Calc test
Job ID: Calc-test-082225150827
Date: 2025-08-22
Status: Completed
Overall Alignment: 82.8% (275 of 332 controls aligned)
Frameworks applied: 2 (CIS, NIST)
Key Controls aligned: 87 / 101
Framework Compliance Overview
Framework | Total Controls | Aligned | Gaps | Compliance Progress (aligned / total) |
---|---|---|---|---|
CIS | 34 | 29 | 5 | 85.3% |
NIST | 298 | 246 | 52 | 82.6% |
OVERALL | 332 | 275 | 57 | 82.8% |
Document Analysis Details
Each document was assessed against both frameworks. Coverage is the document's aligned count divided by the framework's total controls.

Document | CIS Total | CIS Aligned | CIS Coverage | NIST Total | NIST Aligned | NIST Coverage |
---|---|---|---|---|---|---|
anonymized_2.1_IS_Acceptable_Use_Standard.pdf | 37 | 3 | 8.1% | 328 | 60 | 18.3% |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | 37 | 1 | 2.7% | 328 | 61 | 18.6% |
anonymized_3.0_IS_Information_Security_Policy_2.pdf | 37 | 3 | 8.1% | 328 | 92 | 28.0% |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf | 37 | 2 | 5.4% | 328 | 53 | 16.2% |
CIS: 37 Total Controls
Control ID | Control Name | Key Control | Status | Evidence Section | Document |
---|---|---|---|---|---|
1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | Yes | Aligned | Asset Management – Establishes controls for asset identifica... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
1.2 | Address Unauthorized Assets | | Aligned | Asset Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
1.2 | Address Unauthorized Assets | | Aligned | 1.2 REQUIREMENTS - Access Control... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
1.3 | Utilize an Active Discovery Tool | | Gap | Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure... | |
1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | | Aligned | MAINTAINANCE... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
1.5 | Use a Passive Asset Discovery Tool | | Gap | Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and us... | |
2.1 | Establish and Maintain a Software Inventory | | Aligned | Inventory of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
2.2 | Ensure Authorized Software is Currently Supported | Yes | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
2.3 | Address Unauthorized Software | | Aligned | Software... | anonymized_6.1_IS_Data_Security_Standards.pdf |
2.4 | Utilize Automated Software Inventory Tools | | Aligned | Inventory of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
2.7 | Allowlist Authorized Scripts | | Gap | Use technical controls, such as digital signatures and version control, to ensure that only authoriz... | |
3.1 | Establish and Maintain a Data Management Process | Yes | Aligned | IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
3.1 | Establish and Maintain a Data Management Process | Yes | Aligned | Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.1 | Establish and Maintain a Data Management Process | Yes | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
3.1 | Establish and Maintain a Data Management Process | Yes | Aligned | 1.8 DATA RETENTION and 1.9 ROLES & RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.1 | Establish and Maintain a Data Management Process | Yes | Aligned | 1.3 DATA OWNER RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.2 | Establish and Maintain a Data Inventory | | Gap | Establish and maintain a data inventory based on the enterprise’s data management process. Inventory... | |
3.3 | Configure Data Access Control Lists | | Aligned | Define desktop and end-user device security access controls.... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.3 | Configure Data Access Control Lists | | Aligned | 1.3 DATA OWNER RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.3 | Configure Data Access Control Lists | | Aligned | Access Control... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
3.3 | Configure Data Access Control Lists | | Aligned | 1.2.1 Access Control... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
3.4 | Enforce Data Retention | | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.4 | Enforce Data Retention | | Aligned | 1.8 DATA RETENTION... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.5 | Securely Dispose of Data | Yes | Aligned | IT Asset Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
3.5 | Securely Dispose of Data | Yes | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
3.5 | Securely Dispose of Data | Yes | Aligned | Disposal Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.5 | Securely Dispose of Data | Yes | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
3.6 | Encrypt Data on End-User Devices | | Aligned | Encrypt data on end-user devices containing sensitive data... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.6 | Encrypt Data on End-User Devices | | Aligned | Devices should be password-protected and encrypted.... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.6 | Encrypt Data on End-User Devices | | Aligned | Only USB sticks and other removable devices that have been a... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.6 | Encrypt Data on End-User Devices | | Aligned | vi. Encryption is to be used to protect the confidentiality ... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | 1.5 DATA CLASSIFICATION... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | Data Security classification policy... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | Definition of Confidentiality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | DOCUMENT CLASSIFICATION... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | Control: 3.7: Establish and maintain an overall data classif... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | | Aligned | Data Classification Policy... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
3.8 | Document Data Flows | Yes | Gap (Critical: Key Control Missing) | Document data flows. Data flow documentation includes service provider data flows and should be base... | |
3.9 | Encrypt Data on Removable Media | | Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
3.9 | Encrypt Data on Removable Media | | Aligned | Encryption requirements for PII/NPI data on High-Risk Techno... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.9 | Encrypt Data on Removable Media | | Aligned | Removable Storage Devices... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.11 | Encrypt Sensitive Data at Rest | | Aligned | Encrypt sensitive data at rest on servers, applications, and... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.11 | Encrypt Sensitive Data at Rest | | Aligned | Devices should be password-protected and encrypted.... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.11 | Encrypt Sensitive Data at Rest | | Aligned | Encryption for remote access sessions... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
3.12 | Segment Data Processing and Storage Based on Sensitivity | | Aligned | Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.13 | Deploy a Data Loss Prevention Solution | | Aligned | Inventory of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
3.13 | Deploy a Data Loss Prevention Solution | | Aligned | Implementation of Data Loss Prevention Mechanism... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.14 | Log Sensitive Data Access | Yes | Aligned | 1.3 IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
3.14 | Log Sensitive Data Access | Yes | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
3.14 | Log Sensitive Data Access | Yes | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.14 | Log Sensitive Data Access | Yes | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
4.1 | Establish and Maintain a Secure Configuration Process | Yes | Aligned | Secure Configuration of Enterprise Assets & Software... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | | Aligned | 1.11 MAINTENANCE... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | | Aligned | Network Monitoring & Defense... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
4.3 | Configure Automatic Session Locking on Enterprise Assets | | Gap | Configure automatic session locking on enterprise assets after a defined period of inactivity. For g... | |
4.4 | Implement and Manage a Firewall on Servers | | Aligned | Section 6: Personal firewalls software should be installed a... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
4.5 | Implement and Manage a Firewall on End-User Devices | | Aligned | Section 6: Personal Firewalls... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
4.6 | Securely Manage Enterprise Assets and Software | | Gap | Securely manage enterprise assets and software. Example implementations include managing configurati... | |
4.7 | Manage Default Accounts on Enterprise Assets and Software | | Aligned | Service Accounts... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
4.9 | Configure Trusted DNS Servers on Enterprise Assets | | Aligned | System & Communications Protection \| Secure Name/address Reso... | anonymized_6.1_IS_Data_Security_Standards.pdf |
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | Yes | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | Yes | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf |
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | Yes | Aligned | Termination of employees and management of access privileges... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | | Gap | Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example ... | |
5.1 | Establish and Maintain an Inventory of Accounts | Yes | Aligned | Assets ownership and responsibilities... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
5.1 | Establish and Maintain an Inventory of Accounts | Yes | Aligned | An Asset Owner should be responsible for: Ensuring that Asse... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
