NOTE: The authority document "" has been copied to your account.
NOTE: The authority document is already in your account and can not be copied again.
Close
Portable Compliance Profile™
- 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs
- Cloud Computing Compliance Controls Catalogue (C5)
- CobiT
- FFIEC Business Continuity Planning (BCP) IT Examination Handbook
- Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning
- IM Guidance Update: Cybersecurity Guidance
- ISO 22301: Societal Security - Business Continuity Management Systems - Requirements
- ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services
- ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181
- Pandemic Response Planning Policy
- Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers
- Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery
-
Control NameID #
•Leadership and high level objectives00597- •Establish, implement, and maintain a reporting methodology program.02072
- •Establish, implement, and maintain communication protocols.12245
- •Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol.12419
- •Assess the effectiveness of the communication methods used in the communication protocol.12691
- •Include external requirements in the organization's communication protocol.12418
- •Report to management and stakeholders on the findings and information gathered from all types of inquiries.12797
- •Establish, implement, and maintain warning procedures that follow the organization's communication protocol.12407
- •Establish, implement, and maintain alert procedures that follow the organization's communication protocol.12406
- •Include the capturing and alerting of performance variances in the notification system.12929
- •Establish, implement, and maintain an internal reporting program.12409
- •Analyze organizational objectives, functions, and activities.00598
- •Develop instructions for setting organizational objectives and strategies.12931
- •Analyze the business environment in which the organization operates.12798
- •Identify the internal factors that may affect organizational objectives.12957
- •Include key processes in the analysis of the internal business environment.12947
- •Align assets with business functions and the business environment.13681
- •Monitor for changes which affect organizational strategies in the internal business environment.12863
- •Monitor for changes which affect organizational objectives in the internal business environment.12862
- •Analyze the external environment in which the organization operates.12799
- •Identify the external forces that may affect organizational objectives.12960
- •Monitor for changes which affect organizational strategies in the external environment.12880
- •Monitor for changes which affect organizational objectives in the external environment.12879
- •Include regulatory requirements in the analysis of the external environment.12964
- •Include legal requirements in the analysis of the external environment.12896
- •Include technology in the analysis of the external environment.12837
- •Conduct a context analysis to define objectives and strategies.12864
- •Establish, implement, and maintain organizational objectives.09959
- •Evaluate organizational objectives to determine impact on other organizational objectives.12814
- •Identify conditions that may affect organizational objectives.12958
- •Identify opportunities that could affect achieving organizational objectives.12826
- •Establish and maintain a Mission, Vision, and Values Statement.12783
- •Disseminate and communicate organizational objectives to all interested personnel and affected parties.13191
- •Document and communicate the linkage between organizational objectives, functions, activities, and general controls.12398
- •Identify threats that could affect achieving organizational objectives.12827
- •Identify how opportunities, threats, and external requirements are trending.12829
- •Review the organization's approach to managing information security, as necessary.12005
- •Identify all interested personnel and affected parties.12845
- •Analyze and prioritize the requirements of interested personnel and affected parties.12796
- •Establish, implement, and maintain an information classification standard.00601
- •Take into account the organization's obligation to protect data or information when establishing information impact levels.04786
- •Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard.11997
- •Classify the criticality to unauthorized disclosure or modification of information in the information classification standard.11996
- •Classify the value of information in the information classification standard.11995
- •Establish, implement, and maintain a data classification scheme.11628
- •Establish and maintain an organizational data dictionary, including data syntax rules.00600
- •Refrain from allowing incompatible data elements in the data dictionary.13624
- •Disseminate and communicate the data dictionary to interested personnel and affected parties.13516
- •Establish, implement, and maintain an Information and Infrastructure Architecture model.00599
- •Establish, implement, and maintain sustainable infrastructure planning.00603
- •Take into account the need for protecting information confidentiality during infrastructure planning.06486
- •Monitor regulatory trends to maintain compliance.00604
- •Monitor for new Information Security solutions.07078
- •Subscribe to a threat intelligence service to receive notification of emerging threats.12135
- •Disseminate and communicate emerging threats to all interested personnel and affected parties.12185
- •Establish, implement, and maintain a Quality Management framework.07196
- •Establish, implement, and maintain a Quality Management policy.13694
- •Include critical Information Technology processes in the Quality Management framework.13645
- •Establish, implement, and maintain a Quality Management standard.01006
- •Document the measurements used by Quality Assurance and Quality Control testing.07200
- •Enforce a continuous Quality Control system.01005
- •Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures.01008
- •Establish, implement, and maintain a Quality Management program.07201
- •Correct errors and deficiencies in a timely manner.13501
- •Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement.07203
- •Include program documentation standards in the Quality Management program.01016
- •Include program testing standards in the Quality Management program.01017
- •Review and analyze any quality improvement goals that were missed.07204
- •Include system testing standards in the Quality Management program.01018
- •Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.01241
- •Define the scope of the security policy.07145
- •Correlate Information Systems with applicable controls.01621
- •Establish, implement, and maintain a policy and procedure management program.06285
- •Include requirements in the organization’s policies, standards, and procedures.12956
- •Analyze organizational policies, as necessary.14037
- •Establish and maintain an Authority Document list.07113
- •Map in scope assets and in scope records to external requirements.12189
- •Document organizational procedures that harmonize external requirements, including all legal requirements.00623
- •Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework.01636
- •Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties.12901
- •Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties.01312
- •Approve all compliance documents.06286
- •Align the Authority Document list with external requirements.06288
- •Assign the appropriate roles to all applicable compliance documents.06284
- •Establish, implement, and maintain a compliance exception standard.01628
- •Include all compliance exceptions in the compliance exception standard.01630
- •Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document.01631
- •Review the compliance exceptions in the exceptions document, as necessary.01632
- •Disseminate and communicate compliance documents to all interested personnel and affected parties.06282
- •Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties.06283
- •Define the Information Assurance strategic roles and responsibilities.00608
- •Establish and maintain a compliance oversight committee.00765
- •Include recommendations for changes or updates to the information security program in the Board Report.13180
- •Provide critical project reports to the compliance oversight committee in a timely manner.01183
- •Assign the corporate governance of Information Technology to the compliance oversight committee.01178
- •Involve the Board of Directors or senior management in Information Governance.00609
- •Address Information Security during the business planning processes.06495
- •Document the requirements of stakeholders during the business planning process regarding Information Security.06498
- •Establish, implement, and maintain a strategic plan.12784
- •Determine progress toward the objectives of the strategic plan.12944
- •Include acting with integrity in the strategic plan.12870
- •Include the outsource partners in the strategic plan, as necessary.13960
- •Align the cybersecurity program strategy with the organization's strategic plan.14322
- •Establish, implement, and maintain a decision management strategy.06913
- •Include an economic impact analysis in the decision management strategy.14015
- •Include cost benefit analysis in the decision management strategy.14014
- •Include criteria for risk tolerance in the decision making criteria.12950
- •Align organizational objectives with performance targets in the decision-making criteria.12843
- •Align organizational objectives with the acceptable residual risk in the decision-making criteria.12841
- •Create additional decision-making criteria to achieve organizational objectives, as necessary.12948
- •Involve knowledgeable and experienced individuals in the decision-making process.06915
- •Take actions in accordance with the decision-making criteria.12909
- •Document and evaluate the decision outcomes from the decision-making process.06918
- •Establish, implement, and maintain an information technology process framework.13648
- •Include maturity models in the Information Technology process framework.13652
- •Include relationships between Information Technology process structures in the Information Technology process framework.13651
- •Include Information Technology process structures in the Information Technology process framework.13650
- •Establish, implement, and maintain a Strategic Information Technology Plan.00628
- •Include business continuity objectives in the Strategic Information Technology Plan.06496
- •Align business continuity objectives with the business continuity policy.12408
- •Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs.00631
- •Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan.00630
- •Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan.06491
- •Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan.00632
- •Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan.01609
- •Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan.06497
- •Document the business case and return on investment in each Information Technology project plan.06846
- •Document all desired outcomes for a proposed project in the Information Technology project plan.06916
- •Assign senior management to approve business cases.13068
- •Include milestones for each project phase in the Information Technology project plan.12621
- •Document lessons learned at the conclusion of each Information Technology project.13654
- •Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan.13673
- •Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties.00633
- •Monitor and evaluate the implementation and effectiveness of Information Technology Plans.00634
- •Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans06839
- •Include significant security risks in the Information Technology Plan status reports.06939
- •Include significant risk mitigations in the Information Technology Plan status reports.06841
- •Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors.13094
- •Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program.06492
- •Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security.06493
- •Establish, implement, and maintain a financial management program.13228
- •Establish, implement, and maintain financial reports.14770
- •Monitoring and measurement00636
- •Monitor the usage and capacity of critical assets.14825
- •Monitor the usage and capacity of Information Technology assets.00668
- •Monitor systems for errors and faults.04544
- •Compare system performance metrics to organizational standards and industry benchmarks.00667
- •Establish, implement, and maintain Security Control System monitoring and reporting procedures.12506
- •Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures.12525
- •Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures.12513
- •Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures12512
- •Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures.12511
- •Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures.12510
- •Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures.12509
- •Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures.12508
- •Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures.12507
- •Establish, implement, and maintain Responding to Failures in Security Controls procedures.12514
- •Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure.12521
- •Include implementing mitigating controls to prevent the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure.12520
- •Include correcting security issues caused by the failure of a security control in the Responding to Failures in Security Controls procedure.12518
- •Include documenting the duration of the failure of a security control in the Responding to Failures in Security Controls procedure.12517
- •Include restoring security functions in the Responding to Failures in Security Controls procedure.12515
- •Establish, implement, and maintain logging and monitoring operations.00637
- •Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs.06312
- •Review and approve the use of continuous security management systems.13181
- •Protect continuous security management systems from unauthorized use.13097
- •Establish, implement, and maintain intrusion management operations.00580
- •Install and maintain an Intrusion Detection System and/or Intrusion Prevention System.00581
- •Monitor systems for inappropriate usage and other security violations.00585
- •Monitor systems for access to restricted data or restricted information.04721
- •Assign roles and responsibilities for overseeing access to restricted data or restricted information.11950
- •Detect unauthorized access to systems.06798
- •Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.06430
- •Update the intrusion detection capabilities and the incident response capabilities regularly.04653
- •Document and communicate the log locations to the owning entity.12047
- •Make logs available for review by the owning entity.12046
- •Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information.00638
- •Establish, implement, and maintain event logging procedures.01335
- •Include a standard to collect and interpret event logs in the event logging procedures.00643
- •Compile the event logs of multiple components into a system-wide time-correlated audit trail.01424
- •Review and update event logs and audit logs, as necessary.00596
- •Eliminate false positives in event logs and audit logs.07047
- •Correlate log entries to security controls to verify the security control's effectiveness.13207
- •Identify cybersecurity events in event logs and audit logs.13206
- •Follow up exceptions and anomalies identified when reviewing logs.11925
- •Enable logging for all systems that meet a traceability criteria.00640
- •Synchronize system clocks to an accurate and universal time source on all devices.01340
- •Centralize network time servers to as few as practical.06308
- •Include logging frequencies in the event logging procedures.00642
- •Monitor and evaluate system performance.00651
- •Monitor for and react to when suspicious activities are detected.00586
- •Assess customer satisfaction.00652
- •Establish, implement, and maintain a continuous monitoring program for configuration management.06757
- •Establish, implement, and maintain an automated configuration monitoring system.07058
- •Monitor for and report when a software configuration is updated.06746
- •Implement file integrity monitoring.01205
- •Identify unauthorized modifications during file integrity monitoring.12096
- •Alert interested personnel and affected parties when an unauthorized modification to critical files is detected.12045
- •Monitor and evaluate user account activity.07066
- •Develop and maintain a usage profile for each user account.07067
- •Log account usage to determine dormant accounts.12118
- •Log account usage durations.12117
- •Establish, implement, and maintain a risk monitoring program.00658
- •Monitor the organization's exposure to threats, as necessary.06494
- •Implement a fraud detection system.13081
- •Monitor for new vulnerabilities.06843
- •Establish, implement, and maintain a compliance testing strategy.00659
- •Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy.12833
- •Establish, implement, and maintain a system security plan.01922
- •Create specific test plans to test each system component.00661
- •Validate all testing assumptions in the test plans.00663
- •Include error details, identifying the root causes, and mitigation actions in the testing procedures.11827
- •Determine the appropriate assessment method for each testing process in the test plan.00665
