties on a regular basis.
      12330
    • Report known security issues to interested personnel and affected parties on a regular basis.
      12329
    • Protect against misusing automated audit tools.
      04547
  • Audits and risk management
    00677
    • Establish, implement, and maintain a Statement of Compliance.
      12499
      • Publish a Statement of Compliance for the organization's external requirements.
        12350
    • Define the roles and responsibilities for personnel assigned to tasks in the Audit function.
      00678
      • Define and assign the internal audit manager's roles and responsibilities.
        00680
        • Report audit findings to interested personnel and affected parties.
          01152
    • Establish, implement, and maintain an audit program.
      00684
      • Accept the attestation engagement when all preconditions are met.
        13933
        • Audit in scope audit items and compliance documents.
          06730
          • Audit policies, standards, and procedures.
            12927
          • Audit information systems, as necessary.
            13010
          • Determine if the audit assertion's in scope controls are reasonable.
            06980
            • Document test plans for auditing in scope controls.
              06985
              • Determine the effectiveness of in scope controls.
                06984
                • Review incident management audit logs to determine the effectiveness of in scope controls.
                  12157
      • Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures.
        06966
    • Establish, implement, and maintain a risk management program.
      12051
      • Include the scope of risk management activities in the risk management program.
        13658
      • Integrate the risk management program into daily business decision-making.
        13659
      • Establish, implement, and maintain the risk assessment framework.
        00685
        • Establish, implement, and maintain a risk assessment program.
          00687
          • Include the information flow of restricted data in the risk assessment program.
            12339
          • Establish, implement, and maintain a financial plan to support the risk management strategy.
            12786
          • Address cybersecurity risks in the risk assessment program.
            13193
          • Establish, implement, and maintain Data Protection Impact Assessments.
            14830
            • Include a Data Protection Impact Assessment in the risk assessment program.
              12630
          • Establish, implement, and maintain a risk assessment policy.
            14026
            • Include coordination amongst entities in the risk assessment policy.
              14120
          • Establish, implement, and maintain risk assessment procedures.
            06446
            • Establish, implement, and maintain a threat and risk classification scheme.
              07183
              • Include security threats and vulnerabilities in the threat and risk classification scheme.
                00699
              • Include risks to critical personnel and assets in the threat and risk classification scheme.
                00698
              • Assign a probability of occurrence to all types of threats in the threat and risk classification scheme.
                01173
          • Perform risk assessments for all target environments, as necessary.
            06452
            • Approve the results of the risk assessment as documented in the risk assessment report.
              07109
            • Update the risk assessment upon changes to the risk profile.
              11627
            • Create a risk assessment report based on the risk assessment results.
              15695
          • Establish, implement, and maintain a risk assessment awareness and training program.
            06453
            • Disseminate and communicate information about risks to all interested personnel and affected parties.
              06718
        • Correlate the business impact of identified risks in the risk assessment report.
          00686
          • Conduct a Business Impact Analysis, as necessary.
            01147
            • Include tolerance to downtime in the Business Impact Analysis report.
              01172
          • Analyze and quantify the risks to in scope systems and information.
            00701
            • Establish and maintain a Risk Scoping and Measurement Definitions Document.
              00703
              • Identify the material risks in the risk assessment report.
                06482
              • Assess the potential level of business impact risk associated with business information of in scope systems.
                06465
              • Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability.
                06466
              • Assess the potential level of business impact risk associated with natural disasters.
                06470
              • Assess the potential level of business impact risk associated with control weaknesses.
                06471
            • Establish a risk acceptance level that is appropriate to the organization's risk appetite.
              00706
              • Select the appropriate risk treatment option for each identified risk in the risk register.
                06483
        • Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary.
          00704
          • Prioritize and select controls based on the risk assessment findings.
            00707
            • Prioritize and categorize the effects of opportunities, threats and requirements on control activities.
              12822
          • Determine the effectiveness of risk control measures.
            06601
            • Develop key indicators to inform management on the effectiveness of risk control measures.
              12946
        • Establish, implement, and maintain a risk treatment plan.
          11983
          • Include roles and responsibilities in the risk treatment plan.
            16991
          • Include time information in the risk treatment plan.
            16993
          • Include allocation of resources in the risk treatment plan.
            16989
          • Identify the planned actions and controls that address high risk in the risk treatment plan.
            12835
          • Include the risk treatment strategy in the risk treatment plan.
            12159
          • Include requirements for monitoring and reporting in the risk treatment plan, as necessary.
            13620
          • Include risk assessment results in the risk treatment plan.
            11978
        • Integrate the corrective action plan based on the risk assessment findings with other risk management activities.
          06457
        • Document and communicate a corrective action plan based on the risk assessment findings.
          00705
      • Document residual risk in a residual risk report.
        13664
  • Technical security
    00508
    • Establish, implement, and maintain an access classification scheme.
      00509
      • Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme.
        00510
      • Establish, implement, and maintain security classifications for organizational assets.
        00005
        • Establish the criticality of the network and systems.
          00006
        • Review connection requirements for all systems.
          06411
    • Establish, implement, and maintain a digital identity management program.
      13713
      • Establish, implement, and maintain digital identification procedures.
        13714
        • Implement digital identification processes.
          13731
          • Implement identity proofing processes.
            13719
            • Validate proof of identity during the identity proofing process.
              13756
            • Conduct in-person proofing with physical interactions.
              13775
      • Establish, implement, and maintain federated identity systems.
        13837
        • Authenticate all systems in a federated identity system.
          13835
          • Send and receive authentication assertions, as necessary.
            13839
            • Validate each element within the authentication assertion.
              13853
              • Validate the digital signature in the authentication assertion.
                13869
    • Establish, implement, and maintain an access control program.
      11702
      • Include guidance for how users should protect their authentication credentials in the access control program.
        11929
      • Include guidance on selecting authentication credentials in the access control program.
        11928
      • Establish, implement, and maintain access control policies.
        00512
        • Include the purpose in the access control policy.
          14001
          • Document the business need justification for user accounts.
            15490
        • Establish, implement, and maintain an instant messaging and chat system usage policy.
          11815
      • Establish, implement, and maintain an access rights management plan.
        00513
        • Identify information system users.
          12081
          • Review user accounts.
            00525
          • Identify and authenticate processes running on information systems that act on behalf of users.
            12082
        • Control access rights to organizational assets.
          00004
          • Add all devices requiring access control to the Access Control List.
            06264
          • Define roles for information systems.
            12454
            • Define access needs for each role assigned to an information system.
              12455
              • Define access needs for each system component of an information system.
                12456
          • Establish access rights based on least privilege.
            01411
            • Assign user permissions based on job responsibilities.
              00538
            • Assign user privileges after they have management sign off.
              00542
          • Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts.
            01412
          • Limit concurrent sessions according to account type.
            01416
          • Enable access control for objects and users on each system.
            04553
            • Set access control for objects and users to "deny all" unless explicitly authorized.
              06301
            • Enable access control for objects and users to match restrictions set by the system's security classification.
              04850
          • Assign Information System access authorizations if implementing segregation of duties.
            06323
            • Enforce access restrictions for restricted data.
              01921
          • Establish, implement, and maintain a system use agreement for each information system.
            06500
            • Accept and sign the system use agreement before data or system access is enabled.
              06501
          • Display a logon banner and appropriate logon message before granting access to the system.
            06770
        • Control user privileges.
          11665
          • Establish and maintain a list of individuals authorized to perform privileged functions.
            17005
          • Review all user privileges, as necessary.
            06784
            • Revoke asset access when a personnel status change occurs or an individual is terminated.
              00516
            • Review and update accounts and access rights when notified of personnel status changes.
              00788
        • Establish, implement, and maintain User Access Management procedures.
          00514
          • Establish, implement, and maintain an authority for access authorization list.
            06782
            • Review and approve logical access to all assets based upon organizational policies.
              06641
          • Control the addition and modification of user identifiers, user credentials, or other authenticators.
            00515
          • Remove inactive user accounts, as necessary.
            00517
          • Remove temporary user accounts, as necessary.
            11839
          • Limit superuser accounts to designated System Administrators.
            06766
            • Enforce usage restrictions for superuser accounts.
              07064
        • Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework.
          00526
        • Protect and manage biometric systems and biometric data.
          01261
          • Maintain a log of the overrides of the biometric system.
            17000
      • Establish, implement, and maintain access control procedures.
        11663
        • Implement out-of-band authentication, as necessary.
          10606
        • Grant access to authorized personnel or systems.
          12186
          • Include the user identifiers of all personnel who are authorized to access a system in the system record.
            15171
          • Include the user's location in the system record.
            16996
      • Establish, implement, and maintain an identification and authentication policy.
        14033
        • Include roles and responsibilities in the identification and authentication policy.
          14230
        • Disseminate and communicate the identification and authentication policy to interested personnel and affected parties.
          14197
        • Establish, implement, and maintain identification and authentication procedures.
          14053
          • Implement alternative authentication mechanisms when individuals cannot utilize primary authentication mechanisms.
            17002
      • Include digital identification procedures in the access control program.
        11841
        • Employ unique identifiers.
          01273
        • Disseminate and communicate user identifiers and authenticators using secure communication protocols.
          06791
        • Include instructions to refrain from using previously used authenticators in the access control program.
          11930
        • Require proper authentication for user identifiers.
          11785
          • Assign authenticators to user accounts.
            06855
          • Assign authentication mechanisms for user account authentication.
            06856
            • Refrain from allowing individuals to share authentication mechanisms.
              11932
            • Require individuals to report lost or damaged authentication mechanisms.
              17035
            • Limit account credential reuse as a part of digital identification procedures.
              12357
          • Use biometric authentication for identification and authentication, as necessary.
            06857
            • Establish, implement, and maintain a secure enrollment process for biometric systems.
              17007
            • Establish, implement, and maintain a fallback mechanism for when the biometric system fails.
              17006
            • Prevent the disclosure of the closeness of the biometric data during the biometric verification.
              17003
            • Identify the user when enrolling them in the biometric system.
              06882
            • Disallow self-enrollment of biometric information.
              11834
            • Tune the biometric identification equipment, as necessary.
              07077
    • Identify and control all network access controls.
      00529
      • Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective.
        04589
      • Establish, implement, and maintain a network configuration standard.
        00530
        • Establish, implement, and maintain a network security policy.
          06440
          • Establish, implement, and maintain a wireless networking policy.
            06732
        • Maintain up-to-date network diagrams.
          00531
        • Maintain up-to-date data flow diagrams.
          10059
          • Establish, implement, and maintain a sensitive information inventory.
            13736
      • Manage all internal network connections.
        06329
        • Establish, implement, and maintain separate virtual private networks to transport sensitive information.
          12124
        • Establish, implement, and maintain separate virtual local area networks for untrusted devices.
          12095
      • Manage all external network connections.
        11842
        • Prohibit systems from connecting directly to external networks.
          08709
      • Secure the Domain Name System.
        00540
        • Configure the network to limit zone transfers to trusted servers.
          01876
        • Register all Domain Names associated with the organization to the organization and not an individual.
          07210
      • Establish, implement, and maintain a Boundary Defense program.
        00544
        • Segregate systems in accordance with organizational standards.
          12546
          • Implement gateways between security domains.
            16493
          • Implement resource-isolation mechanisms in organizational networks.
            16438
          • Segregate servers that contain restricted data or restricted information from direct public access.
            00533
            • Restrict outbound network traffic out of the Demilitarized Zone.
              16881
            • Restrict inbound network traffic into the Demilitarized Zone.
              01285
        • Establish, implement, and maintain a network access control standard.
          00546
          • Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary.
            11821
            • Place firewalls between security domains and between any Demilitarized Zone and internal network zones.
              01274
            • Place firewalls between all security domains and between any secure subnet and internal network zones.
              11784
            • Separate the wireless access points and wireless bridges from the wired network via a firewall.
              04588
        • Establish, implement, and maintain a firewall and router configuration standard.
          00541
          • Include testing and approving all network connections through the firewall in the firewall and router configuration standard.
            01270
          • Include restricting inbound network traffic in the firewall and router configuration standard.
            11960
          • Include restricting outbound network traffic in the firewall and router configuration standard.
            11961
          • Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard.
            12426
          • Include a protocols, ports, applications, and services list in the firewall and router configuration standard.
            00537
            • Configure network ports to organizational standards.
              14007
            • Disseminate and communicate the protocols, ports, applications, and services list to interested personnel and affected parties.
              17089
        • Install and configure firewalls to be enabled on all mobile devices, if possible.
          00550
        • Configure network access and control points to protect restricted information and restricted functions.
          01284
          • Configure firewalls to deny all traffic by default, except explicitly designated traffic.
            00547
            • Allow Internet Control Message Protocol exceptions on the firewall, as necessary.
              01959
            • Allow protocol port exceptions on the firewall, as necessary.
              01965
          • Establish, implement, and maintain internet protocol address filters on the firewall, as necessary.
            01287
          • Configure firewalls to perform dynamic packet filtering.
            01288
            • Configure firewall filtering to only permit established connections into the network.
              12482
          • Synchronize and secure all router configuration files.
            01291
          • Configure firewalls to generate an audit log.
            12038
          • Configure firewalls to generate an alert when a potential security incident is detected.
            12165
      • Establish, implement, and maintain a Wireless Local Area Network Configuration Management program.
        01646
        • Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access.
          01648
        • Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points.
          00605
        • Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks.
          04830
        • Remove all unauthorized wireless access points.
          11856
    • Enforce information flow control.
      11781
      • Establish, implement, and maintain information flow control configuration standards.
        01924
        • Restrict traffic or information flow based on the origination address.
          16484
        • Require the system to identify and authenticate approved devices before establishing a connection.
          01429
        • Monitor and report on the organization's interconnectivity risk.
          13172
        • Perform content filtering scans on network traffic.
          06761
        • Constrain the information flow of restricted data or restricted information.
          06763
          • Quarantine data that fails security tests.
            16500
          • Restrict access to restricted data and restricted information on a need-to-know basis.
            12453
          • Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control.
            06310
      • Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.
        01410
        • Establish, implement, and maintain information exchange procedures.
          11782
          • Include the connected Information Technology assets in the information exchange procedures.
            17025
          • Include connection termination procedures in the information exchange procedures.
            17027
          • Include the data sensitivity levels in the information exchange procedures.
            17024
          • Include communication requirements in the information exchange procedures.
            17026
          • Include roles and responsibilities in the information exchange procedures.
            17023
          • Include implementation procedures in the information exchange procedures.
            17022
          • Include security controls in the information exchange procedures.
            17021
          • Include testing procedures in the information exchange procedures.
            17020
          • Include measurement criteria in the information exchange procedures.
            17019
          • Include training requirements in the information exchange procedures.
            17017
          • Protect data from modification or loss while transmitting between separate parts of the system.
            04554
          • Review and approve information exchange system connections.
            07143
        • Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services.
          13104
          • Establish, implement, and maintain whitelists and blacklists of domain names.
            07097
          • Establish, implement, and maintain whitelists and blacklists of web content.
            15234
        • Establish, implement, and maintain whitelists and blacklists of software.
          11780
    • Establish, implement, and maintain a data loss prevention program.
      13050
      • Include the data loss prevention strategy as part of the data loss prevention program.
        13051
    • Secure access to each system component operating system.
      00551
      • Enforce privileged accounts and non-privileged accounts for system access.
        00558
    • Control all methods of remote access and teleworking.
      00559
      • Establish, implement, and maintain a remote access and teleworking program.
        04545
      • Control remote administration in accordance with organizational standards.
        04459
      • Scan the system to verify modems are disabled or removed, except the modems that are explicitly approved.
        00560
      • Control remote access through a network access control.
        01421
        • Employ multifactor authentication for remote access to the organization's network.
          12505
      • Implement multifactor authentication techniques.
        00561
      • Protect remote access accounts with encryption.
        00562
      • Monitor and evaluate all remote access usage.
        00563
    • Manage the use of encryption controls and cryptographic controls.
      00570
      • Comply with the encryption laws of the local country.
        16377
      • Employ cryptographic controls that comply with applicable requirements.
        12491
      • Establish, implement, and maintain digital signatures.
        13828
      • Establish, implement, and maintain an encryption management and cryptographic controls policy.
        04546
        • Encrypt in-scope data or in-scope information, as necessary.
          04824
        • Digitally sign records and data, as necessary.
          16507
      • Define and assign cryptographic, encryption, and key management roles and responsibilities.
        15470
      • Establish, implement, and maintain cryptographic key management procedures.
        00571
        • Include cryptographic key expiration in the cryptographic key management procedures.
          17079
        • Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys.
          01301
        • Generate strong cryptographic keys.
          01299
          • Generate unique cryptographic keys for each user.
            12169
        • Include the establishment of cryptographic keys in the cryptographic key management procedures.
          06540
        • Disseminate and communicate cryptographic keys securely.
          01300
        • Store cryptographic keys securely.
          01298
          • Restrict access to cryptographic keys.
            01297
        • Change cryptographic keys in accordance with organizational standards.
          01302
        • Notify interested personnel and affected parties upon cryptographic key supersession.
          17084
        • Destroy cryptographic keys promptly after the retention period.
          01303
        • Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys.
          06852
        • Establish, implement, and maintain Public Key certificate application procedures.
          07079
        • Establish a Root Certification Authority to support the Public Key Infrastructure.
          07084
          • Establish, implement, and maintain Public Key certificate procedures.
            07085
          • Include signing and issuing Public Key certificates in the Public Key certificate procedures.
            11817
      • Use strong data encryption to transmit in-scope data or in-scope information, as necessary.
        00564
        • Ensure restricted data or restricted information are encrypted prior to or at the time of transmission.
          01749
        • Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls.
          12492
        • Encrypt traffic over networks with trusted cryptographic keys.
          12490
        • Implement non-repudiation for transactions.
          00567
        • Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks.
          00568
    • Establish, implement, and maintain a malicious code protection program.
      00574
      • Establish, implement, and maintain malicious code protection procedures.
        15483
      • Establish, implement, and maintain a malicious code protection policy.
        15478
      • Restrict downloading to reduce malicious code attacks.
        04576
      • Install security and protection software, as necessary.
        00575
        • Install and maintain container security solutions.
          16178
      • Scan for malicious code, as necessary.
        11941
        • Test all removable storage media for viruses and malicious code.
          11861
        • Test all untrusted files or unverified files for viruses and malicious code.
          01311
        • Remove malware when malicious code is discovered.
          13691
        • Notify interested personnel and affected parties when malware is detected.
          13689
      • Protect the system against replay attacks.
        04552
      • Establish, implement, and maintain a malicious code outbreak recovery plan.
        01310
      • Log and react to all malicious code activity.
        07072
      • Lock antivirus configurations.
        10047
    • Establish, implement, and maintain an organizational website program.
      14815
      • Include the hyperlink requirements in the website program.
        16949
      • Control the information that is posted or processed on publicly accessible information systems.
        16737
      • Restrict advertisements on the organization's websites, as necessary.
        17042
    • Establish, implement, and maintain an application security policy.
      06438
      • Approve the application security policy.
        17065
      • Disseminate and communicate the application security policy to interested personnel and affected parties.
        17064
      • Conduct application security reviews, as necessary.
        06298
    • Establish, implement, and maintain a virtual environment and shared resources security program.
      06551
      • Establish, implement, and maintain procedures for provisioning shared resources.
        12181
      • Establish, implement, and maintain a shared resources management program.
        07096
      • Sanitize customer data from all shared resources upon agreement termination.
        12175
  • Physical and environmental protection
    00709
    • Establish, implement, and maintain a physical security program.
      11757
      • Establish, implement, and maintain physical security plans.
        13307
      • Establish, implement, and maintain physical security procedures.
        13076
      • Establish, implement, and maintain a facility physical security program.
        00711
        • Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data.
          12050
        • Protect the facility from crime.
          06347
          • Define communication methods for reporting crimes.
            06349
        • Protect facilities from eavesdropping.
          02222
        • Identify and document physical access controls for all physical entry points.
          01637
          • Control physical access to (and within) the facility.
            01329
            • Secure physical entry points with physical access controls or security guards.
              01640
            • Establish, implement, and maintain a visitor access permission policy.
              06699
              • Escort visitors within the facility, as necessary.
                06417
            • Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information.
              01436
              • Authorize physical access to sensitive areas based on job functions.
                12462
              • Change access requirements to organizational assets for personnel and visitors, as necessary.
                12463
              • Escort uncleared personnel who need to work in or access controlled access areas.
                00747
            • Establish, implement, and maintain physical identification procedures.
              00713
              • Implement physical identification processes.
                13715
                • Issue photo identification badges to all employees.
                  12326
              • Establish, implement, and maintain lost or damaged identification card procedures, as necessary.
                14819
                • Report lost badges, stolen badges, and broken badges to the Security Manager.
                  12334
              • Manage constituent identification inside the facility.
                02215
                • Direct each employee to be responsible for their identification card or badge.
                  12332
              • Establish, implement, and maintain identification issuance procedures for identification cards or badges.
                06598
                • Include an identity registration process in the identification issuance procedures.
                  11671
              • Restrict access to the badge system to authorized personnel.
                12043
              • Assign employees the responsibility for controlling their identification badges.
                12333
              • Establish, implement, and maintain identification re-issuing procedures for identification cards or badges.
                06596
                • Charge a fee for replacement of identification cards or badges, as necessary.
                  17001
              • Establish, implement, and maintain identification mechanism termination procedures.
                06306
          • Use locks to protect against unauthorized physical access.
            06342
            • Use locks with electronic authentication systems or cipher locks, as necessary.
              06650
              • Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems.
                00748
              • Change cipher lock codes, as necessary.
                06651
        • Establish a security room, if necessary.
          00738
        • Implement physical security standards for mainframe rooms or data centers.
          00749
          • Secure systems in lockable equipment cabinets, as necessary.
            06716
        • Monitor for unauthorized physical access at physical entry points and physical exit points.
          01638
          • Establish and maintain a visitor log.
            00715
            • Record the visitor's name in the visitor log.
              00557
            • Record the visitor's organization in the visitor log.
              12121
            • Record the onsite personnel authorizing physical access for the visitor in the visitor log.
              12466
            • Retain all records in the visitor log as prescribed by law.
              00572
      • Establish, implement, and maintain physical security controls for distributed assets.
        00718
        • Control the transiting and internal distribution or external distribution of assets.
          00963
        • Restrict physical access to distributed assets.
          11865
          • House network hardware in lockable rooms or lockable equipment cabinets.
            01873
        • Establish, implement, and maintain removable storage media controls.
          06680
          • Control access to restricted storage media.
            04889
          • Physically secure all electronic storage media that store restricted data or restricted information.
            11664
          • Control the storage of restricted storage media.
            00965
            • Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults.
              00717
        • Protect distributed assets against theft.
          06799
          • Establish, implement, and maintain asset removal procedures or asset decommissioning procedures.
            04540
            • Prohibit assets from being taken off-site absent prior authorization.
              12027
          • Control the delivery of assets through physical entry points and physical exit points.
            01441
          • Control the removal of assets through physical entry points and physical exit points.
            11681
          • Maintain records of all system components entering and exiting the facility.
            14304
          • Establish, implement, and maintain missing asset reporting procedures.
            06336
          • Attach asset location technologies to distributed assets.
            10626
            • Employ asset location technologies in accordance with applicable laws and regulations.
              10627
          • Monitor the location of distributed assets.
            11684
          • Remote wipe any distributed asset reported lost or stolen.
            12197
        • Establish, implement, and maintain end user computing device security guidelines.
          00719
          • Establish, implement, and maintain a locking screen saver policy.
            06717
          • Secure workstations to desks with security cables.
            04724
        • Establish, implement, and maintain a mobile device management program.
          15212
          • Establish, implement, and maintain a mobile device management policy.
            15214
            • Disseminate and communicate the mobile device management policy to interested personnel and affected parties.
              16998
          • Establish, implement, and maintain mobile device activation procedures.
            16999
        • Establish, implement, and maintain mobile device security guidelines.
          04723
          • Include a "Return to Sender" text file on mobile devices.
            17075
          • Include usage restrictions for untrusted networks in the mobile device security guidelines.
            17076
          • Require users to refrain from leaving mobile devices unattended.
            16446
          • Include the use of privacy filters in the mobile device security guidelines.
            16452
          • Refrain from pairing Bluetooth devices in unsecured areas.
            12429
          • Encrypt information stored on mobile devices.
            01422
        • Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls.
          00722
        • Establish, implement, and maintain asset return procedures.
          04537
          • Require the return of all assets upon notification an individual is terminated.
            06679
        • Provide a physical disconnect of collaborative computing devices in a way that supports ease of use.
          06769
    • Establish, implement, and maintain an environmental control program.
      00724
      • House system components in areas where the physical damage potential is minimized.
        01623
      • Establish, implement, and maintain a fire prevention and fire suppression standard.
        06695
        • Install and maintain fire protection equipment.
          00728
        • Install and maintain fire suppression systems.
          00729
      • Employ environmental protections.
        12570
        • Establish, implement, and maintain a Heating, Ventilation, and Air Conditioning system.
          00727
          • Install and maintain an environment control monitoring system.
            06370
          • Install and maintain a moisture control system as a part of the climate control system.
            06694
        • Protect physical assets from water damage.
          00730
          • Install and maintain water detection devices.
            11678
  • Operational and Systems Continuity
    00731
    • Establish, implement, and maintain a business continuity program.
      13210
      • Establish, implement, and maintain a continuity framework.
        00732
        • Coordinate continuity planning with other business units responsible for related plans.
          01386
      • Establish, implement, and maintain a continuity plan.
        00752
        • Include the system description in the continuity plan.
          16241
        • Restore systems and environments to be operational.
          13476
        • Include roles and responsibilities in the continuity plan, as necessary.
          13254
        • Implement alternate security mechanisms when the means of implementing the security function is unavailable.
          10605
        • Document the uninterrupted power requirements for all in-scope systems.
          06707
          • Install an Uninterruptible Power Supply sized to support all critical systems.
            00725
        • Establish, implement, and maintain a recovery plan.
          13288
          • Include procedures to verify completion of the data backup procedure in the recovery plan.
            13297
          • Include the backup procedures for information necessary to recover functionality in the recovery plan.
            13294
          • Test the recovery plan, as necessary.
            13290
            • Document lessons learned from testing the recovery plan or an actual event.
              13301
        • Include restoration procedures in the continuity plan.
          01169
          • Include risk prioritized recovery procedures for each business unit in the recovery plan.
            01166
        • Disseminate and communicate continuity requirements to interested personnel and affected parties.
          17045
      • Establish, implement, and maintain system continuity plan strategies.
        00735
        • Include the protection of personnel in the continuity plan.
          06378
          • Establish, implement, and maintain a critical personnel list.
            00739
            • Identify alternate personnel for each person on the critical personnel list.
              12771
        • Establish, implement, and maintain a critical resource list.
          00740
          • Define and maintain continuity Service Level Agreements for all critical resources.
            00741
        • Include emergency power continuity procedures in the continuity plan.
          01254
        • Include technical preparation considerations for backup operations in the continuity plan.
          01250
          • Establish, implement, and maintain backup procedures for in-scope systems.
            01258
            • Document the backup method and backup frequency on a case-by-case basis in the backup procedures.
              01384
            • Establish and maintain off-site electronic media storage facilities.
              00957
              • Separate the off-site electronic media storage facilities from the primary facility through geographic separation.
                01390
              • Outline explicit mitigation actions for potential accessibility issues with off-site electronic media storage facilities when area-wide disruptions or area-wide disasters occur.
                01393
              • Store backup media at an off-site electronic media storage facility.
                01332
              • Store backup media in a fire-rated container which is not collocated with the operational system.
                14289
          • Perform backup procedures for in-scope systems.
            11692
            • Perform full backups in accordance with organizational standards.
              16376
            • Back up all records.
              11974
            • Test each restored system for media integrity and information integrity.
              01920
        • Include emergency communications procedures in the continuity plan.
          00750
          • Identify who can speak to the media in the emergency communications procedures.
            12761
      • Disseminate and communicate the business continuity program to interested personnel and affected parties.
        17080
    • Prepare the alternate facility for an emergency offsite relocation.
      00744
      • Establish, implement, and maintain Service Level Agreements for all alternate facilities.
        00745
    • Establish, implement, and maintain a business continuity plan testing program.
      14829
      • Establish, implement, and maintain a continuity test plan.
        04896
        • Include recovery procedures in the continuity test plan.
          14876
        • Include test scenarios in the continuity test plan.
          13506
  • Human Resources management
    00763
    • Establish, implement, and maintain high level operational roles and responsibilities.
      00806
      • Define and assign the head of Information Security's roles and responsibilities.
        06091
      • Designate an alternate for each organizational leader.
        12053
      • Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program.
        13112
      • Define and assign the Chief Information Officer's roles and responsibilities.
        00808
      • Define and assign the Information Technology staff's roles and responsibilities.
        00809
      • Define and assign the security staff roles and responsibilities.
        11750
      • Define and assign the Public Information Officer's roles and responsibilities.
        17059
      • Establish and maintain an Information Technology steering committee.
        12706
      • Assign a contact person to all business units.
        07144
    • Define and assign workforce roles and responsibilities.
      13267
      • Define and assign roles and responsibilities for the biometric system.
        17004
      • Define and assign roles and responsibilities for those involved in risk management.
        13660
      • Assign the roles and responsibilities for the change control program.
        13118
    • Establish, implement, and maintain a personnel management program.
      14018
      • Establish, implement, and maintain personnel status change and termination procedures.
        06549
        • Terminate user accounts when notified that an individual is terminated.
          11614
        • Terminate access rights when notified of a personnel status change or an individual is terminated.
          11826
        • Notify all interested personnel and affected parties when personnel status changes or an individual is terminated.
          06677
        • Notify terminated individuals of applicable, legally binding post-employment requirements.
          10630
    • Establish and maintain the staff structure in line with the strategic plan.
      00764
      • Assign and staff all roles appropriately.
        00784
      • Implement segregation of duties in roles and responsibilities.
        00774
    • Train all personnel and third parties, as necessary.
      00785
      • Provide new hires limited network access to complete computer-based training.
        17008
      • Establish, implement, and maintain an education methodology.
        06671
        • Tailor training to be taught at each person's level of responsibility.
          06674
        • Document all training in a training record.
          01423
      • Conduct tests and evaluate training.
        06672
        • Hire third parties to conduct training, as necessary.
          13167
      • Establish, implement, and maintain training plans.
        00828
        • Include ethical culture in the security awareness program.
          12801
        • Include insider threats in the security awareness program.
          16963
        • Include duties and responsibilities in the training plan, as necessary.
          12800
          • Conduct bespoke roles and responsibilities training, as necessary.
            13192
        • Include risk management in the security awareness program.
          13040
        • Include cloud security in the security awareness program.
          13039
        • Establish, implement, and maintain a security awareness program.
          11746
          • Complete security awareness training prior to being granted access to information systems or data.
            17009
          • Include media protection in the security awareness program.
            16368
          • Document security awareness requirements.
            12146
            • Include safeguards for information systems in the security awareness program.
              13046
            • Include identity and access management in the security awareness program.
              17013
            • Include the encryption process in the security awareness program.
              17014
            • Include security policies and security standards in the security awareness program.
              13045
            • Include physical security in the security awareness program.
              16369
            • Include data management in the security awareness program.
              17010
            • Include e-mail and electronic messaging in the security awareness program.
              17012
            • Include mobile device security guidelines in the security awareness program.
              11803
            • Include updates on emerging issues in the security awareness program.
              13184
            • Include cybersecurity in the security awareness program.
              13183
            • Include social networking in the security awareness program.
              17011
            • Include the acceptable use policy in the security awareness program.
              15487
            • Include training based on the participants' level of responsibility and access level in the security awareness program.
              11802
            • Include a requirement to train all new hires and interested personnel in the security awareness program.
              11800
          • Include remote access in the security awareness program.
            13892
          • Disseminate and communicate the security awareness program to all interested personnel and affected parties.
            00823
            • Train all personnel and third parties on how to recognize and report security incidents.
              01211
            • Require personnel to acknowledge, by signing, that they have read and understand the organization's security policies.
              01363
          • Monitor and measure the effectiveness of security awareness.
            06262
        • Conduct secure coding and development training for developers.
          06822
    • Establish, implement, and maintain an occupational health and safety management system.
      16201
      • Establish, implement, and maintain an occupational health and safety policy.
        00716
        • Establish, implement, and maintain a travel program for all personnel.
          10597
          • Refrain from loaning mobile devices to unauthorized personnel.
            15218
    • Establish, implement, and maintain a Code of Conduct.
      04897
      • Implement a sanctions process for personnel who fail to comply with the organizational compliance program.
        01442
      • Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.
        06664
    • Establish, implement, and maintain a legal support program.
      13710
    • Establish, implement, and maintain an ethics program.
      11496
      • Establish mechanisms for whistleblowers to report compliance violations.
        06806
  • Operational management
    00805
    • Establish, implement, and maintain a capacity management plan.
      11751
      • Align critical Information Technology resource availability planning with capacity planning.
        01618
        • Limit any effects of a Denial of Service attack.
          06754
    • Manage cloud services.
      13144
      • Establish, implement, and maintain cloud management procedures.
        13149
        • Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another.
          16384
      • Establish, implement, and maintain a cloud service usage standard.
        13143
        • Use strong data encryption when storing information within a cloud service.
          16411
      • Monitor the management of cloud services.
        13150
    • Establish, implement, and maintain a Governance, Risk, and Compliance framework.
      01406
      • Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties.
        06955
      • Establish, implement, and maintain security requirements based on applicable regulations.
        16283
      • Assign accountability for maintaining the Governance, Risk, and Compliance framework.
        12523
      • Establish, implement, and maintain a compliance policy.
        14807
        • Include roles and responsibilities in the compliance policy.
          14811
      • Establish, implement, and maintain a governance policy.
        15587
        • Conduct governance meetings, as necessary.
          16946
        • Include governance threshold requirements in the governance policy.
          16933
      • Establish, implement, and maintain an internal control framework.
        00820
        • Assign resources to implement the internal control framework.
          00816
          • Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework.
            07146
        • Establish, implement, and maintain a baseline of internal controls.
          12415
        • Include vulnerability management and risk assessment in the internal control framework.
          13102
          • Automate vulnerability management, as necessary.
            11730
        • Authorize and document all exceptions to the internal control framework.
          06781
      • Establish, implement, and maintain an information security program.
        00812
        • Include a continuous monitoring program in the information security program.
          14323
          • Include change management procedures in the continuous monitoring plan.
            16227
        • Include risk management in the information security program.
          12378
        • Establish, implement, and maintain an information security policy.
          11740
          • Establish, implement, and maintain information security procedures.
            12006
            • Disseminate and communicate the information security procedures to all interested personnel and affected parties.
              16303
        • Assign ownership of the information security program to the appropriate role.
          00814
          • Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role.
            11884
          • Assign information security responsibilities to interested personnel and affected parties in the information security program.
            11885
        • Establish, implement, and maintain a social media governance program.
          06536
          • Require social media users to clarify that their communications do not represent the organization.
            17046
          • Require social media users to identify themselves when communicating on behalf of the organization.
            17044
          • Include explicit restrictions in the social media acceptable use policy.
            06655
        • Establish, implement, and maintain operational control procedures.
          00831
          • Establish, implement, and maintain a Standard Operating Procedures Manual.
            00826
            • Include maintenance measures in the standard operating procedures manual.
              14986
        • Establish, implement, and maintain the Acceptable Use Policy.
          01350
          • Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.
            01351
          • Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy.
            11894
          • Include Bring Your Own Device agreements in the Acceptable Use Policy.
            15703
            • Include the obligations of users in the Bring Your Own Device agreement.
              15708
          • Include a web usage policy in the Acceptable Use Policy.
            16496
          • Include asset use policies in the Acceptable Use Policy.
            01355
            • Include a removable storage media use policy in the Acceptable Use Policy.
              06772
          • Correlate the Acceptable Use Policy with the network security policy.
            01356
          • Correlate the Acceptable Use Policy with the approved product list.
            01357
          • Include disciplinary actions in the Acceptable Use Policy.
            00296
          • Include usage restrictions in the Acceptable Use Policy.
            15311
          • Include a software installation policy in the Acceptable Use Policy.
            06749
          • Require interested personnel and affected parties to sign Acceptable Use Policies.
            06661
        • Establish, implement, and maintain an Intellectual Property Right program.
          00821
          • Establish, implement, and maintain domain name registration and renewal procedures.
            07075
        • Establish, implement, and maintain an e-mail policy.
          06439
          • Establish, implement, and maintain a Global Address List.
            16934
          • Include roles and responsibilities in the e-mail policy.
            17040
          • Include content requirements in the e-mail policy.
            17041
          • Include the personal use of business e-mail in the e-mail policy.
            17037
          • Include usage restrictions in the e-mail policy.
            17039
          • Include business use of personal e-mail in the e-mail policy.
            14381
          • Include message format requirements in the e-mail policy.
            17038
          • Identify the sender in all electronic messages.
            13996
        • Protect policies, standards, and procedures from unauthorized modification or disclosure.
          10603
      • Establish, implement, and maintain nondisclosure agreements.
        04536
        • Require interested personnel and affected parties to sign nondisclosure agreements.
          06667
      • Implement and comply with the Governance, Risk, and Compliance framework.
        00818
        • Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework.
          11747
        • Comply with all implemented policies in the organization's compliance framework.
          06384
        • Review systems for compliance with organizational information security policies.
          12004
    • Establish, implement, and maintain a network management program.
      13123
      • Establish, implement, and maintain network documentation.
        16497
    • Establish, implement, and maintain an Asset Management program.
      06630
      • Establish, implement, and maintain administrative controls over all assets.
        16400
      • Establish, implement, and maintain classification schemes for all systems and assets.
        01902
        • Apply security controls to each level of the information classification standard.
          01903
        • Classify assets according to the Asset Classification Policy.
          07186
          • Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy.
            07184
      • Establish, implement, and maintain an asset inventory.
        06631
        • Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails.
          00689
          • Establish, implement, and maintain a hardware asset inventory.
            00691
            • Include network equipment in the Information Technology inventory.
              00693
            • Include mobile devices that store restricted data or restricted information in the Information Technology inventory.
              04719
          • Include software in the Information Technology inventory.
            00692
            • Establish and maintain a list of authorized software and versions required for each system.
              12093
          • Establish, implement, and maintain a storage media inventory.
            00694
        • Record a unique name for each asset in the asset inventory.
          16305
        • Record software license information for each asset in the asset inventory.
          11736
      • Establish, implement, and maintain a software accountability policy.
        00868
        • Establish, implement, and maintain software asset management procedures.
          00895
        • Establish, implement, and maintain software distribution procedures.
          00894
        • Establish, implement, and maintain software license management procedures.
          06639
      • Establish, implement, and maintain a system redeployment program.
        06276
        • Notify interested personnel and affected parties before the system is redeployed or disposed of.
          06400
        • Wipe all data on systems before they are redeployed or disposed of.
          06401
        • Reset systems to the default configuration before they are redeployed or disposed of.
          16968
      • Establish, implement, and maintain a system disposal program.
        14431
        • Establish, implement, and maintain asset sanitization procedures.
          16511
      • Establish, implement, and maintain a system preventive maintenance program.
        00885
        • Establish and maintain maintenance reports.
          11749
          • Include a list of assets that were removed or replaced during maintenance in the maintenance report.
            17088
          • Include a description of the maintenance performed in the maintenance report.
            17087
          • Include roles and responsibilities in the maintenance report.
            17086
          • Include the date and time of maintenance in the maintenance report.
            17085
        • Establish, implement, and maintain a system maintenance policy.
          14032
          • Establish, implement, and maintain system maintenance procedures.
            14059
        • Establish, implement, and maintain a technology refresh plan.
          13061
          • Establish, implement, and maintain a technology refresh schedule.
            16940
          • Provide advice regarding the establishment and implementation of an information technology refresh plan.
            16938
        • Plan and conduct maintenance so that it does not interfere with scheduled operations.
          06389
        • Maintain contact with the device manufacturer or component manufacturer for maintenance requests.
          06388
          • Obtain justification for the continued use of system components when third party support is no longer available.
            10645
        • Control and monitor all maintenance tools.
          01432
        • Control remote maintenance according to the system's asset classification.
          01433
          • Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption.
            10614
          • Approve all remote maintenance sessions.
            10615
          • Log the performance of all remote maintenance.
            13202
          • Terminate remote maintenance sessions when the remote maintenance is complete.
            12083
        • Conduct maintenance with authorized personnel.
          01434
        • Respond to maintenance requests inside the organizationally established time frame.
          04878
          • Establish and maintain an archive of maintenance reports in a maintenance log.
            06202
        • Acquire spare parts prior to when maintenance requests are scheduled.
          11833
        • Perform periodic maintenance according to organizational standards.
          01435
          • Control the granting of access to appropriate parties performing maintenance on organizational assets.
            11873
            • Identify and authenticate appropriate parties prior to granting access to maintain assets.
              11874
      • Establish, implement, and maintain an end-of-life management process.
        16540
        • Disseminate and communicate end-of-life information for system components to interested personnel and affected parties.
          16937
      • Review each system's operational readiness.
        06275
      • Establish and maintain an unauthorized software list.
        10601
    • Establish, implement, and maintain a customer service program.
      00846
      • Establish, implement, and maintain an Incident Management program.
        00853
        • Define the characteristics of the Incident Management program.
          00855
          • Include the criteria for an incident in the Incident Management program.
            12173
        • Include incident monitoring procedures in the Incident Management program.
          01207
          • Categorize the incident following an incident response.
            13208
            • Determine the incident severity level when assessing the security incidents.
              01650
          • Require personnel to monitor for and report known or suspected compromise of assets.
            16453
          • Identify root causes of incidents that force system changes.
            13482
          • Respond to and triage when an incident is detected.
            06942
            • Document the incident and any relevant evidence in the incident report.
              08659
            • Include support from law enforcement authorities when conducting incident response activities, as necessary.
              13197
            • Respond to all alerts from security systems in a timely manner.
              06434
            • Coordinate incident response activities with interested personnel and affected parties.
              13196
          • Contain the incident to prevent further loss.
            01751
            • Refrain from accessing compromised systems.
              01752
            • Isolate compromised systems from the network.
              01753
            • Change authenticators after a security incident has been detected.
              06789
            • Record actions taken by investigators during a forensic investigation in the forensic investigation report.
              07095
              • Include the investigation methodology in the forensic investigation report.
                17071
              • Include corrective actions in the forensic investigation report.
                17070
              • Include the investigation results in the forensic investigation report.
                17069
          • Assess all incidents to determine what information was accessed.
            01226
            • Check the precursors and indicators when assessing the security incidents.
              01761
          • Analyze the incident response process following an incident response.
            13179
          • Share incident information with interested personnel and affected parties.
            01212
            • Share data loss event information with interconnected system owners.
              01209
            • Redact restricted data before sharing incident information.
              16994
            • Report data loss event information to breach notification organizations.
              01210
          • Include data loss event notifications in the Incident Response program.
            00364
            • Notify interested personnel and affected parties of the privacy breach that affects their personal data.
              00365
              • Include information required by law in incident response notifications.
                00802
                • Include a "What We Are Doing" heading in the breach notification.
                  12982
                  • Include what the organization is offering or has already done to assist affected parties in incident response notifications.
                    04737
          • Establish, implement, and maintain a containment strategy.
            13480
          • Include incident recovery procedures in the Incident Management program.
            01758
            • Eradicate the cause of the incident after the incident has been contained.
              01757
          • Analyze security violations in Suspicious Activity Reports.
            00591
            • Include lessons learned from analyzing security violations in the Incident Management program.
              01234
            • Update the incident response procedures using the lessons learned.
              01233
        • Include incident response procedures in the Incident Management program.
          01218
        • Include incident management procedures in the Incident Management program.
          12689
          • Establish, implement, and maintain temporary and emergency access authorization procedures.
            00858
          • Establish, implement, and maintain temporary and emergency access revocation procedures.
            15334
        • Include after-action analysis procedures in the Incident Management program.
          01219
        • Conduct incident investigations, as necessary.
          13826
          • Identify the affected parties during incident investigations.
            16781
          • Destroy investigative materials, as necessary.
            17082
        • Establish, implement, and maintain incident management audit logs.
          13514
          • Log incidents in the Incident Management audit log.
            00857
            • Include who the incident was reported to in the incident management audit log.
              16487
            • Include the information that was exchanged in the incident management audit log.
              16995
        • Include incident reporting procedures in the Incident Management program.
          11772
      • Establish, implement, and maintain a customer service business function.
        00847
      • Establish, implement, and maintain help desk query clearance procedures.
        00850
      • Provide customer security advice, as necessary.
        13674
    • Establish, implement, and maintain an Incident Response program.
      00579
      • Create an incident response report.
        12700
        • Include how the incident was discovered in the incident response report.
          16987
        • Include the categories of data that were compromised in the incident response report.
          16985
        • Include costs associated with the incident in the incident response report.
          12725
        • Include information on all affected assets in the incident response report.
          12718
        • Include when the incident occurred in the incident response report.
          12709
        • Include corrective action taken to eradicate the incident in the incident response report.
          12708
        • Include an executive summary of the incident in the incident response report.
          12702
        • Submit the incident response report to the proper authorities in a timely manner.
          12705
      • Analyze and respond to security alerts.
        12504
      • Mitigate reported incidents.
        12973
      • Establish, implement, and maintain an incident response plan.
        12056
        • Include addressing information sharing in the incident response plan.
          13349
        • Include a definition of reportable incidents in the incident response plan.
          14303
        • Include the management support needed for incident response in the incident response plan.
          14300
        • Include how incident response fits into the organization in the incident response plan.
          14294
        • Include the resources needed for incident response in the incident response plan.
          14292
      • Establish, implement, and maintain a cyber incident response plan.
        13286
      • Include incident response team structures in the Incident Response program.
        01237
        • Include the incident response team member's roles and responsibilities in the Incident Response program.
          01652
          • Include the incident response point of contact's roles and responsibilities in the Incident Response program.
            01877
            • Notify interested personnel and affected parties that a security breach was detected.
              11788
          • Include the head of information security's roles and responsibilities in the Incident Response program.
            01878
          • Include the organizational legal counsel's roles and responsibilities in the Incident Response program.
            01882
          • Assign the distribution of security alerts to the appropriate role in the incident response program.
            11887
        • Include personnel contact information in the event of an incident in the Incident Response program.
          06385
        • Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program.
          11789
        • Include procedures for providing updated status information to the crisis management team in the incident response plan.
          12776
      • Include log management procedures in the incident response program.
        17081
      • Include coverage of all system components in the Incident Response program.
        11955
      • Prepare for incident response notifications.
        00584
      • Include incident response team services in the Incident Response program.
        11766
        • Include the incident response training program in the Incident Response program.
          06750
          • Conduct incident response training.
            11889
      • Establish, implement, and maintain an incident response policy.
        14024
        • Include coordination amongst entities in the incident response policy.
          14107
        • Include roles and responsibilities in the incident response policy.
          14105
        • Disseminate and communicate the incident response policy to interested personnel and affected parties.
          14099
      • Establish, implement, and maintain incident response procedures.
        01206
        • Respond when an integrity violation is detected, as necessary.
          10678
      • Establish, implement, and maintain a digital forensic evidence framework.
        08652
        • Retain collected evidence for potential future legal actions.
          01235
          • Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence.
            08686
            • Include time information in the chain of custody.
              17068
            • Include actions performed on evidence in the chain of custody.
              17067
            • Include individuals who had custody of evidence in the chain of custody.
              17066
        • Define the business scenarios that require digital forensic evidence.
          08653
          • Define the circumstances for collecting digital forensic evidence.
            08657
            • Conduct forensic investigations in the event of a security compromise.
              11951
        • Contact affected parties to participate in forensic investigations, as necessary.
          12343
        • Establish, implement, and maintain a digital forensic evidence collection program.
          08655
        • Establish, implement, and maintain secure storage and handling of evidence procedures.
          08656
        • Prepare digital forensic equipment.
          08688
        • Collect evidence from the incident scene.
          02236
          • Refrain from altering the state of compromised systems when collecting digital forensic evidence.
            08671
      • Disseminate and communicate the incident response procedures to all interested personnel and affected parties.
        01215
      • Test the incident response procedures.
        01216
        • Document the results of incident response tests and provide them to senior management.
          14857
    • Establish, implement, and maintain a performance management standard.
      01615
      • Utilize resource availability management controls.
        00940
        • Establish, implement, and maintain a remediation plan for deviations in the resource management process.
          13679
      • Establish, implement, and maintain rate limits, as necessary.
        06883
        • Establish, implement, and maintain rate limits for connection attempts.
          16986
    • Establish, implement, and maintain a cost management program.
      13638
      • Establish, implement, and maintain cost management procedures.
        00873
      • Identify and allocate departmental costs.
        00871
        • Establish, implement, and maintain an Information Technology financial management framework.
          01610
        • Prepare an Information Technology budget, as necessary.
          00872
          • Review and approve the Information Technology budget.
            13644
        • Justify the system's cost and benefit.
          00874
    • Establish, implement, and maintain a change control program.
      00886
      • Include version control in the change control program.
        13119
      • Separate the production environment from the development environment or test environment for the change control process.
        11864
      • Integrate configuration management procedures into the change control program.
        13646
      • Establish, implement, and maintain a back-out plan.
        13623
      • Manage change requests.
        00887
        • Include documentation of the impact level of proposed changes in the change request.
          11942
        • Establish and maintain a change request approver list.
          06795
        • Document all change requests in change request forms.
          06794
        • Test proposed changes prior to their approval.
          00548
        • Examine all changes to ensure they correspond with the change request.
          12345
        • Approve tested change requests.
          11783
          • Disseminate and communicate proposed changes to all interested personnel and affected parties.
            06807
      • Establish, implement, and maintain emergency change procedures.
        00890
      • Perform risk assessments prior to approving change requests.
        00888
      • Implement changes according to the change control program.
        11776
        • Provide audit trails for all approved changes.
          13120
      • Establish, implement, and maintain a patch management program.
        00896
        • Implement patch management software, as necessary.
          12094
        • Establish, implement, and maintain a patch log.
          01642
        • Perform a patch test prior to deploying a patch.
          00898
        • Prioritize deploying patches according to vulnerability risk metrics.
          06796
        • Deploy software patches in accordance with organizational standards.
          07032
          • Patch software.
            11825
          • Patch the operating system, as necessary.
            11824
        • Update computer firmware, as necessary.
          11755
          • Implement cryptographic mechanisms to authenticate software and computer firmware before installation.
            10682
      • Establish, implement, and maintain approved change acceptance testing procedures.
        06391
        • Test the system's operational functionality after implementing approved changes.
          06294
        • Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred.
          04541
      • Update associated documentation after the system configuration has been changed.
        00891
        • Establish, implement, and maintain a configuration change log.
          08710
        • Document approved configuration deviations.
          08711
    • Establish, implement, and maintain a disability accessibility program.
      06191
      • Establish, implement, and maintain web content accessibility guidelines.
        14949
        • Conduct web accessibility testing in accordance with organizational standards.
          16950
        • Provide users with alternative methods of inputting data in online forms.
          16951
        • Display website content without loss of information or functionality and without requiring scrolling in two dimensions.
          15134
        • Provide alternative forms of CAPTCHA, as necessary.
          15121
        • Configure non-text content to be ignored by assistive technology when it is pure decoration or not presented to users.
          15118
        • Configure non-text content with a descriptive identification.
          15117
        • Provide text alternatives for non-text content, as necessary.
          15078
        • Configure content to be presentable in a manner that is clear and conspicuous to all users.
          15066
        • Configure non-text content that is a control or accepts user input with a name that describes its purpose.
          15065
  • System hardening through configuration management
    00860
    • Establish, implement, and maintain a Configuration Management program.
      00867
      • Establish, implement, and maintain configuration control and Configuration Status Accounting.
        00863
        • Establish, implement, and maintain appropriate system labeling.
          01900
      • Establish, implement, and maintain a configuration management policy.
        14023
        • Establish, implement, and maintain configuration management procedures.
          14074
        • Include coordination amongst entities in the configuration management policy.
          14071
        • Include roles and responsibilities in the configuration management policy.
          14069
        • Include the scope in the configuration management policy.
          14068
      • Establish, implement, and maintain a configuration management plan.
        01901
        • Include configuration management procedures in the configuration management plan.
          14248
        • Include roles and responsibilities in the configuration management plan.
          14247
      • Employ the Configuration Management program.
        11904
      • Record Configuration Management items in the Configuration Management database.
        00861
      • Test network access controls for proper Configuration Management settings.
        01281
      • Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities.
        02132
      • Establish, implement, and maintain a configuration baseline based on the least functionality principle.
        00862
      • Include backup procedures in the Configuration Management policy.
        01314
    • Identify and document the system's Configurable Items.
      02133
      • Approve each system's Configurable Items (and changes to those Configurable Items).
        04887
    • Establish, implement, and maintain a system hardening standard.
      00876
      • Establish, implement, and maintain configuration standards.
        11953
        • Apply configuration standards to all systems, as necessary.
          12503
        • Document and justify system hardening standard exceptions.
          06845
        • Configure security parameter settings on all system components appropriately.
          12041
    • Establish, implement, and maintain system hardening procedures.
      12001
      • Configure session timeout and reauthentication settings according to organizational standards.
        12460
        • Configure automatic logoff to terminate the sessions based on inactivity according to organizational standards.
          04490
      • Configure "Docker" to organizational standards.
        14457
        • Configure the "volume" argument to organizational standards.
          14533
      • Configure the Intrusion Detection System and Intrusion Prevention System in accordance with organizational standards.
        04831
      • Block and/or remove unnecessary software and unauthorized software.
        00865
      • Use the latest approved version of all assets.
        00897
        • Install critical security updates and important security updates in a timely manner.
          01696
      • Change default configurations, as necessary.
        00877
      • Configure Least Functionality and Least Privilege settings to organizational standards.
        07599
        • Configure the "Synchronize directory service data" to organizational standards.
          07897
      • Establish, implement, and maintain idle session termination and logout capabilities.
        01418
        • Configure Session Configuration settings in accordance with organizational standards.
          07698
      • Configure virtual networks in accordance with the information security policy.
        13165
      • Configure Simple Network Management Protocol (SNMP) to organizational standards.
        12423
        • Change the community string for Simple Network Management Protocol, as necessary.
          01872
        • Use different SNMP community strings across devices to support least privilege.
          17053
      • Configure the system's storage media.
        10618
      • Remove all unnecessary functionality.
        00882
        • Disable all unnecessary interfaces.
          04826
          • Set the Bluetooth Security Mode to the organizational standard.
            00587
          • Verify wireless peripherals meet organizational security requirements.
            00657
        • Disable all unnecessary applications unless otherwise noted in a policy exception.
          04827
          • Configure the Trivial FTP Daemon service to organizational standards.
            01484
          • Disable finger unless finger is absolutely necessary.
            01505
          • Configure the "FTP server" package to organizational standards.
            09938
          • Configure the "HTTP Proxy Server" package to organizational standards.
            09939
        • Remove all demonstration applications on the system.
          01875
        • Disable all unnecessary services unless otherwise noted in a policy exception.
          00880
          • Configure syslog to organizational standards.
            04949
      • Establish, implement, and maintain the interactive logon settings.
        01739
      • Configure the settings of the system registry and the system objects (for Windows OS only).
        01781
        • Configure the system to protect against SYN Flood attacks.
          01800
        • Enable or disable ICMPv6 redirects, as appropriate.
          05149
      • Apply the appropriate warning message to systems.
        01596
      • Enable logon authentication management techniques.
        00553
        • Configure the system to log all access attempts to all systems.
          00554
          • Include the date and time that access was granted in the system record.
            15174
          • Include the access level granted in the system record.
            15173
          • Include when access is withdrawn in the system record.
            15172
        • Configure devices and users to re-authenticate, as necessary.
          10609
        • Prohibit the use of cached authenticators and credentials after a defined period of time.
          10610
      • Establish, implement, and maintain authenticators.
        15305
        • Establish, implement, and maintain an authenticator standard.
          01702
          • Establish, implement, and maintain an authenticator management system.
            12031
            • Establish, implement, and maintain a repository of authenticators.
              16372
            • Establish, implement, and maintain authenticator procedures.
              12002
              • Configure authenticator activation codes in accordance with organizational standards.
                17032
              • Configure authenticators to comply with organizational standards.
                06412
                • Configure the system to require new users to change their authenticator on first use.
                  05268
                • Disable "Store passwords using reversible encryption".
                  01708
                • Configure the system to encrypt authenticators.
                  06735
                • Configure the system to mask authenticators.
                  02037
                • Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators.
                  05992
                • Configure the "minimum number of digits required for new passwords" setting to organizational standards.
                  08717
                • Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards.
                  08718
                • Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards.
                  08719
                • Configure the "minimum number of special characters required for new passwords" setting to organizational standards.
                  08720
                • Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards.
                  08722
                • Configure the "password reuse" setting to organizational standards.
                  08724
                  • Configure the "Disable Remember Password" setting.
                    05270
                • Configure the "Minimum password age" to organizational standards.
                  01703
              • Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate.
                05993
              • Configure the authenticator policy to ban or allow authenticators as proper names, as necessary.
                17030
              • Notify affected parties to keep authenticators confidential.
                06787
        • Protect authenticators or authentication factors from unauthorized modification and disclosure.
          15317
        • Obscure authentication information during the login process.
          15316
        • Issue temporary authenticators, as necessary.
          17062
        • Renew temporary authenticators, as necessary.
          17061
        • Disable authenticators, as necessary.
          17060
        • Change authenticators, as necessary.
          15315
        • Implement safeguards to protect authenticators from unauthorized access.
          15310
        • Change all default authenticators.
          15309
      • Configure each system's security alerts to organizational standards.
        12113
      • Configure the system security parameters to prevent system misuse or information misappropriation.
        00881
        • Configure the default locking screen saver timeout to a predetermined time period.
          01570
        • Configure the "Display Error Notification" setting to organizational standards.
          04335
        • Digitally sign and encrypt e-mail, as necessary.
          04493
        • Verify all files are owned by an existing account and group.
          05295
        • Disable the "proxy ARP" configurable item on all interfaces.
          06570
        • Configure the "Enable Keep-Alive Messages" setting to organizational standards.
          10083
      • Disable or configure the e-mail server, as necessary.
        06563
      • Configure the system account settings and the permission settings in accordance with the organizational standards.
        01538
        • Remove unnecessary accounts.
          16476
        • Configure user accounts.
          07036
          • Change default usernames, as necessary.
            14661
          • Remove unnecessary default accounts.
            01539
          • Configure accounts with administrative privilege.
            07033
            • Employ multifactor authentication for accounts with administrative privilege.
              12496
            • Rename or disable the Administrator Account.
              01721
        • Configure User Rights.
          07034
          • Configure the "Lock Inactive User Accounts" setting to organizational standards.
            09921
        • Configure file permissions and directory permissions to organizational standards.
          07035
        • Verify that there are no accounts with empty password fields.
          01579
        • Use standards-based encryption for encryption, hashing, and signing.
          01583
        • Configure the Data Definition Language permissions to organizational standards.
          09261
        • Configure the "restore database data or other DBMS configurations, features or objects" permissions to organizational standards.
          09267
        • Configure the "Do not allow connections without IPSec" setting to organizational standards.
          10900
      • Establish, implement, and maintain appropriate shutdown procedures.
        01778
      • Establish, implement, and maintain network parameter modification procedures.
        01517
        • Configure network elements to organizational standards.
          16361
          • Configure devices having access to network elements to organizational standards.
            16408
        • Configure devices to block or avoid outbound connections.
          04807
        • Configure devices to deny inbound connections.
          04805
        • Review and restrict network addresses and network protocols.
          01518
          • Establish, implement, and maintain a network addressing plan.
            16399
          • Configure wireless access to be restricted to authorized wireless networks.
            12099
          • Configure Network Address Translation to organizational standards.
            16395
          • Disable DHCP Server unless DHCP Server is absolutely necessary.
            01482
          • Disable Simple Network Management Protocol unless it is absolutely necessary.
            01491
          • Disable Internet Protocol version 6 unless it is absolutely necessary.
            01493
          • Disable IP Routing unless it is absolutely necessary.
            02170
          • Disable Boot Protocol unless it is absolutely necessary.
            04809
        • Configure syslog to only accept messages from authorized devices and networks.
          01562
        • Enable digital encryption or digital signatures of secure channel data.
          01736
        • Configure the amount of idle time required before disconnecting an idle session.
          01763
        • Configure firewalls in accordance with organizational standards.
          01926
          • Establish, implement, and maintain firewall rules in accordance with organizational standards.
            16353
        • Create an access control list on Network Access and Control Points to restrict access.
          04810
          • Configure the Access Control List to restrict connections between untrusted networks and any system that holds restricted data or restricted information.
            06077
        • Configure the SSH server in accordance with organizational standards.
          04843
          • Disable Secure Shell version 1 and use Secure Shell version 2.
            04465
          • Allow or deny inbound connections to the secure shell port, as appropriate.
            05746
          • Set the SSH authentication log retry limit.
            05750
          • Use Secure Shell for remote logins and file transfers.
            06562
        • Configure Network Time Protocol.
          04844
        • Disallow Internet Protocol (IP) directed broadcasts.
          06571
      • Configure the time server in accordance with organizational standards.
        06426
        • Configure the time server to synchronize with specifically designated hosts.
          06427
      • Configure Wireless Access Points in accordance with organizational standards.
        12477
        • Configure the transmit power for wireless technologies to the lowest level possible.
          04593
        • Enable two-factor authentication for identifying and authenticating Wireless Local Area Network users.
          04595
        • Disable unnecessary applications, ports, and protocols on Wireless Access Points.
          04835
        • Enable or disable all wireless interfaces, as necessary.
          05755
      • Configure mobile device settings in accordance with organizational standards.
        04600
        • Configure mobile devices to enable remote wipe.
          12212
        • Configure mobile devices to organizational standards.
          04639
          • Configure mobile devices to separate organizational data from personal data.
            16463
          • Configure the mobile device properties to organizational standards.
            04640
        • Enable content protection on mobile devices.
          04609
        • Enable data-at-rest encryption on mobile devices.
          04842
      • Configure Cisco-specific applications and services in accordance with organizational standards.
        06557
        • Disable Cisco Discovery Protocol service unless the Cisco Discovery Protocol service is absolutely necessary.
          06556
      • Configure e-mail security settings in accordance with organizational standards.
        07055
      • Configure Services settings to organizational standards.
        07434
        • Configure the "Extensible Authentication Protocol" to organizational standards.
          07476
        • Configure the "Encrypting File System (EFS)" to organizational standards.
          07498
        • Configure the "Simple Mail Transport Protocol (SMTP)" to organizational standards.
          07527
        • Configure the "DNS Server" to organizational standards.
          07591
        • Configure the "IPSEC Services" to organizational standards.
          08233
      • Configure Account settings in accordance with organizational standards.
        07603
        • Configure the "Account lockout threshold" to organizational standards.
          07604
        • Configure the "Account lockout duration" to organizational standards.
          07771
      • Configure Protocol Configuration settings to organizational standards.
        07607
      • Configure Logging settings in accordance with organizational standards.
        07611
        • Configure the storage parameters for all logs.
          06330
          • Configure sufficient log storage capacity and prevent the capacity from being exceeded.
            01425
        • Configure the security parameters for all logs.
          01712
          • Configure the log to capture audit log initialization, along with auditable event selection.
            00649
        • Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc.
          06331
          • Configure the log to capture the user's identification.
            01334
          • Configure the log to capture a date and time stamp.
            01336
          • Configure the log to capture each auditable event's origination.
            01338
          • Configure the log to uniquely identify each asset.
            01339
          • Configure the log to capture the type of each event.
            06423
          • Configure the log to capture the details of electronic signature transactions.
            16910
          • Configure the log to uniquely identify each accessed record.
            16909
          • Configure the log to capture each event's success or failure indication.
            06424
        • Configure all logs to capture auditable events or actionable events.
          06332
          • Configure the log to capture startups and shutdowns.
            16491
          • Configure the log to capture user queries and searches.
            16479
          • Configure the log to capture Internet Protocol addresses.
            16495
          • Configure the log to capture account lockouts.
            16470
          • Configure the log to capture execution events.
            16469
          • Configure the log to capture attempts to bypass or circumvent security controls.
            17078
          • Configure the log to capture Identity and Access Management policy changes.
            15442
          • Configure the log to capture changes to encryption keys.
            15432
          • Configure the "logging level" to organizational standards.
            14456
          • Configure the log to capture hardware and software access attempts.
            01220
          • Configure the log to capture logons, logouts, logon attempts, and logout attempts.
            01915
          • Configure the privilege use auditing setting.
            01699
          • Configure the log to record the Denial of Access that results from an excessive number of unsuccessful logon attempts.
            01919
          • Configure the log to capture access to restricted data or restricted information.
            00644
          • Configure the log to capture user identifier, address, port blocking or blacklisting.
            01918
          • Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add a logging option to the root file system.
            00645
          • Configure the log to capture identification and authentication mechanism use.
            00648
          • Configure the log to capture Object access to key directories or key files.
            01697
            • Configure the log to capture both access and access attempts to security-relevant objects and security-relevant directories.
              01916
          • Configure the log to capture failed transactions.
            06334
          • Configure the log to capture successful transactions.
            06335
          • Configure the log to capture configuration changes.
            06881
            • Log, monitor, and review all changes to time settings on critical systems.
              11608
            • Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes.
              01698
            • Configure the log to capture user authenticator changes.
              01917
        • Configure the event log settings for specific Operating System functions.
          06337
          • Enable or disable the logging of "martian" packets (impossible addresses), as appropriate.
            05601
          • Generate an alert when an audit log failure occurs.
            06737
        • Configure additional log settings.
          06333
          • Configure the log to send alerts for each auditable event's success or failure.
            01337
        • Configure additional log file parameters appropriately.
          06338
          • Perform file system logging and file system journaling.
            05615
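Added example for the logging controls above (not text or code from any of the authority documents listed): the controls name the fields a logon record must carry (time, subject, source address, success or failure indication) and require a Denial of Access record once failed attempts exceed a threshold. The Go program below, written for this page, parses a constructed sshd-style authentication log, normalises each line into such a record, and emits a lockout when one user accumulates five failures inside ten minutes. The line format, the threshold and the window are assumptions of the example, not values the controls prescribe.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// AuditEvent is one normalised logon record carrying the fields the controls
// above call for: time, subject, source address and port, and a success or
// failure indication.
type AuditEvent struct {
	Time    time.Time
	User    string
	IP      string
	Port    string
	Success bool
}

// Lockout is the "denial of access" record written when a subject exceeds the
// failed-logon threshold inside the policy window.
type Lockout struct {
	Time     time.Time
	User     string
	IP       string // source of the attempt that tripped the threshold
	Failures int
}

// Constructed sample input; not taken from any real host. The line shape is an
// assumption for this example:
// "<RFC3339 time> sshd[pid]: <Failed|Accepted> password for <user> from <ip> port <port>"
const sampleAuthLog = `2024-03-01T10:00:01Z sshd[811]: Failed password for alice from 203.0.113.7 port 51022
2024-03-01T10:00:04Z sshd[811]: Failed password for alice from 203.0.113.7 port 51023
2024-03-01T10:00:06Z sshd[811]: Failed password for alice from 203.0.113.7 port 51024
2024-03-01T10:00:09Z sshd[811]: Failed password for alice from 203.0.113.7 port 51025
2024-03-01T10:00:11Z sshd[811]: Failed password for alice from 203.0.113.7 port 51026
2024-03-01T10:00:30Z sshd[812]: Accepted password for bob from 198.51.100.4 port 40001
2024-03-01T10:05:00Z sshd[813]: Failed password for bob from 198.51.100.4 port 40002
2024-03-01T10:20:00Z sshd[814]: Failed password for bob from 198.51.100.4 port 40003
`

var authLine = regexp.MustCompile(`^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port (\d+)$`)

// ParseAuthLog normalises raw lines into AuditEvents. A line that does not
// match is an error rather than a silent skip: an event the parser drops is an
// event nobody reviews.
func ParseAuthLog(raw string) ([]AuditEvent, error) {
	var events []AuditEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		m := authLine.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("unparseable log line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		events = append(events, AuditEvent{Time: ts, User: m[3], IP: m[4], Port: m[5], Success: m[2] == "Accepted"})
	}
	return events, nil
}

// DetectLockouts applies a sliding-window rule: `threshold` failures for the
// same user within `window` produce one Lockout record, after which that
// user's counter restarts. A successful logon also clears the counter.
func DetectLockouts(events []AuditEvent, threshold int, window time.Duration) []Lockout {
	recent := map[string][]time.Time{}
	var lockouts []Lockout
	for _, ev := range events {
		if ev.Success {
			delete(recent, ev.User)
			continue
		}
		kept := recent[ev.User][:0] // drop failures that have aged out of the window
		for _, t := range recent[ev.User] {
			if ev.Time.Sub(t) < window {
				kept = append(kept, t)
			}
		}
		kept = append(kept, ev.Time)
		if len(kept) >= threshold {
			lockouts = append(lockouts, Lockout{Time: ev.Time, User: ev.User, IP: ev.IP, Failures: len(kept)})
			delete(recent, ev.User)
			continue
		}
		recent[ev.User] = kept
	}
	return lockouts
}

func main() {
	events, err := ParseAuthLog(sampleAuthLog)
	if err != nil {
		panic(err)
	}
	for _, l := range DetectLockouts(events, 5, 10*time.Minute) {
		fmt.Printf("%s LOCKOUT user=%s src=%s failures=%d\n", l.Time.Format(time.RFC3339), l.User, l.IP, l.Failures)
	}
}
```

On the sample input only alice is locked out; bob's two failures are fifteen minutes apart and never overlap inside the window. In practice this rule lives in the authentication stack or the SIEM rather than in a one-off program; what matters for the controls is that the lockout record itself carries the user, the source address and the time, so a reviewer can tie it back to the individual attempts.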
      • Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.
        07621
        • Configure the "Maximum password age" to organizational standards.
          07688
        • Configure the "Minimum password length" to organizational standards.
          07711
        • Configure the "Password must meet complexity requirements" to organizational standards.
          07743
        • Configure the "Enforce password history" to organizational standards.
          07877
        • Configure the "Password Expiration" to organizational standards.
          08576
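Added example, not part of the original outline: a checker in Go that applies the password settings listed above (minimum length, complexity, history, maximum age) to a candidate password. The policy values in main are assumed organisational standards, not numbers the controls prescribe, and the salted SHA-256 history digest is a standard-library stand-in for the memory-hard hash real password storage should use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
	"unicode"
)

// PasswordPolicy carries the settings named above. The numbers used in main
// are assumed organisational standards, not values this document prescribes.
type PasswordPolicy struct {
	MinLength      int
	MaxAge         time.Duration
	HistoryDepth   int // previous passwords that may not be reused
	RequireClasses int // of the four: upper, lower, digit, other
}

// HistoryEntry keeps a salted digest of a former password, never the password.
// SHA-256 is used so the example runs on the standard library alone; real
// password storage should use a memory-hard function such as argon2id.
type HistoryEntry struct {
	Salt   [16]byte
	Digest [32]byte
}

func saltedDigest(pw string, salt [16]byte) [32]byte {
	h := sha256.New()
	h.Write(salt[:])
	h.Write([]byte(pw))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// NewHistoryEntry records a password that is being retired.
func NewHistoryEntry(pw string) (HistoryEntry, error) {
	var salt [16]byte
	if _, err := rand.Read(salt[:]); err != nil {
		return HistoryEntry{}, err
	}
	return HistoryEntry{Salt: salt, Digest: saltedDigest(pw, salt)}, nil
}

// CharacterClasses counts how many of upper, lower, digit and other appear.
func CharacterClasses(pw string) int {
	seen := map[string]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			seen["upper"] = true
		case unicode.IsLower(r):
			seen["lower"] = true
		case unicode.IsDigit(r):
			seen["digit"] = true
		default:
			seen["other"] = true
		}
	}
	return len(seen)
}

// Violations lists every rule the candidate breaks; empty means accepted.
// history is ordered newest first; only the first HistoryDepth entries count.
func (p PasswordPolicy) Violations(candidate string, history []HistoryEntry) []string {
	var v []string
	if len([]rune(candidate)) < p.MinLength {
		v = append(v, fmt.Sprintf("shorter than minimum length %d", p.MinLength))
	}
	if CharacterClasses(candidate) < p.RequireClasses {
		v = append(v, fmt.Sprintf("fewer than %d character classes", p.RequireClasses))
	}
	if p.HistoryDepth < len(history) {
		history = history[:p.HistoryDepth]
	}
	for i, e := range history {
		got := saltedDigest(candidate, e.Salt)
		if subtle.ConstantTimeCompare(got[:], e.Digest[:]) == 1 {
			v = append(v, fmt.Sprintf("reuses the password from %d change(s) ago", i+1))
			break
		}
	}
	return v
}

// Expired reports whether a password set at lastSet is older than MaxAge at now.
func (p PasswordPolicy) Expired(lastSet, now time.Time) bool {
	return now.Sub(lastSet) > p.MaxAge
}

func main() {
	policy := PasswordPolicy{MinLength: 12, MaxAge: 90 * 24 * time.Hour, HistoryDepth: 5, RequireClasses: 3}
	old, _ := NewHistoryEntry("Winter2024!!")
	for _, c := range []string{"Winter2024!!", "short", "Correct-Horse-9"} {
		fmt.Printf("%-18q -> %v\n", c, policy.Violations(c, []HistoryEntry{old}))
	}
	fmt.Println("expired after 91 days:", policy.Expired(time.Now().Add(-91*24*time.Hour), time.Now()))
}
```

The history comparison hashes the candidate under each stored salt and compares in constant time, which is what "Enforce password history" requires without ever keeping old passwords in the clear; the length check counts runes, not bytes, so non-ASCII passwords are not penalised.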
      • Configure Virus and Malware Protection settings in accordance with organizational standards.
        07906
        • Configure the "Allow cut, copy or paste operations from the clipboard via script" to organizational standards.
          07997
      • Configure Security settings in accordance with organizational standards.
        08469
      • Configure the proxy server to organizational standards.
        12115
      • Configure Red Hat Enterprise Linux to Organizational Standards.
        08713
        • Configure the Secure Shell setting to organizational standards.
          08790
      • Configure Polycom HDX to Organizational Standards.
        08986
        • Configure ICMP destination unreachable messages to organizational standards.
          17052
        • Configure the "SNMP community name" setting to organizational standards.
          09715
      • Configure Microsoft SQL Server to Organizational Standards.
        08989
        • Configure the "encrypt custom and Government Off-The-Shelf application code" setting to organizational standards.
          09259
        • Configure the "Access to DBMS software files and directories" setting to organizational standards.
          09264
        • Configure the "Passwords for DBMS default accounts" setting to organizational standards.
          09269
        • Configure the "Remote DBMS administration" setting to organizational standards.
          09270
        • Configure the "clear residual data from memory, data objects or files, or other storage locations" setting to organizational standards.
          09296
      • Configure security and protection software according to Organizational Standards.
        11917
        • Configure security and protection software to automatically run at startup.
          12443
        • Configure security and protection software to check for up-to-date signature files.
          00576
        • Configure security and protection software to enable automatic updates.
          11945
        • Configure security and protection software to check e-mail messages.
          00578
        • Configure security and protection software to check e-mail attachments.
          11860
        • Configure security and protection software to check for phishing attacks.
          04569
      • Configure Application Programming Interfaces in accordance with organizational standards.
        12170
      • Configure the Domain Name System in accordance with organizational standards.
        12202
        • Configure the secure name/address resolution service (authoritative source).
          01624
        • Configure DNS records in accordance with organizational standards.
          17083
      • Configure Bluetooth settings according to organizational standards.
        12422
        • Refrain from using unit keys on Bluetooth devices.
          12541
      • Perform vulnerability testing before final installation.
        00884
      • Implement safeguards to prevent unauthorized code execution.
        10686
    • Configure initial system hardening according to the secure configuration baseline.
      13824
    • Lock configurations to prevent circumventing security measures.
      12187
    • Establish, implement, and maintain a Configuration Baseline Documentation Record.
      02130
      • Create a hardened image of the baseline configuration to be used for building new systems.
        07063
        • Store master images on securely configured servers.
          12089
    • Protect master copies of Configurable Items using secure methods or mechanisms.
      02131
    • Audit the configuration of organizational assets, as necessary.
      13653
      • Audit assets after maintenance was performed.
        13657
  • Records management
    00902
    • Establish, implement, and maintain an information management program.
      14315
    • Establish, implement, and maintain records management policies.
      00903
      • Establish, implement, and maintain a record classification scheme.
        00914
        • Establish, implement, and maintain an electronic signature policy.
          16907
          • Include roles and responsibilities in the electronic signature policy.
            16912
          • Implement electronic signature systems.
            16911
            • Implement mobile platform compatibility in electronic signature systems.
              16914
          • Allow electronic signatures to satisfy requirements for written signatures, as necessary.
            11807
          • Establish, implement, and maintain electronic signature requirements.
            06219
            • Provide the signer a duplicate original document after the electronic signature transaction is complete.
              16908
            • Require acknowledgment of reading the document prior to allowing an electronic signature.
              16906
      • Define each system's preservation requirements for records and logs.
        00904
        • Establish, implement, and maintain a data retention program.
          00906
          • Store records and data in accordance with organizational standards.
            16439
          • Archive appropriate records, logs, and database tables.
            06321
          • Maintain continued integrity for all stored data and stored records.
            00969
        • Determine how long to keep records and logs before disposing of them.
          11661
          • Retain records in accordance with applicable requirements.
            00968
        • Define which documents and records the organization may capture.
          00905
        • Establish, implement, and maintain storage media disposition and destruction procedures.
          11657
          • Perform destruction at authorized facilities.
            17074
          • Sanitize electronic storage media in accordance with organizational standards.
            16464
            • Sanitize all electronic storage media before disposing of a system or redeploying a system.
              01643
          • Degauss as a method of sanitizing electronic storage media.
            00973
          • Destroy electronic storage media following the storage media disposition and destruction procedures.
            00970
            • Maintain media sanitization equipment in operational condition.
              00721
            • Use approved media sanitization equipment for destruction.
              16459
      • Define each system's disposition requirements for records and logs.
        11651
        • Establish, implement, and maintain records disposition procedures.
          00971
          • Manage the disposition status for all records.
            00972
            • Require authorized individuals be present to witness records disposition.
              12313
          • Remove and/or destroy records according to the records' retention event and retention period schedule.
            06621
            • Destroy printed records so they cannot be reconstructed.
              11779
            • Automate a programmatic process to remove stored data and records that exceed retention requirements.
              06082
          • Maintain disposal records or redeployment records.
            01644
            • Include the sanitization method in the disposal record.
              17073
            • Include time information in the disposal record.
              17072
      • Establish, implement, and maintain secure record transaction standards with third parties.
        06093
    • Establish, implement, and maintain records management procedures.
      11619
      • Capture the records required by organizational compliance requirements.
        00912
        • Assign the appropriate information classification to records imported into the Records Management system.
          04555
        • Establish, implement, and maintain a recordkeeping system.
          15709
          • Log the date and time each item is accessed in the recordkeeping system.
            15711
        • Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity.
          04720
      • Establish, implement, and maintain Electronic Document and Records Management systems.
        16913
      • Include record integrity techniques in the records management procedures.
        06418
      • Control error handling when data is being input.
        00922
      • Establish, implement, and maintain data processing integrity controls.
        00923
        • Sanitize user input in accordance with organizational standards.
          16856
        • Establish, implement, and maintain Automated Data Processing validation checks and editing checks.
          00924
        • Establish, implement, and maintain Automated Data Processing error handling procedures.
          00925
      • Establish, implement, and maintain electronic storage media management procedures.
        00931
        • Establish, implement, and maintain security label procedures.
          06747
          • Label restricted storage media appropriately.
            00966
        • Establish and maintain access controls for all records.
          00371
        • Establish, implement, and maintain a records lifecycle management program.
          00951
          • Implement and maintain high availability storage, as necessary.
            00952
          • Implement and maintain backups and duplicate copies of organizational records.
            00953
        • Establish, implement, and maintain a transparent storage media strategy.
          00932
          • Establish, implement, and maintain online storage monitoring and reporting capabilities.
            00935
        • Establish, implement, and maintain online storage controls.
          00942
          • Establish, implement, and maintain security controls appropriate to the record types and electronic storage media.
            00943
            • Provide encryption for different types of electronic storage media.
              00945
      • Establish, implement, and maintain document retention procedures.
        11660
      • Maintain electronic records in an equivalent manner as printed records, as necessary.
        11806
        • Convert hard copy records to electronic records, as necessary.
          16927
      • Protect records from loss in accordance with applicable requirements.
        12007
    • Establish, implement, and maintain an e-discovery program.
      00976
      • Establish, implement, and maintain e-discovery record and log preparation procedures.
        00907
        • Retain indexes for all electronic storage media.
          00908
          • Establish, implement, and maintain an indexing system for records and images.
            00909
  • Systems design, build, and implementation
    00989
    • Establish, implement, and maintain a System Development Life Cycle program.
      11823
      • Include information security throughout the system development life cycle.
        12042
    • Initiate the System Development Life Cycle planning phase.
      06266
      • Establish, implement, and maintain system design principles and system design guidelines.
        01057
        • Include naming conventions in system design guidelines.
          13656
        • Define and assign the system development project team roles and responsibilities.
          01061
          • Restrict system architects from being assigned as Administrators.
            01064
            • Restrict the development team from having access to the production environment.
              01066
        • Redesign business activities to support the system implementation.
          01067
          • Establish and maintain an input requirements definition document.
            01071
        • Establish, implement, and maintain security design principles.
          14718
          • Include reduced complexity of systems or system components in the security design principles.
            14753
          • Include modularity and layering of systems or system components in the security design principles.
            14750
          • Include least privilege of systems or system components in the security design principles.
            14742
          • Include minimized security elements in systems or system components in the security design principles.
            14739
          • Include minimization of systems or system components in the security design principles.
            14733
          • Include accountability and traceability of systems or system components in the security design principles.
            14727
        • Establish, implement, and maintain a system use training plan.
          01089
      • Establish and maintain System Development Life Cycle documentation.
        12079
        • Define and document organizational structures for the System Development Life Cycle program.
          12549
          • Include system operation responsibilities in the System Development Life Cycle documentation.
            12563
        • Establish, implement, and maintain a full set of system procedures.
          01074
          • Establish, implement, and maintain a database management standard.
            01079
      • Establish, implement, and maintain system design requirements.
        06618
        • Design and develop built-in redundancies, as necessary.
          13064
        • Identify and document the system boundaries of the system design project.
          06924
        • Include performance criteria in the system requirements specification.
          11540
          • Include product upgrade methodologies in the system requirements specification.
            11563
      • Establish, implement, and maintain a system design project management framework.
        00990
        • Establish, implement, and maintain a conceptual model of the organization's business activities prior to developing systems.
          01028
          • Analyze the business activity risk for system design projects.
            01034
        • Identify system design strategies.
          01046
          • Investigate the range of alternative system design strategies available.
            01047
        • Establish, implement, and maintain a system requirements specification.
          01035
        • Include the threats and risks associated with the system development project in the project feasibility study.
          11797
        • Establish, implement, and maintain project management standards.
          00992
          • Establish, implement, and maintain a project program documentation standard.
            00995
          • Formally approve the initiation of each project phase.
            00997
          • Establish, implement, and maintain a project control program.
            01612
      • Separate the design and development environment from the production environment.
        06088
    • Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.
      06267
      • Develop systems in accordance with the system design specifications and system design standards.
        01094
        • Develop new products based on best practices.
          01095
          • Establish, implement, and maintain a system design specification.
            04557
            • Include security requirements in the system design specification.
              06826
            • Establish, implement, and maintain a CAPTCHA design specification.
              17092
            • Establish, implement, and maintain human interface guidelines.
              08662
              • Provide labels or instructions when content requires user input.
                15077
              • Ensure the purpose of links can be determined through the link text.
                15157
          • Implement security controls when developing systems.
            06270
            • Require successful authentication before granting access to system functionality via network interfaces.
              14926
            • Analyze and minimize attack surfaces when developing systems.
              06828
          • Establish, implement, and maintain secure update mechanisms.
            14923
            • Implement cryptographic mechanisms to authenticate software updates before installation.
              14925
            • Automate secure update mechanisms, as necessary.
              14933
          • Design the security architecture.
            06269
          • Protect system libraries.
            01097
          • Digitally sign software components.
            16490
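Added example for the secure update and code-signing controls above (not code from the page or from any of the authority documents): an Ed25519 signing and verification pair in Go. The package layout and the binding of version to content digest are assumptions made here; the point is that the receiving device checks the signature under a pinned public key and refuses both a tampered payload and a rollback to an older release before anything reaches the installer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is what a device receives: the payload, its version, and a
// detached signature. The layout is an assumption made for this example, not
// any vendor's format.
type UpdatePackage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the pinned key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// signedMessage binds the version to the content digest, so a valid signature
// cannot be moved onto different bytes or re-used to push an older release.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(msg, version)
	digest := sha256.Sum256(payload)
	return append(msg, digest[:]...)
}

// Sign runs on the build system; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// VerifyBeforeInstall is the gate on the device: the signature is checked under
// the pinned public key first, then the version must move forward. Only when
// both pass is the payload handed to the installer.
func VerifyBeforeInstall(pub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, signedMessage(pkg.Version, pkg.Payload), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // build-time key; pub is what ships in the device
	if err != nil {
		panic(err)
	}
	genuine := Sign(priv, 2, []byte("constructed placeholder for a v2 image"))
	fmt.Println("genuine v2 onto v1:", VerifyBeforeInstall(pub, 1, genuine))

	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0x01 // one flipped bit is enough to fail verification
	fmt.Println("tampered payload:  ", VerifyBeforeInstall(pub, 1, tampered))

	fmt.Println("genuine v2 onto v2:", VerifyBeforeInstall(pub, 2, genuine))
}
```

The signature check runs before the version comparison so that no decision is taken on unauthenticated data; including the version inside the signed message is what stops an attacker from replaying a genuinely signed older package, which is the rollback case the secure-update control is concerned with.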
          • Establish and maintain access rights to source code based upon least privilege.
            06962
      • Develop new products based on secure coding techniques.
        11733
        • Establish and maintain a coding manual for secure coding techniques.
          11863
          • Protect applications from improper access control through secure coding techniques in source code.
            11959
          • Protect applications from improper error handling through secure coding techniques in source code.
            11937
          • Protect applications from insecure communications through secure coding techniques in source code.
            11936
          • Protect applications from format string attacks through secure coding techniques in source code.
            17091
          • Refrain from hard-coding security parameters in source code.
            14917
            • Refrain from hard-coding authenticators in source code.
              11829
          • Protect applications from injection flaws through secure coding techniques in source code.
            11944
          • Protect applications from buffer overflows through secure coding techniques in source code.
            11943
          • Protect applications from cross-site scripting through secure coding techniques in source code.
            11899
          • Protect against coding vulnerabilities through secure coding techniques in source code.
            11897
          • Protect databases from unauthorized database management actions through secure coding techniques in source code.
            12049
          • Refrain from displaying error messages to end users through secure coding techniques in source code.
            12166
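Added example for the secure coding items above, written in Go for this page and not taken from any authority document: three of the listed items, each with the weak form next to the hardened form. Cross-site scripting (string concatenation against contextual escaping with html/template), hard-coded authenticators (a fail-closed lookup instead of a built-in default; DB_PASSWORD is an assumed variable name), and error messages (the end user gets an opaque reference while the detail goes to the server log).

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"html/template"
	"log"
	"os"
)

// --- Cross-site scripting. RenderGreetingUnsafe is the "before" form and is
// kept only for comparison: attacker-controlled name lands in HTML unescaped.
func RenderGreetingUnsafe(name string) string {
	return "<p>Hello, " + name + "</p>"
}

var greetingTmpl = template.Must(template.New("g").Parse("<p>Hello, {{.}}</p>"))

// RenderGreetingSafe lets html/template escape according to the HTML context,
// so tags in name cannot break out of the text node they are rendered into.
func RenderGreetingSafe(name string) (string, error) {
	var buf bytes.Buffer
	if err := greetingTmpl.Execute(&buf, name); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// --- Hard-coded authenticators. The credential comes from the environment or
// a secret store (lookup is injected so the test can stand in for os.LookupEnv)
// and the service refuses to start without it, instead of falling back to a
// default embedded in the source. DB_PASSWORD is an assumed variable name.
func DatabasePassword(lookup func(string) (string, bool)) (string, error) {
	pw, ok := lookup("DB_PASSWORD")
	if !ok || pw == "" {
		return "", fmt.Errorf("DB_PASSWORD is not set; refusing to start with a built-in default")
	}
	return pw, nil
}

// --- Error handling. The end user sees only a correlation reference; the
// underlying error, which may name tables, paths or hosts, goes to the log.
// Returns the user-facing message and the reference so callers can test both.
func UserFacingError(internal error, logger *log.Logger) (string, string) {
	id := "unavailable"
	var b [8]byte
	if _, err := rand.Read(b[:]); err == nil {
		id = hex.EncodeToString(b[:])
	}
	logger.Printf("ref=%s internal error: %v", id, internal)
	return fmt.Sprintf("The request could not be completed. Reference: %s", id), id
}

func main() {
	hostile := `<script>alert(1)</script>` // constructed attacker input
	fmt.Println("unsafe:", RenderGreetingUnsafe(hostile))
	safe, _ := RenderGreetingSafe(hostile)
	fmt.Println("safe:  ", safe)

	if _, err := DatabasePassword(os.LookupEnv); err != nil {
		fmt.Println(err)
	}

	msg, _ := UserFacingError(fmt.Errorf("pq: relation \"accounts\" does not exist"), log.New(os.Stderr, "", log.LstdFlags))
	fmt.Println(msg)
}
```

html/template is chosen over text/template because it knows whether a value is being placed in text, an attribute, a URL or a script block and escapes accordingly; the same input rendered through text/template would come out exactly as the unsafe function produces it.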
        • Include all confidentiality, integrity, and availability functions in the system design specification.
          04556
        • Establish, implement, and maintain a security policy model document.
          04560
      • Perform Quality Management on all newly developed or modified systems.
        01100
        • Establish, implement, and maintain a system testing policy.
          01102
          • Configure the test environment similar to the production environment.
            06837
        • Establish, implement, and maintain system testing procedures.
          11744
          • Restrict production data from being used in the test environment.
            01103
          • Include security controls in the scope of system testing.
            12623
          • Review and test custom code to identify potential coding vulnerabilities.
            01316
            • Review and test source code.
              01086
            • Assign the review of custom code changes to individuals other than the code author.
              06291
      • Establish, implement, and maintain sandboxes.
        14946
        • Execute unauthorized code within a sandbox.
          16509
    • Initiate the System Development Life Cycle implementation phase.
      06268
      • Establish, implement, and maintain a system implementation standard.
        01111
        • Deploy applications based on best practices.
          12738
        • Plan and document the Certification and Accreditation process.
          11767
          • Submit the information system's security authorization package to the appropriate stakeholders, as necessary.
            13987
      • Perform a final system test prior to implementing a new system.
        01108
        • Conduct a final security audit prior to implementing a new system.
          06833
      • Manage the system implementation process.
        01115
        • Establish, implement, and maintain procedures for promoting the system to a production environment.
          01119
          • Remove test data prior to promoting the system to a production environment.
            12494
        • Evaluate and determine whether or not the newly developed system meets users' system design requirements.
          01120
  • Acquisition or sale of facilities, technology, and services
    01123
    • Establish, implement, and maintain a product upgrade program.
      12216
      • Establish, implement, and maintain product update procedures.
        12218
    • Plan for acquiring facilities, technology, or services.
      06892
      • Perform a due diligence assessment on bidding suppliers prior to acquiring assets.
        15714
      • Establish, implement, and maintain system acquisition contracts.
        14758
        • Include audit record generation capabilities in system acquisition contracts.
          16427
      • Conduct an acquisition feasibility study prior to acquiring assets.
        01129
        • Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study.
          01135
      • Establish, implement, and maintain a product and services acquisition program.
        01136
        • Establish, implement, and maintain a product and services acquisition policy.
          14028
          • Include compliance requirements in the product and services acquisition policy.
            14163
        • Establish, implement, and maintain the requirements for competitive bid documents.
          16936
        • Establish, implement, and maintain the requirements for off-contract purchases.
          16929
          • Require prior approval from the appropriate authority for any off-contract purchases.
            16928
      • Establish, implement, and maintain a software product acquisition methodology.
        01138
        • Review software licensing agreements to ensure compliance.
          01140
      • Establish and maintain a register of approved third parties, technologies and tools.
        06836
        • Install software that originates from approved third parties.
          12184
    • Acquire products or services.
      11450
      • Acquire products and services that meet useful life requirements.
        16939
      • Register new systems with the program office or other applicable stakeholder.
        13986
    • Establish, implement, and maintain facilities, assets, and services acceptance procedures.
      01144
      • Test new hardware or upgraded hardware and software against predefined performance requirements.
        06740
      • Test new hardware or upgraded hardware and software for implementation of security controls.
        06743
        • Test new software or upgraded software for security vulnerabilities.
          01898
        • Test new hardware or upgraded hardware for compatibility with the current system.
          11655
  • Privacy protection for information and data
    00008
    • Establish, implement, and maintain a privacy framework that protects restricted data.
      11850
      • Establish, implement, and maintain a personal data transparency program.
        00375
        • Establish and maintain privacy notices, as necessary.
          13443
          • Include contact information in the privacy notice.
            14432
        • Deliver privacy notices to data subjects, as necessary.
          13444
        • Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.
          00393
          • Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data.
            12585
      • Establish, implement, and maintain a privacy policy.
        06281
        • Document privacy policies in clearly written and easily understood language.
          00376
        • Define what is included in the privacy policy.
          00404
          • Define the information being collected in the privacy policy.
            13115
        • Post the privacy policy in an easily seen location.
          00401
      • Establish, implement, and maintain personal data choice and consent program.
        12569
        • Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data.
          00391
      • Establish, implement, and maintain a personal data accountability program.
        13432
        • Require data controllers to be accountable for their actions.
          00470
          • Notify the supervisory authority.
            00472
            • Establish, implement, and maintain approval applications.
              16778
              • Submit approval applications to the supervisory authority.
                16627
            • Provide the supervisory authority with any information requested by the supervisory authority.
              12606
            • Respond to questions about submissions in a timely manner.
              16930
      • Establish, implement, and maintain a personal data use limitation program.
        13428
        • Establish, implement, and maintain a personal data use purpose specification.
          00093
          • Dispose of media and restricted data in a timely manner.
            00125
        • Establish, implement, and maintain data disclosure procedures.
          00133
      • Include cookie management in the privacy framework.
        13809
        • Establish, implement, and maintain cookie management procedures.
          13810
          • Refrain from using cookies unless legitimate reasons have been defined.
            16953
          • Include the acceptable uses of cookies in the cookie management procedures.
            16952
      • Establish, implement, and maintain a personal data collection program.
        06487
        • Establish, implement, and maintain personal data collection limitation boundaries.
          00507
          • Manage Personal Identification Numbers and PIN verification code numbers.
            00058
            • Employ a random number generator to create authenticators.
              13782
          • Establish, implement, and maintain a personal data collection policy.
            00029
            • Collect and record restricted data for specific, explicit, and legitimate purposes.
              00027
            • Validate the business need for maintaining collected restricted data.
              17090
      • Establish, implement, and maintain a data handling program.
        13427
        • Establish, implement, and maintain data handling policies.
          00353
          • Establish, implement, and maintain data and information confidentiality policies.
            00361
            • Establish, implement, and maintain record structures to support information confidentiality.
              00360
            • Limit data leakage.
              00356
              • Conduct personal data risk assessments.
                00357
              • Search the Internet for evidence of data leakage.
                10419
          • Establish, implement, and maintain call metadata controls.
            04790
          • Disseminate and communicate the data handling policy to all interested personnel and affected parties.
            15465
        • Establish, implement, and maintain data handling procedures.
          11756
      • Establish, implement, and maintain a personal data transfer program.
        00307
        • Establish, implement, and maintain Internet interactivity data transfer procedures.
          06949
          • Obtain consent prior to downloading software to an individual's computer.
            06951
            • Remove or uninstall software from an individual's computer, as necessary.
              13998
      • Establish, implement, and maintain a privacy impact assessment.
        13712
        • Include data handling procedures in the privacy impact assessment.
          15516
      • Develop remedies and sanctions for privacy policy violations.
        00474
        • Define the organization's liability based on the applicable law.
          00504
          • Define the sanctions and fines available for privacy rights violations based on applicable law.
            00505
    • Establish, implement, and maintain an anti-spam policy.
      00283
      • Refrain from sending unsolicited commercial electronic messages under predetermined conditions.
        13993
  • Harmonization Methods and Manual of Style
    06095
    • Establish, implement, and maintain terminological resources.
      13317
      • Establish and maintain terminological entries and their definitions.
        13318
        • Establish and maintain definitions for terminological entries.
          13319
          • Use definition types that fit the purpose of the term definition.
            13422
            • Create partitive definitions, as necessary.
              13392
              • Begin partitive definitions with formulations that indicate the partitive relationship.
                13405
  • Third Party and supply chain oversight
    08807
    • Establish, implement, and maintain a supply chain management program.
      11742
      • Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts.
        00796
        • Review and update all contracts, as necessary.
          11612
      • Formalize client and third party relationships with contracts or nondisclosure agreements.
        00794
        • Establish, implement, and maintain information flow agreements with all third parties.
          04543
          • Include the purpose in the information flow agreement.
            17016
          • Include the costs in the information flow agreement.
            17018
          • Include the security requirements in the information flow agreement.
            14244
        • Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts.
          06528
          • Include proof of license documentation for the third parties with access to in scope systems in third party contracts.
            06529
        • Include a description of the data or information to be covered in third party contracts.
          06510
          • Include text about data ownership in third party contracts.
            06502
        • Include cryptographic keys in third party contracts.
          16179
        • Include text that organizations must meet organizational compliance requirements in third party contracts.
          06506
          • Include compliance with the organization's data usage policies in third party contracts.
            16413
        • Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts.
          06516
        • Include location requirements in third party contracts.
          16915
        • Include a termination provision clause in third party contracts.
          01367
        • Include end-of-life information in third party contracts.
          15265
        • Include third party acknowledgment of their data protection responsibilities in third party contracts.
          01364
          • Include auditing third party security controls and compliance controls in third party contracts.
            01366
      • Document the organization's supply chain in the supply chain management program.
        09958
        • Establish and maintain a Third Party Service Provider list.
          12480
          • Include required information in the Third Party Service Provider list.
            14429
          • Include contact information of the Service Provider in the Third Party Service Provider list.
            14430
          • Include the services provided by each supplier in the Third Party Service Provider list.
            12481
            • Include the location of services provided in the Third Party Service Provider list.
              14423
      • Establish, implement, and maintain a supply chain management policy.
        08808
        • Use third parties that are compliant with the applicable requirements.
          08818
    • Conduct all parts of the supply chain due diligence process.
      08854
      • Assess third parties' business continuity capabilities during due diligence.
        12077
      • Include a provision in outsourcing contracts that requires supply chain members' security requirements to comply with organizational security requirements.
        00359
      • Assess third parties' compliance environment during due diligence.
        13134
        • Request attestation of compliance from third parties.
          12067
          • Validate the third parties' compliance with organizationally mandated compliance requirements.
            08819