5.1 | Establish and Maintain an Inventory of Accounts | Yes | Aligned | Service Accounts... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
5.1 | Establish and Maintain an Inventory of Accounts | Yes | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
A.8.2.2 | Labeling of Information | | Aligned | Labeling of Information... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
A.9.1.1 | Access Control Policy | | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
A.9.4.1 | Information Access Restriction | | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
NIST: 328 Total Controls
Control ID | Control Name | Key Control | Status | Evidence Section | Document |
---|---|---|---|---|---|
AC-1 | Policy and Procedures | | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-1 | Policy and Procedures | | Aligned | f. Ensure that the security controls are in place while usin... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | g. Ensure that information access controls are implemented t... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | i. Privileged users should understand their roles and respon... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | Access Control Policy... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | Information Access Controls... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | Ensure that information access controls are implemented... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | The purpose of this policy is to provide requirements contro... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | 1.2.1 Access Control... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | Access Control Policy and Procedures... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
AC-1 | Policy and Procedures | | Aligned | Control: AC-1: Access control policy and procedures... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | Access control policy and procedures... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
AC-1 | Policy and Procedures | | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
AC-1 | Policy and Procedures | | Aligned | Defining and periodically reviewing access restrictions and ... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
AC-1 | Policy and Procedures | | Aligned | Acceptable Use of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
AC-1 | Policy and Procedures | | Aligned | Assets ownership and responsibilities... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
AC-1 | Policy and Procedures | | Aligned | Access control policy and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-1 | Policy and Procedures | | Aligned | Cloud Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-1 | Policy and Procedures | | Aligned | Access Control – Establishes controls to manage access to in... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-1 | Policy and Procedures | | Aligned | Cloud Policy - Establishes controls that define the requirem... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-1 | Policy and Procedures | | Aligned | End-user Device Security Policy - Establishes controls that ... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-1 | Policy and Procedures | | Aligned | Access Control... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-1 | Policy and Procedures | | Aligned | Section 1.6 - EXCEPTION... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
AC-1 | Policy and Procedures | | Aligned | Access Control Policy and Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
AC-1 | Policy and Procedures | | Aligned | Network and Firewall Security Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-1 | Policy and Procedures | | Aligned | Access Control Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-1 | Policy and Procedures | | Aligned | Segregation of duties... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-10 | Concurrent Session Control | | Gap | Organizations may define the maximum number of concurrent sessions for system accounts globally, by ... | |
AC-11 | Device Lock | Yes | Aligned | User accounts, including privileged user accounts, should be... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-11 | Device Lock | Yes | Aligned | Devices should be password-protected and encrypted.... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
AC-11 | Device Lock | Yes | Aligned | 1.2 Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
AC-12 | Session Termination | | Aligned | Leaving Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
AC-14 | Permitted Actions Without Identification or Authentication | Yes | Aligned | Access Control Management... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-16 | Security and Privacy Attributes | Yes | Aligned | Security & Privacy Attributes... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-16 | Security and Privacy Attributes | Yes | Aligned | Defining and periodically reviewing access restrictions and ... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
AC-16 | Security and Privacy Attributes | Yes | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
AC-16 | Security and Privacy Attributes | Yes | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-17 | Remote Access | | Aligned | Access to Networks & Network Services... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
AC-17 | Remote Access | | Aligned | Monitoring devices are typically employed at the managed int... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
AC-17 | Remote Access | | Aligned | 1.2 SYSTEM USE NOTIFICATION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-17 | Remote Access | | Aligned | All external connections to Test networks or Information Res... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-17 | Remote Access | | Aligned | Monitoring devices are typically employed at the managed int... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
AC-17 | Remote Access | | Aligned | 1.10 REMOTE ACCESS TO Test’s SYSTEMS... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
AC-17 | Remote Access | | Aligned | A.9.4.4 - Access to Networks & Network Services... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-17 | Remote Access | | Aligned | A.9.4.1 - A.13.2.1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-17 | Remote Access | | Aligned | Remote access should be configured to use a strong authentic... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
AC-17 | Remote Access | | Aligned | Encryption of external file transfers and data connections.... | anonymized_6.1_IS_Data_Security_Standards.pdf |
AC-17 | Remote Access | | Aligned | End-user Device Security Policy - Establishes controls that ... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-17 | Remote Access | | Aligned | Access Control Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-18 | Wireless Access | | Aligned | Service Set Identifier (SSID)... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Section 9: Mobile Device Management... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Ensure that the security controls are in place while using m... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | 1.14 BRING YOUR OWN DEVICE (BYOD)... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | implementation and operation of information security within ... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Remote access should be configured to use a strong authentic... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | 1.2. Hardware, Software, Applications and Data - Inventory o... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Protection and control of mobile devices... | anonymized_6.1_IS_Data_Security_Standards.pdf |
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Section 9: Mobile Device Security Responsibilities... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-2 | Account Management | Yes | Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | f) Access privileges of all users, especially those with the... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | 1.6 ENFORCEMENT/COMPLIANCE... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-2 | Account Management | Yes | Aligned | Control: AC-2... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | General User Account... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | Access is based on an employee/contractor’s role and should ... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | i. Privileged users should understand their roles and respon... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | Account Management... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | User access to networks and network services... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | 1.2.1 Access Control... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | vi. Authorization process is developed and implemented to en... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | 1.9 LEAVING Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | Application Security Administrators... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | Termination of access privileges... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | Leaving Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | Account Management Requirements... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
AC-2 | Account Management | Yes | Aligned | Account Management... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-2 | Account Management | Yes | Aligned | Account Management and User Privileges... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
AC-2 | Account Management | Yes | Aligned | Defining and periodically reviewing access restrictions and ... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