- •Implement automated audit tools.04882
- •Assign senior management to approve test plans.13071
- •Analyze system audit reports and determine the need to perform more tests.00666
- •Establish, implement, and maintain a testing program.00654
- •Conduct Red Team exercises, as necessary.12131
- •Test security systems and associated security procedures, as necessary.11901
- •Employ third parties to carry out testing programs, as necessary.13178
- •Define the test requirements for each testing program.13177
- •Scan organizational networks for rogue devices.00536
- •Scan the network for wireless access points.00370
- •Document the business need justification for authorized wireless access points.12044
- •Scan wireless networks for rogue devices.11623
- •Implement incident response procedures when rogue devices are discovered.11880
- •Disseminate and communicate the testing program to all interested personnel and affected parties.11871
- •Establish, implement, and maintain a penetration test program.01105
- •Align the penetration test program with industry standards.12469
- •Assign penetration testing to a qualified internal resource or external third party.06429
- •Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation.11958
- •Retain penetration test results according to internal policy.10049
- •Retain penetration test remediation action records according to internal policy.11629
- •Perform penetration tests, as necessary.00655
- •Perform internal penetration tests, as necessary.12471
- •Perform external penetration tests, as necessary.12470
- •Include coverage of all in scope systems during penetration testing.11957
- •Test the system for broken access controls.01319
- •Test the system for insecure configuration management.01327
- •Perform network-layer penetration testing on all systems, as necessary.01277
- •Perform application-layer penetration testing on all systems, as necessary.11630
- •Perform penetration testing on segmentation controls, as necessary.12498
- •Verify segmentation controls are operational and effective.12545
- •Repeat penetration testing, as necessary.06860
- •Establish, implement, and maintain a vulnerability management program.15721
- •Establish, implement, and maintain a vulnerability assessment program.11636
- •Perform vulnerability scans, as necessary.11637
- •Repeat vulnerability scanning, as necessary.11646
- •Identify and document security vulnerabilities.11857
- •Rank discovered vulnerabilities.11940
- •Assign vulnerability scanning to qualified personnel or external third parties.11638
- •Correlate vulnerability scan reports from the various systems.10636
- •Perform internal vulnerability scans, as necessary.00656
- •Repeat vulnerability scanning after an approved change occurs.12468
- •Perform external vulnerability scans, as necessary.11624
- •Employ an approved third party to perform external vulnerability scans on the organization's systems.12467
- •Meet the requirements for a passing score during an external vulnerability scan or rescan.12039
- •Perform vulnerability assessments, as necessary.11828
- •Review applications for security vulnerabilities after the application is updated.11938
- •Recommend mitigation techniques based on vulnerability scan reports.11639
- •Recommend mitigation techniques based on penetration test results.04881
- •Correct or mitigate vulnerabilities.12497
- •Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated.13859
- •Establish, implement, and maintain a service management monitoring and metrics program.13916
- •Monitor service availability when implementing the service management monitoring and metrics program.13921
- •Establish, implement, and maintain a compliance monitoring policy.00671
- •Establish, implement, and maintain a metrics policy.01654
- •Establish, implement, and maintain an approach for compliance monitoring.01653
- •Establish, implement, and maintain risk management metrics.01656
- •Identify information being used to support the performance of the governance, risk, and compliance capability.12866
- •Monitor personnel and third parties for compliance to the organizational compliance framework.04726
- •Identify and document instances of non-compliance with the compliance framework.06499
- •Align enforcement reviews for non-compliance with organizational risk tolerance.13063
- •Determine the causes of compliance violations.12401
- •Identify and document events surrounding non-compliance with the organizational compliance framework.12935
- •Determine if multiple compliance violations of the same type could occur.12402
- •Correct compliance violations.13515
- •Review the effectiveness of disciplinary actions carried out for compliance violations.12403
- •Carry out disciplinary actions when a compliance violation is detected.06675
- •Align disciplinary actions with the level of compliance violation.12404
- •Establish, implement, and maintain compliance program metrics.11625
- •Establish, implement, and maintain a Business Continuity metrics program.01663
- •Establish, implement, and maintain a metrics standard and template.02157
- •Monitor compliance with the Quality Control system.01023
- •Establish, implement, and maintain a policies and controls metrics program.01666
- •Establish, implement, and maintain a security roles and responsibilities metrics program.01667
- •Establish, implement, and maintain an information risk threshold metrics program.01694
- •Establish, implement, and maintain an Information Systems architecture metrics program.02059
- •Establish, implement, and maintain a technical measurement metrics policy.01655
- •Establish, implement, and maintain a software change management metrics program.02081
- •Establish, implement, and maintain a network management and firewall management metrics program.02082
- •Establish, implement, and maintain an incident management and vulnerability management metrics program.02085
- •Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds.02126
- •Establish, implement, and maintain a log management program.00673
- •Restrict access to logs to a need to know basis.01342
- •Restrict access to audit trails to a need to know basis.11641
- •Back up audit trails according to backup procedures.11642
- •Copy logs from all predefined hosts onto a log management infrastructure.01346
- •Protect logs from unauthorized activity.01345
- •Perform testing and validating activities on all logs.06322
- •Archive the audit trail in accordance with compliance requirements.00674
- •Monitor the performance of the governance, risk, and compliance capability.12857
- •Establish, implement, and maintain a corrective action plan.00675
- •Include monitoring in the corrective action plan.11645
- •Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.00676
- •Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis.12330
- •Report known security issues to the Board of Directors or Senior Executive Committee on a regular basis.12329
- •Protect against misusing automated audit tools.04547
- •Evaluate the measurement process used for metrics.06920
- •Provide intelligence support to the organization, as necessary.14020
- •Submit or respond to deconfliction requests regarding cyberspace operations, as necessary.14269
- •Perform intelligence operations on target systems and networks, as necessary.14039
- •Establish, implement, and maintain a Technical Surveillance Countermeasures program.11401
- •Determine the need for Technical Surveillance Countermeasures.11402
- •Determine the need for recurring Technical Surveillance Countermeasures.11409
- •Conduct recurring Technical Surveillance Countermeasures based on implemented security measures.11411
- •Conduct recurring Technical Surveillance Countermeasures based on information received from counterintelligence operations.11413
- •Provide targeting support for the intelligence collection strategy.14268
- •Provide targeting products to support the intelligence collection strategy.14267
- •Establish, implement, and maintain an intelligence collection strategy.14017
- •Include managing intelligence requirements in the intelligence collection strategy.14321
- •Establish and maintain target lists, as necessary.14266
- •Collect threat intelligence, as necessary.14064
- •Identify and document intelligence collection shortfalls.14078
- •Establish, implement, and maintain Technical Surveillance Countermeasures support request procedures.11414
- •Establish, implement, and maintain Technical Surveillance Countermeasure support request submission procedures.11435
- •Supply documented evidence of a technical penetration when requesting Technical Surveillance Countermeasure support.11415
- •Establish, implement, and maintain cyber threat intelligence tools.12696
- •Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures.12697
- •Evaluate cyber threat intelligence.12747
- •Conduct Technical Surveillance Countermeasures.11442
- •Create a Technical Surveillance Countermeasure survey report after completion of a Technical Surveillance Countermeasure survey.11445
- •Include the geographic location in the Technical Surveillance Countermeasure survey report.11456
- •Conduct joint Technical Surveillance Countermeasure exercises.11448
- •Develop and maintain guidance on gathering intelligence on technical penetrations and Technical Surveillance Countermeasures.11477
- •Communicate threat intelligence to interested personnel and affected parties.14016
- •Audits and risk management00677
- •Establish, implement, and maintain a Statement of Compliance.12499
- •Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance.12371
- •Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance.12370
- •Include a Statement of Compliance in the tactical Information Technology plan.06842
- •Define the roles and responsibilities for personnel assigned to tasks in the Audit function.00678
- •Manage supply chain audits.01203
- •Define and assign the external auditor's roles and responsibilities.00683
- •Retain copies of external auditor outsourcing contracts and engagement letters.01188
- •Include the scope and work to be performed in external auditor outsourcing contracts.01190
- •Conduct a performance review of the external auditor's performance during the audit process.01198
- •Establish, implement, and maintain an audit program.00684
- •Assign the audit to impartial auditors.07118
- •Exercise due professional care during the planning and performance of the audit.07119
- •Include provisions for legislative plurality and legislative domain in the audit program.06959
- •Include agreement to the audit scope and audit terms in the audit program.06965
- •Include audit subject matter in the audit program.07103
- •Establish and maintain audit assertions, as necessary.14871
- •Include the in scope risk assessment processes in the audit assertion.06975
- •Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms.06988
- •Accept the attestation engagement when all preconditions are met.13933
- •Audit in scope audit items and compliance documents.06730
- •Audit policies, standards, and procedures.12927
- •Audit cybersecurity risk management within the policies, standards, and procedures of the organization.13011
- •Audit information systems, as necessary.13010
- •Audit the potential costs of compromise to information systems.13012
- •Determine if the audit assertion's in scope controls are reasonable.06980
- •Document test plans for auditing in scope controls.06985
- •Determine the effectiveness of in scope controls.06984
- •Review incident management audit logs to determine the effectiveness of in scope controls.12157
- •Audit the in scope system according to the test plan using relevant evidence.07112
- •Investigate the nature and causes of identified in scope control deviations.06986
- •Supervise interested personnel and affected parties participating in the audit.07150
- •Respond to questions or clarification requests regarding the audit.08902
- •Track and measure the implementation of the organizational compliance framework.06445
- •Establish and maintain organizational audit reports.06731
- •Include the scope and work performed in the audit report.11621
- •Review the adequacy of the internal auditor's audit reports.11620
- •Review past audit reports.01155
- •Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list.07117
- •Disseminate and communicate the reviews of audit reports to organizational management.00653
- •Review the issues of non-compliance from past audit reports.01148
- •Submit an audit report that is complete.01145
- •Implement a corrective action plan in response to the audit report.06777
- •Assign responsibility for remediation actions.13622
- •Review management's response to issues raised in past audit reports.01149
- •Define penalties for uncorrected audit findings or remaining non-compliant with the audit report.08963
- •Assess the quality of the audit program in regards to the staff and their qualifications.01150
- •Review the audit program scope as it relates to the organization's profile.01159
- •Assess the quality of the audit program in regards to its documentation.11622
- •Establish, implement, and maintain the audit plan.01156
- •Establish, implement, and maintain an audit schedule for the audit program.13158
- •Establish, implement, and maintain a risk management program.12051
- •Integrate the risk management program with the organization's business activities.13661
- •Integrate the risk management program into daily business decision-making.13659
- •Establish, implement, and maintain risk management strategies.13209
- •Include the use of alternate service providers in the risk management strategies.13217
- •Establish, implement, and maintain the risk assessment framework.00685
- •Define and assign the roles and responsibilities for the risk assessment framework, as necessary.06456
- •Establish, implement, and maintain a risk assessment program.00687
- •Address past incidents in the risk assessment program.12743
- •Establish and maintain the factors and context for risk to the organization.12230
- •Establish, implement, and maintain a financial plan to support the risk management strategy.12786
- •Address cybersecurity risks in the risk assessment program.13193
- •Establish, implement, and maintain risk assessment procedures.06446
- •Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling.06472
- •Employ risk assessment procedures that align with strategic objectives.06474
- •Include compliance with disposition requirements in the risk assessment procedures.12342
- •Establish, implement, and maintain a threat and risk classification scheme.07183
- •Employ risk assessment procedures that include appropriate risk treatment options for each identified risk.06484
- •Include security threats and vulnerabilities in the threat and risk classification scheme.00699
- •Categorize the systems, information, and data by risk profile in the threat and risk classification scheme.01443
- •Include risks to critical personnel and assets in the threat and risk classification scheme.00698
- •Include the environments that call for risk assessments in the risk assessment program.06448
- •Include the process for defining the scope of each risk assessment in the risk assessment program.06462
- •Include the roles and responsibilities involved in risk assessments in the risk assessment program.06450
- •Perform risk assessments for all target environments, as necessary.06452
- •Include the results of the risk assessment in the risk assessment report.06481
- •Update the risk assessment upon discovery of a new threat.00708
- •Update the risk assessment upon changes to the risk profile.11627
- •Disseminate and communicate the approved risk assessment report to interested personnel and affected parties.10633
- •Establish, implement, and maintain a risk assessment awareness and training program.06453
- •Disseminate and communicate information about risks to all interested personnel and affected parties.06718
- •Correlate the business impact of identified risks in the risk assessment report.00686
- •Conduct a Business Impact Analysis, as necessary.01147
- •Include tolerance to downtime in the Business Impact Analysis report.01172
- •Establish, implement, and maintain a risk register.14828
- •Document organizational risk tolerance in a risk register.09961
- •Review the Business Impact Analysis, as necessary.12774
- •Analyze and quantify the risks to in scope systems and information.00701
- •Establish and maintain a Risk Scoping and Measurement Definitions Document.00703
- •Assess the potential level of business impact risk associated with each business process.06463
- •Assess the potential level of business impact risk associated with the business environment.06464
- •Assess the potential level of business impact risk associated with business information of in scope systems.06465
- •Assess the potential level of business impact risk associated with external entities.06469
- •Establish a risk acceptance level that is appropriate to the organization's risk appetite.00706
- •Select the appropriate risk treatment option for each identified risk in the risk register.06483
- •Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties.06849
- •Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary.00704
- •Prioritize and select controls based on the risk assessment findings.00707
- •Determine the effectiveness of risk control measures.06601
- •Establish, implement, and maintain a risk treatment plan.11983
- •Include the risk treatment strategy in the risk treatment plan.12159
- •Approve the risk treatment plan.13495
- •Integrate the corrective action plan based on the risk assessment findings with other risk management activities.06457
- •Document and communicate a corrective action plan based on the risk assessment findings.00705
- •Review and approve the risk assessment findings.06485
- •Include risk responses in the risk management program.13195
- •Document residual risk in a residual risk report.13664
- •Establish, implement, and maintain a cybersecurity risk management strategy.11991
- •Include a risk prioritization approach in the Cybersecurity Risk Management Strategy.12276
- •Disseminate and communicate the risk management policy to interested personnel and affected parties.13792
- •Technical security00508
- •Establish, implement, and maintain an access classification scheme.00509
- •Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme.00510
- •Include business security requirements in the access classification scheme.00002
- •Interpret and apply security requirements based upon the information classification of the system.00003
- •Include third party access in the access classification scheme.11786
- •Establish, implement, and maintain security classifications for organizational assets.00005
- •Limit the use of resources by priority.01448
- •Establish, implement, and maintain a digital identity management program.13713
- •Establish, implement, and maintain digital identification procedures.13714
- •Implement digital identification processes.13731
- •Implement identity proofing processes.13719
- •Validate proof of identity during the identity proofing process.13756
- •Verify proof of identity records.13761
- •Establish, implement, and maintain federated identity systems.13837
- •Authenticate all systems in a federated identity system.13835
- •Send and receive authentication assertions, as necessary.13839
- •Validate each element within the authentication assertion.13853
- •Validate the digital signature in the authentication assertion.13869
- •Establish, implement, and maintain an access control program.11702
- •Include instructions to change authenticators as often as necessary in the access control program.11931
- •Include guidance for how users should protect their authentication credentials in the access control program.11929
- •Include guidance on selecting authentication credentials in the access control program.11928
- •Establish, implement, and maintain access control policies.00512
- •Disseminate and communicate the access control policies to all interested personnel and affected parties.10061
- •Establish, implement, and maintain an access rights management plan.00513
- •Identify information system users.12081
- •Review user accounts.00525
- •Review and update accounts and access rights when notified of personnel status changes.00788
- •Control access rights to organizational assets.00004
- •Add all devices requiring access control to the Access Control List.06264
- •Disallow application IDs from running as privileged users.10050
- •Define roles for information systems.12454
- •Define access needs for each role assigned to an information system.12455
- •Define access needs for each system component of an information system.12456
- •Define the level of privilege required for each system component of an information system.12457
- •Establish access rights based on least privilege.01411
- •Assign user permissions based on job responsibilities.00538
- •Assign user privileges after they have management sign off.00542
- •Separate processing domains to segregate user privileges and enhance information flow control.06767
- •Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts.01412
- •Establish, implement, and maintain session lock capabilities.01417
- •Limit concurrent sessions according to account type.01416
- •Enable access control for objects and users on each system.04553
- •Include all system components in the access control system.11939
- •Set access control for objects and users to "deny all" unless explicitly authorized.06301
- •Enable role-based access control for objects and users on information systems.12458
- •Assign Information System access authorizations if implementing segregation of duties.06323
- •Enforce access restrictions for change control.01428
- •Enforce access restrictions for restricted data.01921
- •Perform a risk assessment prior to activating third party access to the organization's critical systems.06455
- •Activate third party maintenance accounts and user identifiers, as necessary.04262
- •Control user privileges.11665
- •Review all user privileges, as necessary.06784
- •Establish, implement, and maintain User Access Management procedures.00514
- •Establish, implement, and maintain an authority for access authorization list.06782
- •Review and approve logical access to all assets based upon organizational policies.06641
- •Control the addition and modification of user identifiers, user credentials, or other authenticators.00515
- •Assign roles and responsibilities for administering user account management.11900
- •Automate access control methods, as necessary.11838
- •Refrain from allowing user access to identifiers and authenticators used by applications.10048
- •Remove inactive user accounts, as necessary.00517
- •Terminate user accounts when notified that an individual is terminated.11614
- •Terminate access rights when notified that an individual is terminated.11826
- •Revoke asset access when an individual is terminated.00516
- •Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework.00526
- •Document the business need justification for authentication data storage.06325
- •Establish, implement, and maintain access control procedures.11663
- •Grant access to authorized personnel.12186
- •Document approving and granting access in the access control log.06786
- •Include digital identification procedures in the access control program.11841
- •Employ unique identifiers.01273
- •Disseminate and communicate user identifiers and authenticators using secure communication protocols.06791
- •Include instructions to refrain from using previously used authenticators in the access control program.11930
- •Authenticate user identities before manually resetting an authenticator.04567
- •Require proper authentication for user identifiers.11785
- •Assign authenticators to user accounts.06855
- •Assign authentication mechanisms for user account authentication.06856
- •Refrain from allowing individuals to share authentication mechanisms.11932
- •Limit account credential reuse as a part of digital identification procedures.12357
- •Use biometric authentication for identification and authentication, as necessary.06857
- •Identify and control all network access controls.00529
- •Establish, implement, and maintain a network configuration standard.00530
- •Establish, implement, and maintain a network security policy.06440
- •Maintain up-to-date network diagrams.00531
- •Maintain up-to-date data flow diagrams.10059
- •Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams.13737
- •Manage all internal network connections.06329
- •Secure the Domain Name System.00540
- •Implement segregation of duties.11843
- •Establish, implement, and maintain a Boundary Defense program.00544
- •Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary.11891
- •Authorize the disclosure of private Internet Protocol addresses and routing information to external entities.12034
- •Segregate out of scope systems from in scope systems.12546
- •Segregate servers that contain restricted data or restricted information from direct public access.00533
- •Restrict inbound Internet traffic inside the Demilitarized Zone.01285
- •Segregate applications and databases that contain restricted data or restricted information in an internal network zone.01289
- •Establish, implement, and maintain a network access control standard.00546
- •Include assigned roles and responsibilities in the network access control standard.06410
- •Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary.11821
- •Place firewalls between all security domains and between any Demilitarized Zone and internal network zones.01274
- •Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information.01293
- •Establish, implement, and maintain a firewall and router configuration standard.00541
- •Include testing and approving all network connections through the firewall in the firewall and router configuration standard.01270
- •Include compensating controls implemented for insecure protocols in the firewall and router configuration standard.11948
- •Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary.11903
- •Include restricting inbound internet traffic in the firewall and router configuration standard.11960
- •Include restricting outbound network traffic in the firewall and router configuration standard.11961
- •Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard.12435
- •Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard.12434
- •Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard.12426
- •Include a protocols, ports, applications, and services list in the firewall and router configuration standard.00537
- •Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard.12547
- •Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard.01280
- •Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list.12033
- •Identify and document the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration.12032
- •Install and configure firewalls to be enabled on all mobile devices, if possible.00550
- •Lock personal firewall configurations to prevent them from being disabled or changed by end users.06420
- •Configure network access and control points to protect restricted data or restricted information.01284
- •Configure firewalls to deny all traffic by default, except explicitly designated traffic.00547
- •Configure firewalls to perform dynamic packet filtering.01288
- •Configure firewall filtering to only permit established connections into the network.12482
- •Restrict outbound network traffic from systems that contain restricted data or restricted information.01295
- •Synchronize and secure all router configuration files.01291
- •Configure firewalls to generate an audit log.12038
- •Configure network access and control points to organizational standards.12442
- •Install and configure application layer firewalls for all key web-facing applications.01450
- •Update application layer firewalls to the most current version.12037
- •Establish, implement, and maintain a Wireless Local Area Network Configuration Management program.01646
- •Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks.04830
- •Enforce information flow control.11781
- •Establish, implement, and maintain information flow control configuration standards.01924
- •Require the system to identify and authenticate approved devices before establishing a connection to restricted data.01429
- •Perform content filtering scans on network traffic.06761
- •Use content filtering scans to identify information flows by data type usage.11818
- •Document information flow anomalies that do not fit normal traffic patterns.12163
- •Constrain the information flow of restricted data or restricted information.06763
- •Restrict access to restricted data and restricted information on a need to know basis.12453
- •Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.01410
- •Establish, implement, and maintain a document printing policy.14384
- •Include printing to personal printers during a continuity event in the document printing policy.14396
- •Establish, implement, and maintain information flow procedures.04542
- •Establish, implement, and maintain information exchange procedures.11782
- •Review and approve information exchange system connections.07143
- •Enable encryption of a protected distribution system if sending restricted data or restricted information.01749
- •Protect data from modification or loss while transmitting between separate parts of the system.04554
- •Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services.13104
- •Establish, implement, and maintain whitelists and blacklists of domain names.07097
- •Block uncategorized sites using URL filtering.12140
- •Establish, implement, and maintain whitelists and blacklists of software.11780
- •Implement information flow control policies when making decisions about information sharing or collaboration.10094
- •Secure access to each system component operating system.00551
- •Separate user functionality from system management functionality.11858
- •Control all methods of remote access and teleworking.00559
- •Establish, implement, and maintain a remote access and teleworking program.04545
- •Control remote access through a network access control.01421
- •Employ multifactor authentication for remote access to the organization's network.12505
- •Implement multifactor authentication techniques.00561
- •Monitor and evaluate all remote access usage.00563
- •Manage the use of encryption controls and cryptographic controls.00570
- •Employ only secure versions of cryptographic controls.12491
- •Establish, implement, and maintain digital signatures.13828
- •Establish, implement, and maintain an encryption management and cryptographic controls policy.04546
- •Encrypt restricted data or restricted information, as necessary.04824
- •Provide guidance to customers on how to securely transmit, store, and update cryptographic keys.12040
- •Establish, implement, and maintain cryptographic key management procedures.00571
- •Generate strong cryptographic keys.01299
- •Generate unique cryptographic keys for each user.12169
- •Include the establishment of cryptographic keys in the cryptographic key management procedures.06540
- •Disseminate and communicate cryptographic keys securely.01300
- •Store cryptographic keys securely.01298
- •Restrict access to cryptographic keys.01297
- •Store cryptographic keys in encrypted format.06084
- •Store key-encrypting keys and data-encrypting keys in different locations.06085
- •Change cryptographic keys, as necessary.01302
- •Control cryptographic keys with split knowledge and dual control.01304
- •Prevent the unauthorized substitution of cryptographic keys.01305
- •Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys.06852
- •Replace known or suspected compromised cryptographic keys immediately.01306
- •Require key custodians to sign the key custodian's roles and responsibilities.11820
- •Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates.06587
- •Establish a Root Certification Authority to support the Public Key Infrastructure.07084
- •Establish, implement, and maintain Public Key certificate procedures.07085
- •Use strong data encryption to transmit restricted data or restricted information, as necessary.00564
- •Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls.12492
- •Encrypt traffic over public networks with trusted cryptographic keys.12490
- •Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks.00568
- •Protect application services information transmitted over a public network from unauthorized modification.12021
- •Establish, implement, and maintain a malicious code protection program.00574
- •Install security and protection software, as necessary.00575
- •Scan for malicious code, as necessary.11941
- •Remove malware when malicious code is discovered.13691
- •Log and react to all malicious code activity.07072
- •Analyze the behavior and characteristics of the malicious code.10672
- •Lock antivirus configurations.10047
- •Establish, implement, and maintain an application security policy.06438
- •Conduct application security reviews, as necessary.06298
- •Include all vulnerabilities in the application security review.12036
- •Assign application security reviews for web-facing applications to an organization that specializes in application security.12035
- •Correct all found deficiencies according to organizational standards after a web application policy compliance review.06299
- •Re-evaluate the web application after deficiencies have been corrected.06300
- •Establish, implement, and maintain a virtual environment and shared resources security program.06551
- •Establish, implement, and maintain a shared resources management program.07096
- •Physical and environmental protection00709
- •Establish, implement, and maintain a physical security program.11757
- •Establish, implement, and maintain physical security procedures.13076
- •Establish, implement, and maintain an anti-tamper protection program.10638
- •Monitor for evidence of when tampering indicators are being identified.11905
- •Inspect device surfaces to detect tampering.11868
- •Inspect device surfaces to detect unauthorized substitution.11869
- •Protect assets from tampering or unapproved substitution.11902
- •Establish, implement, and maintain a facility physical security program.00711
- •Maintain all physical security systems.02206
- •Identify and document physical access controls for all physical entry points.01637
- •Control physical access to (and within) the facility.01329
- •Establish, implement, and maintain physical access procedures.13629
- •Secure physical entry points with physical access controls or security guards.01640
- •Establish, implement, and maintain a visitor access permission policy.06699
- •Escort visitors within the facility, as necessary.06417
- •Authorize visitors before granting entry to physical areas containing restricted data or restricted information.01330
- •Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information.01436
- •Change access requirements to organizational assets for personnel and visitors, as necessary.12463
- •Authorize physical access to sensitive areas based on job functions.12462
- •Establish, implement, and maintain physical identification procedures.00713
- •Manage visitor identification inside the facility.11670
- •Issue visitor identification badges to all non-employees.00543
- •Retrieve visitor identification badges prior to the exit of a visitor from the facility.01331