AC-2 | Account Management | Yes | Aligned | Access Control... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-2 | Account Management | Yes | Aligned | End-user Device Security Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
AC-2 | Account Management | Yes | Aligned | 1.2 Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
AC-2 | Account Management | Yes | Aligned | Access Control Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
AC-20 | Use of External Systems | | Aligned | Section 9: Mobile Device Management... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-20 | Use of External Systems | | Aligned | Access Control \| Use of External Systems... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-20 | Use of External Systems | | Aligned | Many safeguards for mobile devices are reflected in other co... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-20 | Use of External Systems | | Aligned | Network services which are not required are formally documen... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
AC-20 | Use of External Systems | | Aligned | AC-20 addresses mobile devices that are not organization-con... | anonymized_6.1_IS_Data_Security_Standards.pdf |
AC-20 | Use of External Systems | | Aligned | Data transmission and external system usage guidelines... | anonymized_6.1_IS_Data_Security_Standards.pdf |
AC-20 | Use of External Systems | | Aligned | Section 9: Mobile Device Security Responsibilities... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-21 | Information Sharing | Yes | Aligned | Restricted Data... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
AC-21 | Information Sharing | Yes | Aligned | Classification of Information... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
AC-21 | Information Sharing | Yes | | | |
|
Aligned | 1.2.1 Access Control... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-21 |
Information Sharing
Key Control
|
Aligned | Information Sharing and Data Security Classification Policy... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-21 |
Information Sharing
Key Control
|
Aligned | Information Transfer Policies & Procedures... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-21 |
Information Sharing
Key Control
|
Aligned | 1.1 Data Handling Procedures... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AC-21 |
Information Sharing
Key Control
|
Aligned | Information Sharing and Security Classification Policy... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-22 |
Publicly Accessible Content
|
Aligned | Public Data and Internal Use Only Data... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AC-22 |
Publicly Accessible Content
|
Aligned | c. Internet Use Restrictions... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-22 |
Publicly Accessible Content
|
Aligned | The purpose of this policy is to provide requirements contro... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-22 |
Publicly Accessible Content
|
Aligned | Control of proprietary information and sensitive material... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-22 |
Publicly Accessible Content
|
Aligned | c. Internet Use Restrictions... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-22 |
Publicly Accessible Content
|
Aligned | proprietary information, trade secrets or any other sensitiv... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-22 |
Publicly Accessible Content
|
Aligned | 4.0 Organization of Information Security Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-23 |
Data Mining Protection
|
Aligned | Access Control Policy... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-23 |
Data Mining Protection
|
Aligned | 1.1 Data Handling Procedures... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AC-24 |
Access Control Decisions
|
Aligned | 1.3 DATA OWNER RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AC-24 |
Access Control Decisions
|
Aligned | 1.2.1 Access Control... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-24 |
Access Control Decisions
|
Aligned | Access Control... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AC-24 |
Access Control Decisions
|
Aligned | Access Control... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AC-24 |
Access Control Decisions
|
Aligned | Access Control Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-25 |
Reference Monitor
Key Control
|
Aligned | Access Control Policy... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-25 |
Reference Monitor
Key Control
|
Aligned | 1.1 SCOPE & APPLICABILITY... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-25 |
Reference Monitor
Key Control
|
Aligned | Overview, Scope & Applicability... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AC-25 |
Reference Monitor
Key Control
|
Aligned | 1.1 SCOPE & APPLICABILITY... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control to Program Source Code... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | d) Authorizing access to Information Assets.... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.6 ENFORCEMENT/COMPLIANCE... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Controls such as file access limitation, time limit for acce... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | f, g, h... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access to Information Resources should be controlled through... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Enforcement... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.2.1 Access Control... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access to Information Resources should be controlled through... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | iv. Control over User access to information services is enfo... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control | Access Enforcement... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Controls such as file access limitation, time limit for acce... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access privileges of employees should be removed from all sy... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.4 NEW HIRE IDS & PASSWORDS... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.10 REMOTE ACCESS TO Test’s SYSTEMS... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.2 GENERAL USER RESPONSIBILITIES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | A.9.4.4 - Access to Networks & Network Services... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Enforcement... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Segregation of duties... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control and User Privileges... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Overview and Scope & Applicability... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.1.3 Laptops... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Overview... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.6 EXCEPTION... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.2 Endpoint Security Device Management... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Enforcing access restrictions for remote access.... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control | Remote Access, Access Control | Access Cont... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.6 ENFORCEMENT/COMPLIANCE... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.10 REMOTE ACCESS TO Test’s SYSTEMS... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | 1.2 GENERAL USER RESPONSIBILITIES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-3 |
Access Enforcement
Key Control
|
Aligned | Access Control Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-4 |
Information Flow Enforcement
Key Control
|
Aligned | Data Custodian... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AC-4 |
Information Flow Enforcement
Key Control
|
Aligned | c. Internet Use Restrictions... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-4 |
Information Flow Enforcement
Key Control
|
Aligned | A.9.4.1 - A.13.2.1... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-4 |
Information Flow Enforcement
Key Control
|
Aligned | Access Control Policies... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AC-4 |
Information Flow Enforcement
Key Control
|
Aligned | c. Internet Use Restrictions... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-4 |
Information Flow Enforcement
Key Control
|
Aligned | Access Control Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | General User Account... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | This policy assigns and describes roles and responsibilities... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Separation of Duties... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Managers... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Managers... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Segregate conflicting duties and areas of responsibility... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Account Management and Password Protection Requirements... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | 1.3 SEGREGATION OF DUTIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Data Protection... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Access Control Policies... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Account Management and User Responsibilities... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | 1.3 SEGREGATION OF DUTIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-5 |
Separation of Duties
Key Control
|
Aligned | Segregation of duties... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | 1.3 DATA OWNER RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | Privileged (Application Administration) Account... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | Least Privilege... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | Access is based on an employee/contractor’s role and should ... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | Least Privilege... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | Access Control Management... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | 1.1.3 Laptops... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | Access Control Policies... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AC-6 |
Least Privilege
|
Aligned | Access Control Management... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AC-7 |
Unsuccessful Logon Attempts
|
Aligned | Unsuccessful Login Attempts... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-8 |
System Use Notification
|
Aligned | 1.2 SYSTEM USE NOTIFICATION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-8 |
System Use Notification
|
Aligned | This policy assigns and describes roles and responsibilities... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AC-8 |
System Use Notification
|
Aligned | 1.2 SYSTEM USE NOTIFICATION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-8 |
System Use Notification
|
Aligned | VII. Test adopts the NIST CSF and ISO 27001 standards as the... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AC-9 |
Previous Logon Notification
|
Aligned | 1.2 SYSTEM USE NOTIFICATION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AC-9 |
Previous Logon Notification
|
Aligned | 1.2 SYSTEM USE NOTIFICATION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | 1.1 SCOPE & APPLICABILITY... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | i. Privileged users should understand their roles and respon... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | Privileged User Responsibilities... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | Privileged users should understand their roles and responsib... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | i. Privileged users should understand their roles and respon... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | i. Privileged users should understand their roles and respon... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | 1.7 INFORMATION SECURITY EDUCATION & TRAINING... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | Awareness and training policy and procedures... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-1 |
Policy and Procedures
Key Control
|
Aligned | Awareness and training policy and procedures... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-2 |
Literacy Training and Awareness
|
Aligned | Awareness and Training... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-2 |
Literacy Training and Awareness
|
Aligned | 1.7 INFORMATION SECURITY EDUCATION & TRAINING... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AT-2 |
Literacy Training and Awareness
|
Aligned | Ensure that there is enough depth of expertise in critical f... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AT-2 |
Literacy Training and Awareness
|
Aligned | INFORMATION SECURITY AWARENESS... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AT-2 |
Literacy Training and Awareness
|
Aligned | 1.7 INFORMATION SECURITY EDUCATION & TRAINING... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AT-2 |
Literacy Training and Awareness
|
Aligned | Information Security Awareness, Education and Training... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-2 |
Literacy Training and Awareness
|
Aligned | Information Security Awareness, Education and Training... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness and Training... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training | Role-based Training... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training | Role-based Training... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Security Awareness & Skills Training... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training | Role-based Training... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | 1.7 INFORMATION SECURITY EDUCATION & TRAINING... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Role Responsibility Information Technology Department... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Security Awareness & Skills Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training | Role-based Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Personnel Security | External Personnel Security... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training | Role-based Training... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Information Security Awareness, Education and Training... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Information Security Awareness, Education and Training... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training | Role-based Training... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training | Role-based Training... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Security Awareness & Skills Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Awareness & Training | Role-based Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AT-3 |
Role-based Training
Key Control
|
Aligned | Role-based Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AT-4 |
Training Records
|
Gap | Documentation for specialized training may be maintained by individual supervisors at the discretion... | ||
AT-6 |
Training Feedback
|
Gap | Training feedback includes awareness training results and role-based training results. Training resu... | ||
AU-1 |
Policy and Procedures
Key Control
|
Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-1 |
Policy and Procedures
Key Control
|
Aligned | Managers... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AU-1 |
Policy and Procedures
Key Control
|
Aligned | Role Responsibility Information Technology Department... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-1 |
Policy and Procedures
Key Control
|
Aligned | 1.4 EXCEPTION... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AU-1 |
Policy and Procedures
Key Control
|
Aligned | Ensuring the resolution of information security-related audi... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
AU-1 |
Policy and Procedures
Key Control
|
Aligned | 1.6... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
AU-1 |
Policy and Procedures
Key Control
|
Aligned | Role Responsibility Information Technology Department... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-10 |
Non-repudiation
|
Aligned | Activity... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AU-11 |
Audit Record Retention
Key Control
|
Aligned | 1.8 DATA RETENTION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-12 |
Audit Record Generation
|
Gap | Audit records can be generated from many different system components. The event types specified in A... | ||
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Restricted Data... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Organizations monitor systems by observing audit activities ... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | 2.1 Acceptable Use Standard... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Monitoring of User’s device.... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | DOCUMENT CLASSIFICATION... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Organizations monitor systems by observing audit activities ... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Discussion on proprietary information and sensitive material... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | DOCUMENT CLASSIFICATION... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | 7.2 End User Device Standard... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Overview and Scope & Applicability... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Confidentiality... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Term Definitions... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | 2.1 Acceptable Use Standard... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Monitoring of User’s device.... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Data Security classification policy... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-13 |
Monitoring for Information Disclosure
|
Aligned | Definition of Confidentiality and Information Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AU-14 |
Session Audit
Key Control
|
Aligned | Monitoring of User’s device... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AU-14 |
Session Audit
Key Control
|
Aligned | b) Retrieve and share information with the authorities in re... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-14 |
Session Audit
Key Control
|
Aligned | Monitoring of User’s device... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AU-14 |
Session Audit
Key Control
|
Aligned | b) Retrieve and share information with the authorities in re... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-16 |
Cross-organizational Audit Logging
Key Control
|
Aligned | 1.7 PROTECTION OF LOG INFORMATION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-2 |
Event Logging
Key Control
|
Aligned | 1.7 PROTECTION OF LOG INFORMATION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-2 |
Event Logging
Key Control
|
Aligned | The reviews can be supported by audit logging controls, such... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AU-2 |
Event Logging
Key Control
|
Aligned | c) Test should consider various means to ensure that initiat... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AU-2 |
Event Logging
Key Control
|
Aligned | f) Mitigating or compensating controls should be established... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
AU-2 |
Event Logging
Key Control
|
Aligned | Physical & Environmental Protection | Asset Monitoring & Tra... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
AU-3 |
Content of Audit Records
Key Control
|
Gap |
Audit record content that may be necessary to support the auditing function includes event descripti...