- •Establish, implement, and maintain identification issuance procedures for identification cards or badges.06598
- •Restrict access to the badge system to authorized personnel.12043
- •Establish, implement, and maintain identification mechanism termination procedures.06306
- •Use locks to protect against unauthorized physical access.06342
- •Use locks with electronic authentication systems or cipher locks, as necessary.06650
- •Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems.00748
- •Implement physical security standards for mainframe rooms or data centers.00749
- •Establish, implement, and maintain a guideline for working in a secure area.04538
- •Monitor for unauthorized physical access at physical entry points and physical exit points.01638
- •Establish and maintain a visitor log.00715
- •Record the visitor's name in the visitor log.00557
- •Record the visitor's organization in the visitor log.12121
- •Record the onsite personnel authorizing physical access for the visitor in the visitor log.12466
- •Retain all records in the visitor log as prescribed by law.00572
- •Establish, implement, and maintain a physical access log.12080
- •Observe restricted areas with motion detectors or closed-circuit television systems.01328
- •Review and correlate all data collected from video cameras and/or access control mechanisms with other entries.11609
- •Retain video events according to Records Management procedures.06304
- •Monitor physical entry point alarms.01639
- •Establish, implement, and maintain physical security controls for distributed assets.00718
- •Control the transiting and internal distribution or external distribution of assets.00963
- •Obtain management authorization for restricted storage media transit or distribution from a controlled access area.00964
- •Transport restricted media using a delivery method that can be tracked.11777
- •Restrict physical access to distributed assets.11865
- •Protect electronic storage media with physical access controls.00720
- •Establish, implement, and maintain removable storage media controls.06680
- •Control access to restricted storage media.04889
- •Physically secure all electronic storage media that store restricted data or restricted information.11664
- •Log the transfer of removable storage media.12322
- •Establish, implement, and maintain storage media access control procedures.00959
- •Require removable storage media be in the custody of an authorized individual.12319
- •Control the storage of restricted storage media.00965
- •Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults.00717
- •Protect distributed assets against theft.06799
- •Control the delivery of assets through physical entry points and physical exit points.01441
- •Establish, implement, and maintain off-site physical controls for all distributed assets.04539
- •Establish, implement, and maintain mobile device security guidelines.04723
- •Include prohibiting the usage of unapproved application stores in the mobile device security guidelines.12290
- •Encrypt information stored on mobile devices.01422
- •Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls.00722
- •Establish, implement, and maintain asset return procedures.04537
- •Require the return of all assets upon notification an individual is terminated.06679
- •Install and maintain network jacks and outlet boxes.08635
- •Implement physical controls to restrict access to publicly accessible network jacks.11989
- •Enable network jacks at the patch panel, as necessary.06305
- •Implement logical controls to enable network jacks, as necessary.11934
- •Establish, implement, and maintain an environmental control program.00724
- •Establish, implement, and maintain environmental control procedures.12246
- •Protect power equipment and power cabling from damage or destruction.01438
- •Establish, implement, and maintain facility maintenance procedures.00710
- •Design the Information Technology facility with consideration given to natural disasters and man-made disasters.00712
- •Design the Information Technology facility with a low profile.16140
- •Build critical facilities according to applicable building codes.06366
- •Build critical facilities with fire resistant materials.06365
- •Define selection criteria for facility locations.06351
- •Establish, implement, and maintain a fire prevention and fire suppression standard.06695
- •Install and maintain fire protection equipment.00728
- •Install and maintain fire suppression systems.00729
- •Conduct periodic fire marshal inspections for all organizational facilities.04888
- •Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes.06362
- •Conduct fire drills, as necessary.13985
- •Employ environmental protections.12570
- •Monitor and review environmental protections.12571
- •Establish, implement, and maintain a Heating Ventilation and Air Conditioning system.00727
- •Install and maintain a moisture control system as a part of the climate control system.06694
- •Operational and Systems Continuity00731
- •Establish, implement, and maintain a business continuity program.13210
- •Involve auditors in reviewing and testing the business continuity program.13211
- •Establish, implement, and maintain a business continuity policy.12405
- •Establish, implement, and maintain a business continuity testing policy.13235
- •Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy.13257
- •Establish, implement, and maintain a continuity framework.00732
- •Establish and maintain the scope of the continuity framework.11908
- •Identify all stakeholders critical to the continuity of operations.12741
- •Explain any exclusions to the scope of the continuity framework.12236
- •Include the organization's business products and services in the scope of the continuity framework.12235
- •Include business units in the scope of the continuity framework.11898
- •Include information security continuity in the scope of the continuity framework.12009
- •Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework.12242
- •Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework.11907
- •Include Quality Management in the continuity framework.12239
- •Establish and maintain a system continuity plan philosophy.00734
- •Define the executive vision of the continuity planning process.01243
- •Include a pandemic plan in the continuity plan.06800
- •Establish, implement, and maintain continuity roles and responsibilities.00733
- •Coordinate continuity planning with other business units responsible for related plans.01386
- •Include continuity wrap-up procedures and continuity normalization procedures during continuity planning.00761
- •Establish, implement, and maintain a continuity plan.00752
- •Activate the continuity plan if the damage assessment report indicates the activation criterion has been met.01373
- •Report changes in the continuity plan to senior management.12757
- •Execute fail-safe procedures when an emergency occurs.07108
- •Lead or manage business continuity and system continuity, as necessary.12240
- •Allocate financial resources to implement the continuity plan, as necessary.12993
- •Include the continuity strategy in the continuity plan.13189
- •Restore systems and environments to be operational.13476
- •Include roles and responsibilities in the continuity plan, as necessary.13254
- •Document and use the lessons learned to update the continuity plan.10037
- •Monitor and evaluate business continuity management system performance.12410
- •Record business continuity management system performance for posterity.12411
- •Coordinate continuity planning with community organizations, as necessary.13259
- •Include incident management procedures in the continuity plan.13244
- •Include the use of virtual meeting tools in the continuity plan.14390
- •Include the annual statement based on the continuity plan review in the continuity plan.12775
- •Document the uninterrupted power requirements for all in scope systems.06707
- •Install an Uninterruptible Power Supply sized to support all critical systems.00725
- •Document all supporting information in the continuity plan, such as purpose, scope, and requirements.01371
- •Approve the continuity plan requirements before documenting the continuity plan.12778
- •Establish, implement, and maintain the organization's call tree.01167
- •Establish, implement, and maintain damage assessment procedures.01267
- •Establish, implement, and maintain a recovery plan.13288
- •Notify interested personnel and affected parties of updates to the recovery plan.13302
- •Test the recovery plan, as necessary.13290
- •Test the backup information, as necessary.13303
- •Document lessons learned from testing the recovery plan or an actual event.13301
- •Include restoration procedures in the continuity plan.01169
- •Include risk prioritized recovery procedures for each business unit in the recovery plan.01166
- •Include the recovery plan in the continuity plan.01377
- •Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties.12758
- •Establish, implement, and maintain organizational facility continuity plans.02224
- •Install and maintain redundant power supplies for critical facilities.06355
- •Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches.01439
- •Establish, implement, and maintain system continuity plan strategies.00735
- •Include emergency operating procedures in the continuity plan.11694
- •Include a system acquisition process for critical systems in the emergency mode operation plan.01369
- •Define and prioritize critical business functions.00736
- •Review and prioritize the importance of each business unit.01165
- •Review and prioritize the importance of each business process.11689
- •Document the mean time to failure for system components.10684
- •Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities.12759
- •Establish, implement, and maintain Recovery Time Objectives for all in scope services.12241
- •Establish, implement, and maintain Recovery Time Objectives for all in scope systems.11688
- •Define and prioritize critical business records.11687
- •Identify all critical business records.00737
- •Include the protection of personnel in the continuity plan.06378
- •Establish, implement, and maintain a critical personnel list.00739
- •Identify alternate personnel for each person on the critical personnel list.12771
- •Define the triggering events for when to activate the pandemic plan.06801
- •Establish, implement, and maintain a critical third party list.06815
- •Disseminate and communicate critical third party dependencies to interested personnel and affected parties.06816
- •Establish, implement, and maintain a critical resource list.00740
- •Define and maintain continuity Service Level Agreements for all critical resources.00741
- •Establish and maintain a core supply inventory required to support critical business functions.04890
- •Include server continuity procedures in the continuity plan.01379
- •Include telecommunications continuity procedures in the continuity plan.11691
- •Include system continuity procedures in the continuity plan.01268
- •Include Internet Service Provider continuity procedures in the continuity plan.00743
- •Include Wide Area Network continuity procedures in the continuity plan.01294
- •Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers.01397
- •Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards.01399
- •Include emergency power continuity procedures in the continuity plan.01254
- •Include evacuation procedures in the continuity plan.12773
- •Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan.01374
- •Establish, implement, and maintain physical hazard segregation or removal procedures.01248
- •Designate an alternate facility in the continuity plan.00742
- •Separate the alternate facility from the primary facility through geographic separation.01394
- •Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs.01391
- •Include technical preparation considerations for backup operations in the continuity plan.01250
- •Establish, implement, and maintain backup procedures for in scope systems.01258
- •Determine which data elements to back up.13483
- •Establish and maintain off-site electronic media storage facilities.00957
- •Separate the off-site electronic media storage facilities from the primary facility through geographic separation.01390
- •Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur.01393
- •Review the security of the off-site electronic media storage facilities, as necessary.00573
- •Store backup media at an off-site electronic media storage facility.01332
- •Transport backup media in lockable electronic media storage containers.01264
- •Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility.01257
- •Store backup vital records in a manner that is accessible for emergency retrieval.12765
- •Perform backup procedures for in scope systems.11692
- •Encrypt backup data.00958
- •Log the execution of each backup.00956
- •Test backup media for media integrity and information integrity, as necessary.01401
- •Test each restored system for media integrity and information integrity.01920
- •Include emergency communications procedures in the continuity plan.00750
- •Include managing multiple responding organizations in the emergency communications procedure.01249
- •Maintain contact information for key third parties in a readily accessible manner.12764
- •Log important conversations conducted during emergencies with third parties.12763
- •Identify the appropriate staff to route external communications to in the emergency communications procedures.12762
- •Identify who can speak to the media in the emergency communications procedures.12761
- •Use available financial resources for the efficaciousness of the service continuity strategy.01370
- •Include the ability to obtain additional liquidity in the continuity plan.12770
- •Include purchasing insurance in the continuity plan.00762
- •Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography.06682
- •Review the insurance coverage of the insurance policy, as necessary.12688
- •Disseminate and communicate the continuity plan to interested personnel and affected parties.00760
- •Store an up-to-date copy of the continuity plan at the alternate facility.01171
- •Establish, implement, and maintain a pandemic plan.13214
- •Match emergency policies to the level of disruption anticipated in the pandemic plan.14375
- •Identify employees who have family members who are first responders or medical personnel.14389
- •Identify tasks that can be accomplished at alternate work sites.14393
- •Include work that will be suspended during the pandemic in the pandemic plan.14380
- •Include alternate work locations in the pandemic plan.14376
- •Assign pandemic planning roles and responsibilities, as necessary.13230
- •Include a compensation plan in the pandemic plan.13231
- •Revalidate exceptions to the pandemic plan, as necessary.14395
- •Approve exceptions to the pandemic plan, as necessary.14392
- •Include a list of which emergency policies will preempt organizational policies during a pandemic in the pandemic plan.14374
- •Prepare the alternate facility for an emergency offsite relocation.00744
- •Establish, implement, and maintain Service Level Agreements for all alternate facilities.00745
- •Include that the shared service provider will not oversubscribe their services in the Service Level Agreement.04892
- •Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement.04893
- •Configure the alternate facility to meet the least needed operational capabilities.01395
- •Protect backup systems and restoration systems at the alternate facility.04883
- •Train personnel on the continuity plan.00759
- •Include stay at home order training in the continuity plan training.14382
- •Include avoiding unnecessary travel in the stay at home order training.14388
- •Include personal protection in continuity plan training.14394
- •Establish, implement, and maintain a business continuity plan testing program.14829
- •Establish, implement, and maintain a continuity test plan.04896
- •Include test scenarios in the continuity test plan.13506
- •Test the continuity plan, as necessary.00755
- •Include coverage of all major components in the scope of testing the continuity plan.12767
- •Include third party recovery services in the scope of testing the continuity plan.12766
- •Validate the emergency communications procedures during continuity plan tests.12777
- •Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan.12769
- •Test the continuity plan under conditions that simulate a disaster or disruption.00757
- •Validate the evacuation plans during continuity plan tests.12760
- •Test the continuity plan at the alternate facility.01174
- •Coordinate testing the continuity plan with all applicable business units and critical business functions.01388
- •Review all third party's continuity plan test results.01365
- •Document the continuity plan test results and provide them to interested personnel and affected parties.06548
- •Human Resources management00763
- •Establish, implement, and maintain high level operational roles and responsibilities.00806
- •Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program.13112
- •Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures.00807
- •Define and assign the Chief Information Officer's roles and responsibilities.00808
- •Define and assign the Information Technology staff's roles and responsibilities.00809
- •Define and assign the technology security leader's roles and responsibilities.01897
- •Define and assign the Chief Security Officer's roles and responsibilities.06431
- •Establish and maintain an Information Technology steering committee.12706
- •Convene the Information Technology steering committee, as necessary.12730
- •Assign reviewing investments to the Information Technology steering committee, as necessary.13625