Critical Gap - Key Control Missing
|
||
AU-4 |
Audit Log Storage Capacity
Key Control
|
Aligned | 1.7 PROTECTION OF LOG INFORMATION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-4 |
Audit Log Storage Capacity
Key Control
|
Aligned | NIST SP 800-53 Rev 5 AU-4 Audit & Accountability | Audit Log... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-5 |
Response to Audit Logging Process Failures
Key Control
|
Aligned | 1.7 PROTECTION OF LOG INFORMATION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-6 |
Audit Record Review, Analysis, and Reporting
Key Control
|
Aligned | Access groupings will be developed and tested prior to the i... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-6 |
Audit Record Review, Analysis, and Reporting
Key Control
|
Aligned | Monitoring of User’s device.... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AU-6 |
Audit Record Review, Analysis, and Reporting
Key Control
|
Aligned | Role Responsibility Information Technology Department... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-6 |
Audit Record Review, Analysis, and Reporting
Key Control
|
Aligned | Role Responsibility CISO or his/her designee... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-6 |
Audit Record Review, Analysis, and Reporting
Key Control
|
Aligned | Monitoring of User’s device.... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
AU-6 |
Audit Record Review, Analysis, and Reporting
Key Control
|
Aligned | Role Responsibility Information Technology Department... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
AU-7 |
Audit Record Reduction and Report Generation
Key Control
|
Gap |
Audit record reduction is a process that manipulates collected audit log information and organizes i...
Critical Gap - Key Control Missing
|
||
AU-8 |
Time Stamps
|
Gap | Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated... | ||
AU-9 |
Protection of Audit Information
Key Control
|
Aligned | 1.7 PROTECTION OF LOG INFORMATION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
AU-9 |
Protection of Audit Information
Key Control
|
Aligned | Section on privileged account holders and log manipulation... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
AU-9 |
Protection of Audit Information
Key Control
|
Aligned | Operations Security – Establishes controls to ensure the sec... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
AU-9 | Protection of Audit Information (Key Control) | Aligned | Role Responsibility Information Technology Department... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
AU-9 | Protection of Audit Information (Key Control) | Aligned | Internet Security & Usage Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | 1.4 EXCEPTION... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | Divisions & Functions are free to define and implement stron... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | Risk Policy, Cloud Policy, End-user Device Security Policy, ... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | Section 1.6 - Exceptions to the policy... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | Risk Policy, Cloud Policy, End-user Device Security Policy, ... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-1 | Policy and Procedures (Key Control) | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CA-2 | Control Assessments (Key Control) | Aligned | Assessment, Authorization, and Monitoring \| Control Assessme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-2 | Control Assessments (Key Control) | Aligned | Assessment, Authorization, and Monitoring \| Control Assessme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-2 | Control Assessments (Key Control) | Aligned | Assessment, Authorization, and Monitoring \| Control Assessme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-3 | Information Exchange (Key Control) | Aligned | External connections to Test networks or Information Resourc... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
CA-3 | Information Exchange (Key Control) | Aligned | A.9.4.1 - A.13.2.1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CA-3 | Information Exchange (Key Control) | Aligned | Network Controls... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CA-3 | Information Exchange (Key Control) | Aligned | Data transmission should be encrypted.... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
CA-5 | Plan of Action and Milestones | Aligned | Account Remediation Project Plans... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
CA-6 | Authorization (Key Control) | Aligned | Authorization levels should be defined and documented.... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CA-6 | Authorization (Key Control) | Aligned | Authorization and Record Keeping Procedures... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CA-6 | Authorization (Key Control) | Aligned | Authorization levels should be defined and documented.... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Continuous monitoring at the system level facilitates ongoin... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Monitoring of User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Network Monitoring & Defense... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Overview and Scope & Applicability... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Assessment, Authorization, and Monitoring \| Continuous Monit... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Monitoring of User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Assessment, Authorization, and Monitoring \| Continuous Monit... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-7 | Continuous Monitoring (Key Control) | Aligned | Assessment, Authorization, and Monitoring \| Continuous Monit... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CA-8 | Penetration Testing | Gap | Penetration testing is a specialized type of assessment conducted on systems or individual system co... | | |
CA-9 | Internal System Connections (Key Control) | Aligned | Overview and Scope & Applicability... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CA-9 | Internal System Connections (Key Control) | Aligned | 1.2. Hardware, Software, Applications and Data... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CM-1 | Policy and Procedures | Aligned | 1.11 MAINTENANCE and 1.12 EXCEPTION... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CM-1 | Policy and Procedures | Aligned | Configuration Management Policy and Procedures... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
CM-1 | Policy and Procedures | Aligned | Configuration Management Policy and Procedures... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
CM-1 | Policy and Procedures | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
CM-1 | Policy and Procedures | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CM-1 | Policy and Procedures | Aligned | Chunk: 1.4... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CM-1 | Policy and Procedures | Aligned | Divisions & Functions are free to define and implement stron... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CM-1 | Policy and Procedures | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-1 | Policy and Procedures | Aligned | Configuration Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-1 | Policy and Procedures | Aligned | Security and privacy documentation requirements... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-1 | Policy and Procedures | Aligned | Section 1.6 - EXCEPTION... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
CM-1 | Policy and Procedures | Aligned | Configuration Management Policy and Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
CM-1 | Policy and Procedures | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
CM-1 | Policy and Procedures | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-1 | Policy and Procedures | Aligned | The selection of a control baseline is determined by the nee... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-1 | Policy and Procedures | Aligned | Documentation provides user and administrator guidance for t... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-10 | Software Usage Restrictions | Gap | Software license tracking can be accomplished by manual or automated methods, depending on organizat... | | |
CM-11 | User-installed Software | Aligned | Installation of Software on User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CM-11 | User-installed Software | Aligned | Installation of Software on User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CM-12 | Information Location | Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CM-12 | Information Location | Aligned | Scope... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
CM-12 | Information Location | Aligned | Overview and Scope & Applicability... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
CM-12 | Information Location | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
CM-12 | Information Location | Aligned | Scope... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
CM-13 | Data Action Mapping | Aligned | 1.3 DATA OWNER RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CM-13 | Data Action Mapping | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CM-13 | Data Action Mapping | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