- •Define and assign workforce roles and responsibilities.13267
- •Establish, implement, and maintain cybersecurity roles and responsibilities.13201
- •Assign roles and responsibilities for physical security, as necessary.13113
- •Define and assign roles and responsibilities for those involved in risk management.13660
- •Assign the roles and responsibilities for the change control program.13118
- •Identify and define all critical roles.00777
- •Assign responsibility for cyber threat intelligence.12746
- •Define and assign the data controller's roles and responsibilities.00471
- •Assign the role of data controller to applicable controls.00354
- •Assign the role of the Quality Management committee to applicable controls.00769
- •Assign interested personnel to the Quality Management committee.07193
- •Assign the role of fire protection management to applicable controls.04891
- •Define and assign roles and responsibilities for dispute resolution.13626
- •Analyze workforce management.12844
- •Identify root causes of staffing shortages, if any exist.13276
- •Establish, implement, and maintain a personnel management program.14018
- •Establish, implement, and maintain a succession plan for organizational leaders and support personnel.11822
- •Establish, implement, and maintain onboarding procedures for new hires.11760
- •Train all new hires, as necessary.06673
- •Establish, implement, and maintain a personnel security program.10628
- •Establish, implement, and maintain security clearance level criteria.00780
- •Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies.00782
- •Establish, implement, and maintain personnel screening procedures.11700
- •Perform a background check during personnel screening.11758
- •Perform a criminal records check during personnel screening.06643
- •Perform an academic records check during personnel screening.06647
- •Perform a curriculum vitae check during personnel screening.06660
- •Document the personnel risk assessment results.11764
- •Establish, implement, and maintain security clearance procedures.00783
- •Perform periodic background checks on designated roles, as necessary.11759
- •Establish, implement, and maintain personnel status change and termination procedures.06549
- •Notify terminated individuals of applicable, legally binding post-employment requirements.10630
- •Enforce the information security responsibilities and duties that remain valid after termination or change of employment.11992
- •Update contact information of any individual undergoing a personnel status change, as necessary.12692
- •Establish and maintain the staff structure in line with the strategic plan.00764
- •Document and communicate role descriptions to all applicable personnel.00776
- •Assign and staff all roles appropriately.00784
- •Delegate authority for specific processes, as necessary.06780
- •Implement a staff rotation plan.12772
- •Place Information Technology operations in a position to support the business model.00766
- •Implement personnel supervisory practices.00773
- •Implement segregation of duties in roles and responsibilities.00774
- •Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical.06960
- •Evaluate the staffing requirements regularly.00775
- •Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff.00779
- •Establish job categorization criteria, job recruitment criteria, and promotion criteria.00781
- •Establish, implement, and maintain a compensation, reward, and recognition program.12806
- •Use rewards and career development to motivate personnel.06906
- •Train all personnel and third parties, as necessary.00785
- •Establish, implement, and maintain an education methodology.06671
- •Support certification programs as viable training programs.13268
- •Retrain all personnel, as necessary.01362
- •Tailor training to meet published guidance on the subject being taught.02217
- •Tailor training to be taught at each person's level of responsibility.06674
- •Conduct cross-training or staff backup training to minimize dependency on critical individuals.00786
- •Document all training in a training record.01423
- •Conduct tests and evaluate training.06672
- •Review the current published guidance and awareness and training programs.01245
- •Establish, implement, and maintain training plans.00828
- •Train personnel to recognize conditions of diseases or sicknesses, as necessary.14383
- •Include prevention techniques in training regarding diseases or sicknesses.14387
- •Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses.14386
- •Train personnel to identify and communicate symptoms of exposure to disease or sickness.14385
- •Develop or acquire content to update the training plans.12867
- •Include ethical culture in the training plan, as necessary.12801
- •Include duties and responsibilities in the training plan, as necessary.12800
- •Conduct bespoke roles and responsibilities training, as necessary.13192
- •Conduct personal data processing training.13757
- •Establish, implement, and maintain a security awareness program.11746
- •Include configuration management procedures in the security awareness program.13967
- •Document security awareness requirements.12146
- •Include updates on emerging issues in the security awareness program.13184
- •Include cybersecurity in the security awareness program.13183
- •Include training based on the participants' level of responsibility and access level in the security awareness program.11802
- •Document the goals of the security awareness program.12145
- •Disseminate and communicate the security awareness program to all interested personnel and affected parties.00823
- •Train all personnel and third parties on how to recognize and report security incidents.01211
- •Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies.01363
- •Conduct secure coding and development training for developers.06822
- •Conduct tampering prevention training.11875
- •Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training.11877
- •Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training.11876
- •Include how to report tampering and unauthorized substitution in the tampering prevention training.11879
- •Include how to prevent physical tampering in the tampering prevention training.11878
- •Train interested personnel and affected parties to collect digital forensic evidence.08658
- •Analyze and evaluate training records to improve the training program.06380
- •Establish, implement, and maintain an occupational health and safety management system.16201
- •Establish, implement, and maintain an occupational health and safety policy.00716
- •Establish, implement, and maintain health and safety personnel disinfecting procedures.06802
- •Provide protective face masks for critical personnel, as necessary.06803
- •Establish, implement, and maintain food handling procedures.11765
- •Vaccinate critical employees, as necessary.06805
- •Establish, implement, and maintain a travel program for all personnel.10597
- •Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally.06076
- •Establish, implement, and maintain a Code of Conduct.04897
- •Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment.12029
- •Take disciplinary actions against individuals who violate the Code of Conduct.06435
- •Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.06664
- •Establish, implement, and maintain performance reviews.14777
- •Conduct staff performance reviews, as necessary.07205
- •Establish, implement, and maintain an ethics program.11496
- •Establish, implement, and maintain an ethical culture.12781
- •Establish mechanisms for whistleblowers to report compliance violations.06806
- •Refrain from assigning roles and responsibilities that breach segregation of duties.12055
- •Operational management00805
- •Establish, implement, and maintain a capacity management plan.11751
- •Establish, implement, and maintain a capacity planning baseline.13492
- •Establish, implement, and maintain future system capacity forecasting methods.01617
- •Align critical Information Technology resource availability planning with capacity planning.01618
- •Forecast system workloads.00938
- •Utilize resource capacity management controls.00939
- •Manage cloud services.13144
- •Protect clients' hosted environments.11862
- •Notify cloud customers of the geographic locations of the cloud service organization and its assets.13037
- •Establish, implement, and maintain cloud service agreements.13157
- •Establish, implement, and maintain cloud management procedures.13149
- •Establish, implement, and maintain a cloud service usage standard.13143
- •Include the roles and responsibilities of cloud service users in the cloud service usage standard.13984
- •Monitor managing cloud services.13150
- •Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties.13159
- •Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties.13147
- •Document the organization's business processes.13035
- •Establish, implement, and maintain a Governance, Risk, and Compliance framework.01406
- •Include enterprise architecture in the Governance, Risk, and Compliance framework.13266
- •Acquire resources necessary to support Governance, Risk, and Compliance.12861
- •Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities.12895
- •Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives.12809
- •Assign accountability for maintaining the Governance, Risk, and Compliance framework.12523
- •Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework.12524
- •Establish, implement, and maintain a positive information control environment.00813
- •Establish, implement, and maintain an internal control framework.00820
- •Measure policy compliance when reviewing the internal control framework.06442
- •Assign resources to implement the internal control framework.00816
- •Establish, implement, and maintain a baseline of internal controls.12415
- •Include procedures for continuous quality improvement in the internal control framework.00819
- •Include threat assessment in the internal control framework.01347
- •Include vulnerability management and risk assessment in the internal control framework.13102
- •Automate vulnerability management, as necessary.11730
- •Include continuous security warning monitoring procedures in the internal control framework.01358
- •Include security information sharing procedures in the internal control framework.06489
- •Share relevant security information with Special Interest Groups, as necessary.11732
- •Include incident response escalation procedures in the internal control framework.11745
- •Include continuous user account management procedures in the internal control framework.01360
- •Authorize and document all exceptions to the internal control framework.06781
- •Disseminate and communicate the internal control framework to all interested personnel and affected parties.15229
- •Establish, implement, and maintain an information security program.00812
- •Include technical safeguards in the information security program.12374
- •Include system development in the information security program.12389
- •Include system acquisition in the information security program.12387
- •Include communication management in the information security program.12384
- •Include a continuous monitoring program in the information security program.14323
- •Include risk management in the information security program.12378
- •Provide management direction and support for the information security program.11999
- •Monitor and review the effectiveness of the information security program.12744
- •Establish, implement, and maintain an information security policy.11740
- •Align the information security policy with the organization's risk acceptance level.13042
- •Include a commitment to the information security requirements in the information security policy.13496
- •Include information security objectives in the information security policy.13493
- •Establish, implement, and maintain information security procedures.12006
- •Approve the information security policy at the organization's management level or higher.11737
- •Document the roles and responsibilities for all activities that protect restricted data in the information security procedures.12304
- •Assign ownership of the information security program to the appropriate role.00814
- •Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role.11884
- •Assign information security responsibilities to interested personnel and affected parties in the information security program.11885
- •Assign the responsibility for distributing the information security program to the appropriate role.11883
- •Disseminate and communicate the information security policy to interested personnel and affected parties.11739
- •Establish, implement, and maintain operational control procedures.00831
- •Establish, implement, and maintain a Standard Operating Procedures Manual.00826
- •Include information sharing procedures in standard operating procedures.12974
- •Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties.12026
- •Establish, implement, and maintain a job scheduling methodology.00834
- •Establish, implement, and maintain a data processing continuity plan.00836
- •Establish, implement, and maintain the Acceptable Use Policy.01350
- •Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.01351
- •Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy.11894
- •Include Bring Your Own Device usage in the Acceptable Use Policy.12293
- •Include Bring Your Own Device security guidelines in the Acceptable Use Policy.01352
- •Include asset tags in the Acceptable Use Policy.01354
- •Include asset use policies in the Acceptable Use Policy.01355
- •Include authority for access authorization lists for assets in all relevant Acceptable Use Policies.11872
- •Include access control mechanisms in the Acceptable Use Policy.01353
- •Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy.11892
- •Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy.11893
- •Correlate the Acceptable Use Policy with the network security policy.01356
- •Include appropriate network locations for each technology in the Acceptable Use Policy.11881
- •Correlate the Acceptable Use Policy with the approved product list.01357
- •Include disciplinary actions in the Acceptable Use Policy.00296
- •Include a software installation policy in the Acceptable Use Policy.06749
- •Document idle session termination and logout for remote access technologies in the Acceptable Use Policy.12472
- •Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties.12431
- •Establish, implement, and maintain an e-mail policy.06439
- •Include business use of personal e-mail in the e-mail policy.14381
- •Protect policies, standards, and procedures from unauthorized modification or disclosure.10603
- •Establish, implement, and maintain nondisclosure agreements.04536
- •Require interested personnel and affected parties to sign nondisclosure agreements.06667
- •Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary.06669
- •Implement and comply with the Governance, Risk, and Compliance framework.00818
- •Analyze the organizational culture.12899
- •Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture.12922
- •Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework.11747
- •Comply with all implemented policies in the organization's compliance framework.06384
- •Review systems for compliance with organizational information security policies.12004
- •Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.00815
- •Establish, implement, and maintain a Service Management System.13889
- •Establish, implement, and maintain a service management program.11388
- •Include the service management objectives in the service management program.11389
- •Include the service requirements in the service management program.11390
- •Include known limitations in the service management program.11391
- •Include all resources needed to achieve the objectives in the service management program.11394
- •Include all technologies used to support service management in the service management program.11398
- •Establish, implement, and maintain a network management program.13123
- •Document the network design in the network management program.13135
- •Establish, implement, and maintain an Asset Management program.06630
- •Assign an information owner to organizational assets, as necessary.12729
- •Establish, implement, and maintain classification schemes for all systems and assets.01902
- •Apply security controls to each level of the information classification standard.01903
- •Define confidentiality controls.01908
- •Establish, implement, and maintain the systems' availability level.01905
- •Establish, implement, and maintain the systems' integrity level.01906
- •Define availability controls.01911
- •Classify assets according to the Asset Classification Policy.07186
- •Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy.07184
- •Establish, implement, and maintain an asset inventory.06631
- •Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails.00689
- •Include each Information System's system boundaries in the Information Technology inventory.00695
- •Establish, implement, and maintain a hardware asset inventory.00691
- •Include network equipment in the Information Technology inventory.00693
- •Include mobile devices that store restricted data or restricted information in the Information Technology inventory.04719
- •Include software in the Information Technology inventory.00692
- •Establish and maintain a list of authorized software and versions required for each system.12093
- •Establish, implement, and maintain a storage media inventory.00694
- •Include all electronic storage media containing restricted data or restricted information in the storage media inventory.00962
- •Establish, implement, and maintain a records inventory and database inventory.01260
- •Record the make, model of device for applicable assets in the asset inventory.12465
- •Record the physical location for applicable assets in the asset inventory.06634
- •Record the manufacturer's serial number for applicable assets in the asset inventory.06635
- •Record the owner for applicable assets in the asset inventory.06640
- •Record all changes to assets in the asset inventory.12190
- •Establish, implement, and maintain a software accountability policy.00868
- •Establish, implement, and maintain software asset management procedures.00895
- •Establish, implement, and maintain a system redeployment program.06276
- •Wipe all data on systems prior to when the system is redeployed or the system is disposed.06401
- •Establish, implement, and maintain a system disposal program.14431
- •Establish, implement, and maintain a system preventive maintenance program.00885
- •Establish and maintain maintenance reports.11749
- •Conduct maintenance with authorized personnel.01434
- •Acquire spare parts prior to when maintenance requests are scheduled.11833
- •Perform periodic maintenance according to organizational standards.01435
- •Calibrate assets according to the calibration procedures for the asset.06203
- •Post calibration limits or calibration tolerances on or near assets requiring calibration.06204
- •Dispose of hardware and software at their life cycle end.06278
- •Establish, implement, and maintain a customer service program.00846
- •Establish, implement, and maintain an Incident Management program.00853
- •Define and assign the roles and responsibilities for Incident Management program.13055
- •Include incident escalation procedures in the Incident Management program.00856
- •Define the characteristics of the Incident Management program.00855
- •Include the criteria for an incident in the Incident Management program.12173
- •Include intrusion detection procedures in the Incident Management program.00588
- •Categorize the incident following an incident response.13208
- •Define and document impact thresholds to be used in categorizing incidents.10033
- •Determine the incident severity level when assessing the security incidents.01650
- •Identify root causes of incidents that force system changes.13482
- •Respond to and triage when an incident is detected.06942
- •Document the incident and any relevant evidence in the incident report.08659
- •Respond to all alerts from security systems in a timely manner.06434
- •Coordinate incident response activities with interested personnel and affected parties.13196
- •Contain the incident to prevent further loss and preserve the system for forensic analysis.01751
- •Assess all incidents to determine what information was accessed.01226
- •Check the precursors and indicators when assessing the security incidents.01761
- •Share incident information with interested personnel and affected parties.01212
- •Share data loss event information with the media.01759
- •Include data loss event notifications in the Incident Response program.00364
- •Include legal requirements for data loss event notifications in the Incident Response program.11954
- •Notify interested personnel and affected parties of the privacy breach that affects their personal data.00365
- •Establish, implement, and maintain incident response notifications.12975
- •Include information required by law in incident response notifications.00802
- •Include a "What We Are Doing" heading in the breach notification.12982
- •Include what the organization has done to enhance data protection controls in incident response notifications.04736
- •Include incident recovery procedures in the Incident Management program.01758
- •Establish, implement, and maintain a restoration log.12745
- •Analyze security violations in Suspicious Activity Reports.00591
- •Update the incident response procedures using the lessons learned.01233
- •Include incident monitoring procedures in the Incident Management program.01207
- •Include incident response procedures in the Incident Management program.01218
- •Integrate configuration management procedures into the incident management program.13647
- •Include incident management procedures in the Incident Management program.12689
- •Establish, implement, and maintain temporary and emergency access authorization procedures.00858
- •Include after-action analysis procedures in the Incident Management program.01219
- •Conduct incident investigations, as necessary.13826
- •Analyze the behaviors of individuals involved in the incident during incident investigations.14042
- •Interview suspects during incident investigations, as necessary.14041
- •Interview victims and witnesses during incident investigations, as necessary.14038
- •Establish, implement, and maintain incident management audit logs.13514
- •Log incidents in the Incident Management audit log.00857
- •Include the organizational functions affected by disruption in the Incident Management audit log.12238
- •Include the organization's business products and services affected by disruptions in the Incident Management audit log.12234
- •Include incident record closure procedures in the Incident Management program.01620
- •Include incident reporting procedures in the Incident Management program.11772
- •Establish, implement, and maintain a customer service business function.00847
- •Confirm the customer agrees with the resolution process associated with the complaint.13630
- •Document the resolution of issues reported to customer service.12918
- •Investigate and take action regarding help desk queries.06324
- •Log help desk queries.00848
- •Establish, implement, and maintain help desk query escalation procedures.00849
- •Establish, implement, and maintain help desk query clearance procedures.00850
- •Establish, implement, and maintain help desk query trend analysis procedures.00851
- •Provide customer security advice, as necessary.13674
- •Establish, implement, and maintain an Incident Response program.00579
- •Create an incident response report following an incident response.12700
- •Include the number of customers that were affected by the incident in the incident response report.12727
- •Include the scope of the incident in the incident response report.12717
- •Include the reasons the incident occurred in the incident response report.12711
- •Include lessons learned from the incident in the incident response report.12713
- •Include corrective action taken to eradicate the incident in the incident response report.12708
- •Include a description of the impact the incident had on operations in the incident response report.12703
- •Include a root cause analysis of the incident in the incident response report.12701
- •Define target resolution times for incident response in the Incident Response program.13072
- •Analyze and respond to security alerts.12504
- •Mitigate reported incidents.12973
- •Establish, implement, and maintain an incident response plan.12056
- •Establish, implement, and maintain a cyber incident response plan.13286
- •Include incident response team structures in the Incident Response program.01237
- •Include the incident response team member's roles and responsibilities in the Incident Response program.01652
- •Include the incident response point of contact's roles and responsibilities in the Incident Response program.01877
- •Notify interested personnel and affected parties that a security breach was detected.11788
- •Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program.01885
- •Assign the distribution of security alerts to the appropriate role in the incident response program.11887
- •Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program.11886
- •Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program.12473
- •Assign the distribution of incident response procedures to the appropriate role in the incident response program.12474
- •Include personnel contact information in the event of an incident in the Incident Response program.06385
- •Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program.11789
- •Include procedures for providing updated status information to the crisis management team in the incident response plan.12776
- •Include coverage of all system components in the Incident Response program.11955
- •Include incident response team services in the Incident Response program.11766
- •Include the incident response training program in the Incident Response program.06750
- •Incorporate realistic exercises that are tested into the incident response training program.06753
- •Conduct incident response training.11889
- •Establish, implement, and maintain incident response procedures.01206
- •Include references to industry best practices in the incident response procedures.11956
- •Include responding to alerts from security monitoring systems in the incident response procedures.11949
- •Include business continuity procedures in the Incident Response program.06433
- •Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures.06432
- •Establish trust between the incident response team and the end user community during an incident.01217
- •Include business recovery procedures in the Incident Response program.11774
- •Establish, implement, and maintain a digital forensic evidence framework.08652
- •Retain collected evidence for potential future legal actions.01235
- •Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence.08686
- •Define the business scenarios that require digital forensic evidence.08653
- •Define the circumstances for collecting digital forensic evidence.08657
- •Conduct forensic investigations in the event of a security compromise.11951
- •Contact affected parties to participate in forensic investigations, as necessary.12343
- •Identify potential sources of digital forensic evidence.08651
- •Document the legal requirements for evidence collection.08654
- •Establish, implement, and maintain a digital forensic evidence collection program.08655
- •Establish, implement, and maintain secure storage and handling of evidence procedures.08656
- •Prepare digital forensic equipment.08688
- •Use digital forensic equipment suitable to the circumstances.08690
- •Test the operation of the digital forensic equipment prior to use.08694
- •Collect evidence from the incident scene.02236
- •Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report.08679
- •Secure devices containing digital forensic evidence.08681
- •Use a write blocker to prevent digital forensic evidence from being modified.08692
- •Create a system image of the device before collecting digital forensic evidence.08673
- •Disseminate and communicate the incident response procedures to all interested personnel and affected parties.01215
- •Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results.12306
- •Test the incident response procedures.01216
- •Establish, implement, and maintain a performance management standard.01615
- •Establish, implement, and maintain future system performance forecasting methods.11775
- •Utilize resource availability management controls.00940
- •Establish, implement, and maintain rate limiting filters.06883
- •Establish, implement, and maintain system capacity monitoring procedures.01619
- •Establish, implement, and maintain system performance monitoring procedures.11752
- •Establish, implement, and maintain a collection management program.14013
- •Receive and follow up on information collection requests.14075
- •Track status of information collection requests.14265
- •Validate the link between critical information requirements and intelligence requirements in information collection requests.14090
- •Develop information requirements for following up on information collection requests.14077
- •Submit information collection requests for processing.14259
- •Solicit feedback on the follow up quality of information requests.14254
- •Disseminate information collected using collection resources to all interested personnel and affected parties.14089
- •Establish, implement, and maintain a collection plan.14021
- •Document changes to the collection plan that affect collection assets.14079
- •Include collection requirements in the collection plan.14036
- •Review collection requirements in the collection plan, as necessary.14088
- •Include collection plans in other governance documents, as necessary.14261
- •Modify collection requirements, as necessary.14076
- •Request discipline-specific exploitation for information collected using collection resources.14087
- •Request discipline-specific processing for information collected using collection resources.14085
- •Allocate collection assets as defined in the collection plan.14083
- •Monitor collection activities.14046
- •Evaluate the effectiveness of collection assets against the collection plan.14082
- •Evaluate the effectiveness of collection operations against the collection plan.14043
- •Compile lessons learned from collection management activity's execution of the collection plan.14264
- •Optimize collection resources, as necessary.14086
- •Adjust collection operations or the collection plan itself, as necessary.14080
- •Communicate the collection management program to all interested personnel and affected parties.14263
- •Link collection requirements to assets and resources in the collection plan.14040
- •Establish and maintain electronic target folders, as necessary.14320
- •Provide feedback regarding the collection management program to all interested personnel and affected parties.14262
- •Provide language analysis support, as necessary.14084
- •Transcribe voice materials, as necessary.14260
- •Establish, implement, and maintain a Service Level Agreement framework.00839
- •Include exceptions in the Service Level Agreements, as necessary.13912
- •Include the appropriate aspects of the Quality Management program in the Service Level Agreement.00845
- •Include the organizational structure for service level management in the Service Level Agreement framework.13633
- •Include capacity planning in Service Level Agreements.13096
- •Include Operational Level Agreements within Service Level Agreements, as necessary.13631
- •Include funding sources in Service Level Agreements, as necessary.13632
- •Include business requirements of delivered services in the Service Level Agreement.00840
- •Include performance requirements in the Service Level Agreement.00841
- •Include the service levels for network services in the Service Level Agreement.12024
- •Include availability requirements in Service Level Agreements.13095
- •Establish, implement, and maintain a cost management program.13638
- •Establish, implement, and maintain cost management procedures.00873
- •Update the business cases for cost management procedures, as necessary.13642
- •Perform an impact assessment of any deviations found in the cost management procedures.13641
- •Identify deviations in cost management procedures.13640
- •Identify and allocate departmental costs.00871
- •Establish, implement, and maintain an Information Technology financial management framework.01610
- •Prepare an Information Technology budget, as necessary.00872
- •Review and approve the Information Technology budget.13644
- •Update the Information Technology budget, as necessary.13643
- •Justify the system's cost and benefit.00874
- •Compare actual Information Technology costs to forecasted Information Technology budgets.11753
- •Establish, implement, and maintain a change control program.00886
- •Include potential consequences of unintended changes in the change control program.12243
- •Include version control in the change control program.13119
- •Separate the production environment from development environment or test environment for the change control process.11864
- •Integrate configuration management procedures into the change control program.13646
- •Establish, implement, and maintain a back-out plan.13623
- •Establish, implement, and maintain back-out procedures for each proposed change in a change request.00373
- •Approve back-out plans, as necessary.13627
- •Manage change requests.00887
- •Include documentation of the impact level of proposed changes in the change request.11942
- •Document all change requests in change request forms.06794
- •Examine all changes to ensure they correspond with the change request.12345
- •Approve tested change requests.11783
- •Disseminate and communicate proposed changes to all interested personnel and affected parties.06807
- •Establish, implement, and maintain emergency change procedures.00890
- •Perform emergency changes, as necessary.12707
- •Log emergency changes after they have been performed.12733
- •Perform risk assessments prior to approving change requests.00888
- •Implement changes according to the change control program.11776
- •Provide audit trails for all approved changes.13120
- •Establish, implement, and maintain a patch management program.00896
- •Implement patch management software, as necessary.12094
- •Establish, implement, and maintain a patch log.01642
- •Deploy software patches.07032
- •Patch software.11825
- •Update computer firmware, as necessary.11755
- •Implement cryptographic mechanisms to authenticate software and computer firmware before installation.10682
- •Mitigate the adverse effects of unauthorized changes.12244
- •Establish, implement, and maintain approved change acceptance testing procedures.06391
- •Test the system's operational functionality after implementing approved changes.06294
- •Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred.04541
- •Update associated documentation after the system configuration has been changed.00891
- •Establish, implement, and maintain production process control procedures.06209
- •Establish, implement, and maintain a service delivery and production process Quality Management program.07194