CM-13 | Data Action Mapping | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CM-14 | Signed Components | Aligned | Certificate... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CM-2 | Baseline Configuration | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-2 | Baseline Configuration | Aligned | Configuration Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-2 | Baseline Configuration | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-3 | Configuration Change Control (Key Control) | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-3 | Configuration Change Control (Key Control) | Aligned | Controls can be viewed as descriptions of the safeguards... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-3 | Configuration Change Control (Key Control) | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-3 | Configuration Change Control (Key Control) | Aligned | In some cases, the selection and implementation of a control... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-4 | Impact Analyses | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CM-4 | Impact Analyses | Aligned | An analysis of the general information security practices ap... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-4 | Impact Analyses | Aligned | (b) A gap analysis of general information security practices... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-4 | Impact Analyses | Aligned | (c) An open 'Request for Comments' from business units, grou... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-4 | Impact Analyses | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CM-5 | Access Restrictions for Change (Key Control) | Aligned | Access groupings will be developed and tested prior to the i... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CM-5 | Access Restrictions for Change (Key Control) | Aligned | Refer to the Access Control Policy for additional details.... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
CM-6 | Configuration Settings | Aligned | IV. Maintaining Security while using Organizationally Owned ... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CM-6 | Configuration Settings | Aligned | Configuration settings and their impact on security and priv... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CM-6 | Configuration Settings | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-6 | Configuration Settings | Aligned | IV. Maintaining Security while using Organizationally Owned ... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
CM-6 | Configuration Settings | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
CM-7 | Least Functionality | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Configuration Settings... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-7 | Least Functionality | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-8 | System Component Inventory (Key Control) | Aligned | Control: CM-8... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CM-8 | System Component Inventory (Key Control) | Aligned | 1.2. Hardware, Software, Applications and Data - Inventory o... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CM-8 | System Component Inventory (Key Control) | Aligned | Asset Management – Establishes controls for asset identifica... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-8 | System Component Inventory (Key Control) | Aligned | Asset Management – Establishes controls for asset identifica... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-8 | System Component Inventory (Key Control) | Aligned | NIST CSF Subcategory Control Reference Control Name... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management Activities... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Least Functionality... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CM-9 | Configuration Management Plan | Aligned | Configuration Management \| Configuration Management Plan... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-1 | Policy and Procedures | Aligned | Contingency Planning Policy and Procedures... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CP-1 | Policy and Procedures | Aligned | Contingency planning policy and procedures... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CP-1 | Policy and Procedures | Aligned | Contingency Planning Policy and Procedures... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CP-1 | Policy and Procedures | Aligned | Divisions & Functions Policy Implementation... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CP-1 | Policy and Procedures | Aligned | Contingency planning policy and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-1 | Policy and Procedures | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-1 | Policy and Procedures | Aligned | Contingency Planning Policy and Procedures... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
CP-1 | Policy and Procedures | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
CP-1 | Policy and Procedures | Aligned | Contingency planning policy and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-1 | Policy and Procedures | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-1 | Policy and Procedures | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-1 | Policy and Procedures | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-1 | Policy and Procedures | Aligned | Contingency planning policy and procedures... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CP-10 | System Recovery and Reconstitution | Gap | Recovery is executing contingency plan activities to restore organizational mission and business fun... | | |
CP-11 | Alternate Communications Protocols | Gap | Contingency plans and the contingency training or testing associated with those plans incorporate an... | | |
CP-12 | Safe Mode | Gap | For systems that support critical mission and business functions—including military operations... | | |
CP-13 | Alternative Security Mechanisms | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-13 | Alternative Security Mechanisms | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-2 | Contingency Plan | Aligned | Contingency Planning \| Contingency Plan... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CP-2 | Contingency Plan | Aligned | CP-2 Contingency Planning \| Contingency Plan... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CP-2 | Contingency Plan | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
CP-2 | Contingency Plan | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-2 | Contingency Plan | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-2 | Contingency Plan | Aligned | Information Security Aspects of Business Continuity Manageme... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-2 | Contingency Plan | Aligned | Contingency planning policy and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-3 | Contingency Training (Key Control) | Aligned | Contingency training provided by organizations... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CP-3 | Contingency Training (Key Control) | Aligned | Contingency planning policy and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
CP-4 | Contingency Plan Testing | Gap | Methods for testing contingency plans to determine the effectiveness of the plans and identify poten... | | |
CP-6 | Alternate Storage Site (Key Control) | Gap | Alternate storage sites are geographically distinct from primary storage sites and maintain duplicat... Critical Gap - Key Control Missing | | |
CP-7 | Alternate Processing Site (Key Control) | Gap | Alternate processing sites are geographically distinct from primary processing sites and provide pro... Critical Gap - Key Control Missing | | |
CP-8 | Telecommunications Services (Key Control) | Gap | Telecommunications services (for data and voice) for primary and alternate processing and storage si... Critical Gap - Key Control Missing | | |
CP-9 | System Backup (Key Control) | Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
CP-9 | System Backup (Key Control) | Aligned | Devices should be password-protected and encrypted.... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
CP-9 | System Backup (Key Control) | Aligned | 1.2.1 Backup and 1.2.2 Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
CP-9 | System Backup (Key Control) | Aligned | Encryption of PII/NPI data element under regulatory, legal o... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
IA-1 | Policy and Procedures (Key Control) | Aligned | Identification and authentication policy and procedures... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-1 | Policy and Procedures (Key Control) | Aligned | Chunk: 1.6... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
IA-1 | Policy and Procedures (Key Control) | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-1 | Policy and Procedures (Key Control) | Aligned | Identification and authentication policy and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