- •Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary.07197
- •Document the organization's local environments.06726
- •Establish, implement, and maintain local environment security profiles.07037
- •Include the technology used in the local environment in the local environment security profile.07040
- •Manage the creation of products and services, as necessary.13497
- •Define the processing activities to meet products and services creation requirements.13499
- •Establish and maintain a service catalog.13634
- •Include a service description in the service catalog.13917
- •Include Service Level Agreements in the service catalog, as necessary.13636
- •Include Information Technology services in the service catalog, as necessary.13635
- •Base definitions of Information Technology services on their service characteristics.13655
- •Conduct official proceedings, as necessary.13836
- •Support legal counsel during the judicial process.14019
- •System hardening through configuration management00860
- •Establish, implement, and maintain a Configuration Management program.00867
- •Establish, implement, and maintain a configuration management plan.01901
- •Employ the Configuration Management program.11904
- •Record Configuration Management items in the Configuration Management database.00861
- •Disseminate and communicate the configuration management program to all interested personnel and affected parties.11946
- •Establish, implement, and maintain a configuration baseline based on the least functionality principle.00862
- •Identify and document the system's Configurable Items.02133
- •Define the relationships and dependencies between Configurable Items.02134
- •Establish, implement, and maintain a system hardening standard.00876
- •Establish, implement, and maintain configuration standards for all systems based upon industry best practices.11953
- •Include common security parameter settings in the configuration standards for all systems.12544
- •Apply configuration standards to all systems, as necessary.12503
- •Configure security parameter settings on all system components appropriately.12041
- •Establish, implement, and maintain system hardening procedures.12001
- •Configure session timeout and reauthentication settings according to organizational standards.12460
- •Use the latest version of all software.00897
- •Install all available critical security updates and important security updates in a timely manner.01696
- •Change default configurations, as necessary.00877
- •Reconfigure the encryption keys from their default setting or previous setting.06079
- •Establish, implement, and maintain procedures to standardize operating system software installation.00869
- •Configure virtual networks in accordance with the information security policy.13165
- •Configure Simple Network Management Protocol (SNMP) to organizational standards.12423
- •Change the default community string for Simple Network Management Protocol.01872
- •Configure the system's storage media.10618
- •Configure the system's electronic storage media's encryption settings.11927
- •Implement only one application or primary function per network component or server.00879
- •Disable telnet unless telnet use is absolutely necessary.01478
- •Remove all unnecessary functionality.00882
- •Document that all enabled functions support secure configurations.11985
- •Disable all unnecessary applications unless otherwise noted in a policy exception.04827
- •Install and enable public Instant Messaging clients as necessary.02173
- •Disable all unnecessary services unless otherwise noted in a policy exception.00880
- •Configure the settings of the system registry and the systems objects (for Windows OS only).01781
- •Configure the system to protect against source-routing spoofing.01793
- •Establish, implement, and maintain authenticators.15305
- •Establish, implement, and maintain an authenticator standard.01702
- •Establish, implement, and maintain an authenticator management system.12031
- •Establish, implement, and maintain authenticator procedures.12002
- •Configure authenticators to comply with organizational standards.06412
- •Configure the system to require new users to change their authenticator on first use.05268
- •Configure the system to encrypt authenticators.06735
- •Configure the "minimum number of digits required for new passwords" setting to organizational standards.08717
- •Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards.08718
- •Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards.08719
- •Configure the "minimum number of special characters required for new passwords" setting to organizational standards.08720
- •Change all default authenticators.15309
- •Configure the system security parameters to prevent system misuse or information misappropriation.00881
- •Configure the system account settings and the permission settings in accordance with the organizational standards.01538
- •Configure user accounts.07036
- •Remove unnecessary default accounts.01539
- •Disable or delete shared User IDs.12478
- •Disable or delete generic user IDs.12479
- •Disable all unnecessary user identifiers.02185
- •Configure accounts with administrative privilege.07033
- •Employ multifactor authentication for accounts with administrative privilege.12496
- •Encrypt non-console administrative access.00883
- •Invoke a strong encryption method before requesting an authenticator.11986
- •Establish, implement, and maintain network parameter modification procedures.01517
- •Create an access control list on Network Access and Control Points to restrict access.04810
- •Configure the time server in accordance with organizational standards.06426
- •Configure the time server to synchronize with specifically designated hosts.06427
- •Restrict access to time server configuration to personnel with a business need.06858
- •Keep current the time synchronization technology.12548
- •Configure mobile device settings in accordance with organizational standards.04600
- •Configure mobile devices to enable remote wipe.12212
- •Certify and accredit the system before releasing it into a production environment.06419
- •Establish, implement, and maintain virtualization configuration settings.07110
- •Implement the security features of hypervisor to protect virtual machines.12176
- •Configure Services settings to organizational standards.07434
- •Configure the "Group Policy Client" to organizational standards.07522
- •Configure Account settings in accordance with organizational standards.07603
- •Configure the "Account lockout threshold" to organizational standards.07604
- •Configure the "Account lockout duration" to organizational standards.07771
- •Configure system integrity settings to organizational standards.07605
- •Configure the "Turn on script execution" to organizational standards.08411
- •Configure Logging settings in accordance with organizational standards.07611
- •Configure the security parameters for all logs.01712
- •Configure the log to capture audit log initialization, along with auditable event selection.00649
- •Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc.06331
- •Configure the log to capture creates, reads, updates, or deletes of records containing personal data.11890
- •Configure the log to capture the user's identification.01334
- •Configure the log to capture a date and time stamp.01336
- •Configure the log to capture each auditable event's origination.01338
- •Configure the log to uniquely identify each asset.01339
- •Configure the log to capture the type of each event.06423
- •Configure the log to capture each event's success or failure indication.06424
- •Configure all logs to capture auditable events or actionable events.06332
- •Configure the log to capture logons, logouts, logon attempts, and logout attempts.01915
- •Configure the log to capture access to restricted data or restricted information.00644
- •Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.00645
- •Configure the log to capture identification and authentication mechanism use.00648
- •Configure the log to capture all access to the audit trail.00646
- •Configure the log to capture Object access to key directories or key files.01697
- •Configure the log to capture system level object creation and deletion.00650
- •Configure the log to capture configuration changes.06881
- •Log, monitor, and review all changes to time settings on critical systems.11608
- •Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes.01698
- •Configure the "Audit Policy: DS Access: Directory Service Replication" to organizational standards.07734
- •Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.07621
- •Configure the "Maximum password age" to organizational standards.07688
- •Configure the "Minimum password length" to organizational standards.07711
- •Configure the "Password must meet complexity requirements" to organizational standards.07743
- •Configure the "Enforce password history" to organizational standards.07877
- •Configure security and protection software according to Organizational Standards.11917
- •Configure security and protection software to automatically run at startup.12443
- •Configure security and protection software to check for up-to-date signature files.00576
- •Configure security and protection software to enable automatic updates.11945
- •Configure File Integrity Monitoring Software to Organizational Standards.11923
- •Configure the file integrity monitoring software to perform critical file comparisons, as necessary.11924
- •Configure network switches to organizational standards.12120
- •Audit the configuration of organizational assets, as necessary.13653
- •Audit assets after maintenance was performed.13657
- •Records management00902
- •Establish, implement, and maintain a translation management program.14316
- •Translate graphic materials, as necessary.14324
- •Establish, implement, and maintain an information management program.14315
- •Establish, implement, and maintain records management policies.00903
- •Establish, implement, and maintain a record classification scheme for forms.00911
- •Establish, implement, and maintain form creation, management, and distribution procedures.06393
- •Establish, implement, and maintain a record classification scheme.00914
- •Allocate record identifiers to reference the records as a part of document tracking.11662
- •Define each system's preservation requirements for records and logs.00904
- •Establish, implement, and maintain a data retention program.00906
- •Select the appropriate format for archived data and records.06320
- •Determine how long to keep records and logs before disposing them.11661
- •Retain records in accordance with applicable requirements.00968
- •Establish, implement, and maintain storage media disposition and destruction procedures.11657
- •Sanitize all electronic storage media before disposing a system or redeploying a system.01643
- •Destroy electronic storage media following the storage media disposition and destruction procedures.00970
- •Define each system's disposition requirements for records and logs.11651
- •Establish, implement, and maintain records disposition procedures.00971
- •Remove and/or destroy records according to the records' retention event and retention period schedule.06621
- •Place printed records awaiting destruction into secure containers.12464
- •Destroy printed records so they cannot be reconstructed.11779
- •Automate a programmatic process to remove stored data and records that exceed retention requirements.06082
- •Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures.11962
- •Establish, implement, and maintain records management procedures.11619
- •Review the information that the organization collects, processes, and stores, as necessary.12988
- •Review the information classification of the information that the organization collects, processes, and stores, as necessary.13008
- •Review the electronic storage media for the information the organization collects and processes.13009
- •Establish, implement, and maintain source document error handling tracking.01263
- •Establish, implement, and maintain data accuracy controls.00921
- •Protect records from loss in accordance with applicable requirements.12007
- •Establish, implement, and maintain data completeness controls.11649
- •Capture the records required by organizational compliance requirements.00912
- •Assign the appropriate information classification to records imported into the Records Management system.04555
- •Include record integrity techniques in the records management procedures.06418
- •Control error handling when data is being inputted.00922
- •Establish, implement, and maintain data processing integrity controls.00923
- •Establish, implement, and maintain Automated Data Processing validation checks and editing checks.00924
- •Establish, implement, and maintain document security requirements for the output of records.11656
- •Establish, implement, and maintain electronic storage media management procedures.00931
- •Establish and maintain access controls for all records.00371
- •Establish, implement, and maintain a records lifecycle management program.00951
- •Establish, implement, and maintain information preservation procedures.06277
- •Implement and maintain backups and duplicate copies of organizational records.00953
- •Establish, implement, and maintain online storage controls.00942
- •Establish, implement, and maintain security controls appropriate to the record types and electronic storage media.00943
- •Store records on non-rewritable, non-erasable storage media formats, as necessary.00944
- •Provide encryption for different types of electronic storage media.00945
- •Establish, implement, and maintain a removable storage media log.12317
- •Include the date and time in the removable storage media log.12318
- •Include the number of physical media used for the data transfer in the removable storage media log.12754
- •Include the recipient's name for the data transfer in the removable storage media log.12753
- •Include the sender's name in the removable storage media log.12752
- •Include the type of physical media being used for the data transfer in the removable storage media log.12751
- •Establish, implement, and maintain output distribution procedures.00927
- •Establish, implement, and maintain document retention procedures.11660
- •Physically secure printed records.11778
- •Establish, implement, and maintain an e-discovery program.00976
- •Establish, implement, and maintain a document retrieval system to use during e-discovery.00985
- •Systems design, build, and implementation00989
- •Establish, implement, and maintain a System Development Life Cycle program.11823
- •Perform a feasibility study for product requests.06895
- •Assign senior management to approve the cost benefit analysis in the feasibility study.13069
- •Include information security throughout the system development life cycle.12042
- •Initiate the System Development Life Cycle planning phase.06266
- •Establish, implement, and maintain research and development plans.13649
- •Establish, implement, and maintain system design principles and system design guidelines.01057
- •Establish, implement, and maintain a security controls definition document.01080
- •Include identified risks and legal requirements in the security controls definition document.11743
- •Include naming conventions in system design guidelines.13656
- •Define and assign the system development project team roles and responsibilities.01061
- •Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties.01062
- •Redesign business activities to support the system implementation.01067
- •Establish, implement, and maintain a source data collection design specification.01070
- •Establish, implement, and maintain a system use training plan.01089
- •Train the affected users during system development life cycle projects.01091
- •Establish and maintain System Development Life Cycle documentation.12079
- •Define and document organizational structures for the System Development Life Cycle program.12549
- •Include system maintenance responsibilities in the System Development Life Cycle documentation.12556
- •Include system and network monitoring responsibilities in the System Development Life Cycle documentation.12557
- •Define and document organizational structures for system and network monitoring.12554
- •Establish, implement, and maintain a full set of system procedures.01074
- •Establish, implement, and maintain a database management standard.01079
- •Establish, implement, and maintain system design requirements.06618
- •Identify all stakeholders who may influence the System Development Life Cycle.06922
- •Document stakeholder requirements and how they influence system design requirements.06925
- •Compare system design requirements against system design requests.06619
- •Resolve conflicting design and development inputs.13703
- •Design and develop built-in redundancies, as necessary.13064
- •Identify and document system design constraints.06923
- •Identify and document limitations that the implementation technology and the implementation strategy puts on the system design solution.06928
- •Include performance criteria in the system requirements specification.11540
- •Include product upgrade methodologies in the system requirements specification.11563
- •Establish, implement, and maintain a system design project management framework.00990
- •Conduct a preliminary investigation before new system development projects begin.01025
- •Define and document the nature and scope of all new system development projects.01026
- •Update infrastructure resources when system development project requirements change.06900
- •Establish, implement, and maintain a conceptual model of the organization's business activities prior to developing systems.01028