IA-10 | Adaptive Authentication | Aligned | Section 7, Sub-section j, k, l... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-10 | Adaptive Authentication | Aligned | Identification & Authentication \| Adaptive Authentication... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-10 | Adaptive Authentication | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-10 | Adaptive Authentication | Aligned | Section 7: Password Management and Authentication... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-11 | Re-authentication (Key Control) | Aligned | Section 7, Sub-section j... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-11 | Re-authentication (Key Control) | Aligned | Identification & Authentication \| Re-Authentication... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-11 | Re-authentication (Key Control) | Aligned | Identification & Authentication \| Adaptive Authentication... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-11 | Re-authentication (Key Control) | Aligned | 1.9 LEAVING Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-11 | Re-authentication (Key Control) | Aligned | 1.1.3 Laptops... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
IA-11 | Re-authentication (Key Control) | Aligned | 1.2 Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
IA-11 | Re-authentication (Key Control) | Aligned | Section 7, Sub-section j... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-12 | Identity Proofing (Key Control) | Aligned | Identification & Authentication \| Identity Proofing... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-12 | Identity Proofing (Key Control) | Aligned | Identification & Authentication \| Identity Proofing... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-12 | Identity Proofing (Key Control) | Aligned | Identification & Authentication \| Re-Authentication... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-12 | Identity Proofing (Key Control) | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-12 | Identity Proofing (Key Control) | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | 1.6 DATA HANDLING... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | Password Requirements and Multi-Factor Authentication... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | User access to networks and network services... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | 1.10 REMOTE ACCESS TO Test’s SYSTEMS and 1.11 USER ID & PASS... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | Identification and Authentication Requirements... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | 1.2 Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | Access Control \| Remote Access... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | Identification and Authentication Requirements... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | 1.10 REMOTE ACCESS TO Test’s SYSTEMS and 1.11 USER ID & PASS... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
IA-2 | Identification and Authentication (Organizational Users) (Key Control) | Aligned | Access Control Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
IA-3 | Device Identification and Authentication (Key Control) | Aligned | Service Set Identifier (SSID)... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
IA-3 | Device Identification and Authentication (Key Control) | Aligned | Identifier (SSID)... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-3 | Device Identification and Authentication (Key Control) | Aligned | 9. Equipment and media containing confidential information s... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
IA-3 | Device Identification and Authentication (Key Control) | Aligned | 1.2 Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
IA-4 | Identifier Management (Key Control) | Aligned | Service Set Identifier (SSID)... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
IA-4 | Identifier Management (Key Control) | Aligned | Term Definitions related to User Accounts and Privileged Acc... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-4 | Identifier Management (Key Control) | Aligned | Management of identifiers upon termination... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-4 | Identifier Management (Key Control) | Aligned | 1.2 Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
IA-5 | Authenticator Management | Aligned | Section 7, Sub-section l... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-5 | Authenticator Management | Aligned | Section 7.j, 7.k, 7.l... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-5 | Authenticator Management | Aligned | Identification & Authentication \| Adaptive Authentication... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-5 | Authenticator Management | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-5 | Authenticator Management | Aligned | Account Management and Password Protection Requirements... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
IA-5 | Authenticator Management | Aligned | 1.1.3 Laptops... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
IA-5 | Authenticator Management | Aligned | 1.2 Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
IA-5 | Authenticator Management | Aligned | Section 7, Sub-section l... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-5 | Authenticator Management | Aligned | Section 7 - Password Management and Multi-Factor Authenticat... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-5 | Authenticator Management | Aligned | Account Management and Password Protection... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
IA-6 | Authentication Feedback | Gap | Authentication feedback from systems does not provide information that would allow unauthorized indi... | | |
IA-7 | Cryptographic Module Authentication (Key Control) | Aligned | Section 7, Sub-section j, k, l... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-7 | Cryptographic Module Authentication (Key Control) | Aligned | For Test’s implementation authentication, factors one throug... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IA-7 | Cryptographic Module Authentication (Key Control) | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-7 | Cryptographic Module Authentication (Key Control) | Aligned | Section 7, Sub-section j, k, l... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-8 | Identification and Authentication (Non-organizational Users) (Key Control) | Aligned | Identification and Authentication of Non-Organizational User... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-8 | Identification and Authentication (Non-organizational Users) (Key Control) | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IA-8 | Identification and Authentication (Non-organizational Users) (Key Control) | Aligned | Requirements for User Account Management... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
IA-8 | Identification and Authentication (Non-organizational Users) (Key Control) | Aligned | Identification and Authentication Requirements for Non-Organ... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
IA-8 | Identification and Authentication (Non-organizational Users) (Key Control) | Aligned | Password Requirements and Multi-Factor Authentication... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IA-8 | Identification and Authentication (Non-organizational Users) (Key Control) | Aligned | User Responsibilities and Password Protection... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
IA-9 | Service Identification and Authentication (Key Control) | Aligned | Identification & Authentication \| Adaptive Authentication... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
IR-1 | Policy and Procedures | Aligned | Detailed explanation of why the exception is necessary.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IR-1 | Policy and Procedures | Aligned | Incident Response Policy and Procedures... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IR-1 | Policy and Procedures | Aligned | Detailed explanation of why the exception is necessary.... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
IR-1 | Policy and Procedures | Aligned | Incident Response Policy and Procedures... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
IR-1 | Policy and Procedures | Aligned | Incident Response Policy and Procedures... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
IR-1 | Policy and Procedures | Aligned | Divisions & Functions are free to define and implement stron... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
IR-1 | Policy and Procedures | Aligned | Information Security Incident Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
IR-1 | Policy and Procedures | Aligned | Incident Response Policy and Procedures... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
IR-1 | Policy and Procedures | Aligned | Incident Response Policy and Procedures... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
IR-1 | Policy and Procedures | Aligned | Detailed explanation of why the exception is necessary.... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
IR-1 | Policy and Procedures | Aligned | Information Security Incident Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
IR-1 | Policy and Procedures | Aligned | Information Security Incident Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
IR-1 | Policy and Procedures | Aligned | Information Security Incident Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
IR-1 | Policy and Procedures | Aligned | Information Security Incident Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
IR-1 | Policy and Procedures | Aligned | Incident Response Policy and Procedures... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
IR-2 | Incident Response Training | Aligned | Incident Response \| Incident Response Training... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