- •Obtain approval from appropriate parties for system design projects.01033
- •Analyze existing systems during preliminary investigations for system design projects.01043
- •Analyze the proposed effects of modifications or additions on the existing systems during the preliminary investigation of system design projects.01045
- •Assess the continuity requirements during the planning and development stage for new products and services.12779
- •Identify system design strategies.01046
- •Reassess staffing needs while identifying the system design strategies.01053
- •Adopt a system design strategy after examining the strategic options and tactical options.01054
- •Disseminate and communicate the adopted system design strategy to interested personnel and affected parties.01055
- •Establish, implement, and maintain a system requirements specification.01035
- •Include relevant resources needed for the system design project in the system requirements specification.01036
- •Include pertinent legal requirements in the system requirements specification.01037
- •Include privacy policy requirements in the system requirements specification.01040
- •Include file format standards in the system requirements specification.01041
- •Conduct a project feasibility study prior to designing a system.01613
- •Include the threats and risks associated with the system development project in the project feasibility study.11797
- •Establish, implement, and maintain project management standards.00992
- •Include participation by each affected user department in the implementation phase of the project plan.00993
- •Include budgeting for projects in the project management standard.13136
- •Formally approve the initiation of each project phase.00997
- •Establish, implement, and maintain integrated project plans.01056
- •Perform a risk assessment for each system development project.01000
- •Establish, implement, and maintain a project control program.01612
- •Establish, implement, and maintain a project test plan.01001
- •Establish, implement, and maintain a project team plan.06533
- •Identify accreditation tasks.00999
- •Conduct a post implementation review when the system design project ends.01003
- •Separate the design and development environment from the production environment.06088
- •Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.06267
- •Develop systems in accordance with the system design specifications and system design standards.01094
- •Develop new products based on best practices.01095
- •Establish, implement, and maintain a system design specification.04557
- •Document the system architecture in the system design specification.12287
- •Include communication links in the system design specification.08665
- •Include a description of each module and asset in the system design specification.11734
- •Include supporting software requirements in the system design specification.08664
- •Include threat models in the system design specification.06829
- •Include security requirements in the system design specification.06826
- •Establish, implement, and maintain coding guidelines.08661
- •Establish, implement, and maintain human interface guidelines.08662
- •Establish and maintain User Interface documentation.12204
- •Include measurable system performance requirements in the system design specification.08667
- •Include the data structure in the system design specification.08669
- •Assign appropriate parties to approve the system design specification.13070
- •Implement security controls when developing systems.06270
- •Implement a hardware security module, as necessary.12222
- •Establish, implement, and maintain an acceptable use policy for the hardware security module.12247
- •Include roles and responsibilities in the acceptable use policy for the hardware security module.12264
- •Include administrative responsibilities in the acceptable use policy for the hardware security module.12260
- •Establish and maintain a cryptographic architecture document.12476
- •Include the algorithms used in the cryptographic architecture document.12483
- •Include an inventory of all protected areas in the cryptographic architecture document.12486
- •Include a description of the key usage for each key in the cryptographic architecture document.12484
- •Include descriptions of all cryptographic keys in the cryptographic architecture document.12487
- •Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document.12488
- •Include each cryptographic key's expiration date in the cryptographic architecture document.12489
- •Include the protocols used in the cryptographic architecture document.12485
- •Establish and maintain a coding manual for secure coding techniques.11863
- •Protect applications from improper access control through secure coding techniques in source code.11959
- •Protect applications from improper error handling through secure coding techniques in source code.11937
- •Protect applications from insecure communications through secure coding techniques in source code.11936
- •Protect applications from injection flaws through secure coding techniques in source code.11944
- •Control user account management through secure coding techniques in source code.11909
- •Restrict direct access of databases to the database administrator through secure coding techniques in source code.11933
- •Protect applications from buffer overflows through secure coding techniques in source code.11943
- •Protect applications from cross-site scripting through secure coding techniques in source code.11899
- •Protect against coding vulnerabilities through secure coding techniques in source code.11897
- •Protect applications from broken authentication and session management through secure coding techniques in source code.11896
- •Protect applications from insecure cryptographic storage through secure coding techniques in source code.11935
- •Protect applications from cross-site request forgery through secure coding techniques in source code.11895
- •Follow security design requirements when developing systems.06827
- •Establish, implement, and maintain a system implementation representation document.04558
- •Design the security architecture.06269
- •Implement software development version controls.01098
- •Follow the system development process when upgrading a system.01059
- •Conduct a design review at each milestone or quality gate.01087
- •Reassess the system design after the product has been tested.01088
- •Approve the design methodology before moving forward on the system design project.01060
- •Perform source code analysis at each milestone or quality gate.06832
- •Monitor the development environment for when malicious code is discovered.06396
- •Establish and maintain system security documentation.06271
- •Establish and maintain access rights to source code based upon least privilege.06962
- •Develop new products based on secure coding techniques.11733
- •Address known coding vulnerabilities as a part of secure coding techniques.12493
- •Include all confidentiality, integrity, and availability functions in the system design specification.04556
- •Establish and maintain the overall system development project management roles and responsibilities.00991
- •Disseminate and communicate continuously and routinely regarding system development project requirements.06899
- •Perform Quality Management on all newly developed or modified systems.01100
- •Evaluate system development projects for compliance with the system requirements specifications.06903
- •Establish, implement, and maintain a system testing policy.01102
- •Configure the test environment similar to the production environment.06837
- •Establish, implement, and maintain parallel testing criteria and pilot testing criteria.01107
- •Establish, implement, and maintain system testing procedures.11744
- •Restrict production data from being used in the test environment.01103
- •Control the test data used in the development environment.12013
- •Test all software changes before promoting the system to a production environment.01106
- •Test security functionality during the development process.12015
- •Include system performance in the scope of system testing.12624
- •Include security controls in the scope of system testing.12623
- •Review and test custom code to identify potential coding vulnerabilities.01316
- •Review and test source code.01086
- •Assign the review of custom code changes to individuals other than the code author.06291
- •Correct code anomalies and code deficiencies in custom code and retest before release.06292
- •Approve all custom code test results before code is released.06293
- •Perform Quality Management on all newly developed or modified software.11798
- •Establish, implement, and maintain a system testing program for all system development projects.01101
- •Develop the system in a timely manner and cost-effective way.06908
- •Identify new technologies and critical processes during system development projects.06907
- •Develop Natural Language Processing tools, as necessary.14063
- •Document requirements and feedback when developing language processing tools.14081
- •Initiate the System Development Life Cycle implementation phase.06268
- •Establish, implement, and maintain a system implementation standard.01111
- •Deploy applications based on best practices.12738
- •Select implementation strategies based on the system design requirements.01113
- •Establish, implement, and maintain an implementation plan.01114
- •Approve implementation plans, as necessary.13628
- •Plan and document the Certification and Accreditation process.11767
- •Install and integrate the system components according to the system implementation standard.06930
- •Document the system implementation integration process.06931
- •Perform a final acceptance test prior to implementing a new system.01108
- •Involve all stakeholders in the final acceptance test.13168
- •Document the acceptance status for all products passing the System Development Life Cycle implementation phase.06211
- •Control products that do not conform to the system acceptance criteria.06212
- •Manage the system implementation process.01115
- •Establish, implement, and maintain system conversion procedures.01117
- •Establish, implement, and maintain a data conversion plan.01118
- •Establish, implement, and maintain promoting the system to a production environment procedures.01119
- •Remove test accounts prior to promoting the system to a production environment.12495
- •Remove test data prior to promoting the system to a production environment.12494
- •Evaluate and determine whether or not the newly developed system meets users' system design requirements.01120
- •Evaluate and determine whether or not the newly developed system meets security requirements.06273
- •Approve and authorize the newly implemented system.06274
- •Establish and maintain end user support communications.06615
- •Establish, implement, and maintain user documentation.12250
- •Include documentation for all systems in the user documentation.12285
- •Acquisition or sale of facilities, technology, and services01123
- •Establish, implement, and maintain a product upgrade program.12216
- •Plan for acquiring facilities, technology, or services.06892
- •Involve all stakeholders in the acquisition process.13169
- •Establish, implement, and maintain system acquisition contracts.14758
- •Include security requirements in system acquisition contracts.01124
- •Include required service levels in system acquisition contracts.11652
- •Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets.01447
- •Identify and include alternatives to meeting the security requirements when acquiring assets.01128
- •Conduct an acquisition feasibility study prior to acquiring assets.01129
- •Establish test environments separate from the production environment to support integration testing before product acquisition.11668
- •Establish, implement, and maintain a product and services acquisition strategy.01133
- •Establish, implement, and maintain a product and services acquisition program.01136
- •Establish, implement, and maintain acquisition approval requirements.13704
- •Include chain of custody procedures in the product and services acquisition program.10058
- •Establish, implement, and maintain a software product acquisition methodology.01138
- •Store source code documentation in escrow by an independent third party.01139
- •Review software licensing agreements to ensure compliance.01140
- •Acquire products or services.11450
- •Register new systems with the program office or other applicable stakeholder.13986
- •Establish, implement, and maintain facilities, assets, and services acceptance procedures.01144
- •Test new hardware or upgraded hardware and software against predefined performance requirements.06740
- •Test new hardware or upgraded hardware and software for implementation of security controls.06743
- •Test new software or upgraded software for security vulnerabilities.01898
- •Test new software or upgraded software for compatibility with the current system.11654
- •Test new hardware or upgraded hardware for compatibility with the current system.11655
- •Test new hardware or upgraded hardware for security vulnerabilities.01899
- •Privacy protection for information and data00008
- •Establish, implement, and maintain a privacy framework that protects restricted data.11850
- •Establish, implement, and maintain a personal data transparency program.00375
- •Establish and maintain privacy notices, as necessary.13443
- •Establish, implement, and maintain adequate openness procedures.00377
- •Register with public bodies and notify the Data Commissioner before processing personal data.00383
- •Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes.00398
- •Document the countries where restricted data may be stored.12750
- •Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.00393
- •Provide the data subject with the means of gaining access to personal data held by the organization.00396
- •Provide the data subject with information about the right to erasure.12602
- •Provide the data subject with what personal data is made available to related organizations or subsidiaries.00399
- •Establish and maintain a disclosure accounting record.13022
- •Include what information was disclosed and to whom in the disclosure accounting record.04680
- •Include the disclosure date in the disclosure accounting record.07133
- •Include the disclosure recipient in the disclosure accounting record.07134
- •Establish, implement, and maintain a privacy policy.06281
- •Document privacy policies in clearly written and easily understood language.00376
- •Notify interested personnel and affected parties when changes are made to the privacy policy.06943
- •Document the notification of interested personnel and affected parties regarding privacy policy changes.06944
- •Disseminate and communicate the privacy policy to interested personnel and affected parties.13346
- •Establish, implement, and maintain personal data choice and consent program.12569
- •Establish and maintain disclosure authorization forms for authorization of consent to use personal data.13433
- •Establish, implement, and maintain a personal data accountability program.13432
- •Assign ownership of the privacy program to the appropriate organizational role.11848
- •Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data.12584
- •Include privacy awareness and training in the Binding Corporate Rules.12626
- •Establish, implement, and maintain Data Processing Contracts.12650
- •Include data processor confidentiality requirements in the Data Processing Contract.12685
- •Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract.12669
- •Establish, implement, and maintain a personal data use limitation program.13428
- •Establish, implement, and maintain a personal data use purpose specification.00093
- •Display or print the least amount of personal data necessary.04643
- •Notify the data subject of changes to personal data use.00105
- •Document the use of personal data as an acceptable secondary purpose when the data subject gives consent.00115
- •Establish, implement, and maintain data access procedures.00414
- •Respond to data access requests in a timely manner.00421
- •Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary.11811
- •Establish, implement, and maintain restricted data use limitation procedures.00128
- •Notify the data subject after personal data is used or disclosed.06247
- •Refrain from processing restricted data, as necessary.12551
- •Process restricted data lawfully and carefully.00086
- •Analyze requirements for processing personal data in contracts.12550
- •Process personal data after the data subject has granted explicit consent.00180
- •Define the exceptions to disclosure absent consent.00135
- •Disclose restricted data absent consent when it is needed by law.00163
- •Disclose personal data required by law absent consent for special cases involving security or law enforcement.04796
- •Establish, implement, and maintain personal data disposition procedures.13498
- •Remove personal data from records after receiving a personal data removal request.11972
- •Establish, implement, and maintain data disclosure procedures.00133
- •Review personal data disclosure requests.07129
- •Establish, implement, and maintain a personal data collection program.06487
- •Establish, implement, and maintain personal data collection limitation boundaries.00507
- •Establish, implement, and maintain a personal data collection policy.00029
- •Collect personal data directly from the data subject.00011
- •Collect and record restricted data for specific, explicit, and legitimate purposes.00027
- •Provide the data subject with information about the data controller during the collection process.00023
- •