IR-2 |
Incident Response Training
|
Aligned | Incident Response | Incident Response Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-2 |
Incident Response Training
|
Aligned | Incident response training is associated with the assigned r... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-2 |
Incident Response Training
|
Aligned | Incident response training is associated with the assigned r... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-2 |
Incident Response Training
|
Aligned | Incident Response... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-2 |
Incident Response Training
|
Aligned | Incident Response Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-3 |
Incident Response Testing
|
Aligned | Events that may precipitate an update to incident response t... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-3 |
Incident Response Testing
|
Aligned | Evaluation of Policies... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-3 |
Incident Response Testing
|
Aligned | Events that may precipitate an update to incident response t... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | Role Responsibility Information Technology Department... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | Role Responsibility CISO or his/her designee... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | 1.4 CONTACT WITH AUTHORITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | Role Responsibility Information Technology Department... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | Role Responsibility Information Technology Department... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | 1.4 CONTACT WITH AUTHORITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-4 |
Incident Handling
|
Aligned | Incident Response Management... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-5 |
Incident Monitoring
|
Aligned | Managers... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
IR-5 |
Incident Monitoring
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-5 |
Incident Monitoring
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-5 |
Incident Monitoring
|
Aligned | Incident Response Management... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-6 |
Incident Reporting
|
Aligned | 1.4 CONTACT WITH AUTHORITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-6 |
Incident Reporting
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-6 |
Incident Reporting
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-6 |
Incident Reporting
|
Aligned | 1.4 CONTACT WITH AUTHORITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
IR-7 |
Incident Response Assistance
|
Gap | Incident response support resources provided by organizations include help desks, assistance groups,... | ||
IR-8 |
Incident Response Plan
|
Aligned | Incident response training includes user training in identif... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-8 |
Incident Response Plan
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-8 |
Incident Response Plan
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-8 |
Incident Response Plan
|
Aligned | Incident response training includes user training in identif... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-9 |
Information Spillage Response
|
Aligned | Information Security Incident Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
IR-9 |
Information Spillage Response
|
Aligned | 1.1 Data Handling Procedures... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | 1.11 MAINTENANCE and 1.12 EXCEPTION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | 1.0 PURPOSE... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | Detailed explanation of why the exception is necessary and D... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | Maintenance policy and procedures address the controls in th... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | Divisions & Functions are free to define and implement stron... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | Chunk: 1.6... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | Detailed explanation of why the exception is necessary and D... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MA-1 |
Policy and Procedures
|
Aligned | Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
MA-2 |
Controlled Maintenance
Key Control
|
Aligned | 1.3 IT Asset (NEW) and other assets Retirement and Disposal... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
MA-3 |
Maintenance Tools
|
Aligned | 1.6 MAINTENANCE... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
MA-4 |
Nonlocal Maintenance
|
Aligned | 1.6 DATA HANDLING... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MA-4 |
Nonlocal Maintenance
|
Aligned | 1.2 Endpoint Security Device Management... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
MA-5 |
Maintenance Personnel
Key Control
|
Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MA-5 |
Maintenance Personnel
Key Control
|
Aligned | Control: MA-5: Maintenance personnel refers to individuals w... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
MA-5 |
Maintenance Personnel
Key Control
|
Aligned | Leaving Test... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
MA-5 |
Maintenance Personnel
Key Control
|
Aligned | Personnel Security | External Personnel Security... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
MA-5 |
Maintenance Personnel
Key Control
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MA-5 |
Maintenance Personnel
Key Control
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MA-6 |
Timely Maintenance
Key Control
|
Gap |
Organizations specify the system components that result in increased risk to organizational operatio...
Critical Gap - Key Control Missing
|
||
MA-7 |
Field Maintenance
|
Gap | Field maintenance is the type of maintenance conducted on a system or system component after the sys... | ||
MP-1 |
Policy and Procedures
|
Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | Media protection policy and procedures... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | Chunk: 1.12... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | 1.4 EXCEPTION... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | Acceptable Use of Assets... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | Media protection policy and procedures... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | Chunk: 1.6... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | Media Protection | Media Marking, Media Storage, Media Trans... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-1 |
Policy and Procedures
|
Aligned | Media protection policy and procedures... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MP-2 |
Media Access
|
Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-2 |
Media Access
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MP-2 |
Media Access
|
Aligned | Media Protection | Media Access... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-2 |
Media Access
|
Aligned | Media Protection | Media Marking, Media Protection | Media S... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MP-2 |
Media Access
|
Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-2 |
Media Access
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MP-3 |
Media Marking
|
Aligned | Media Protection | Media Marking... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-3 |
Media Marking
|
Aligned | Media Protection | Media Marking... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MP-4 |
Media Storage
|
Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-4 |
Media Storage
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MP-4 |
Media Storage
|
Aligned | Media Protection | Media Storage... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-4 |
Media Storage
|
Aligned | Asset Management and Physical and Environmental Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MP-4 |
Media Storage
|
Aligned | Media Protection | Media Storage... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MP-4 |
Media Storage
|
Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-4 |
Media Storage
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MP-4 |
Media Storage
|
Aligned | Physical and Environmental Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | Disposal of Media, Physical Media Transfer... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | Only USB sticks and other removable devices that have been a... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | Media Protection | Media Transport... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | Asset Management – Establishes controls for asset identifica... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | Backup Media... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | Disposal (in accordance with Retention Policy) and procedure... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-5 |
Media Transport
Key Control
|
Aligned | Asset Management and Cryptography... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | Media Protection | Media Sanitization... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | Secure Disposal or Re-Use of Equipment... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | Disposal of Media... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | Leaving Test... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | Media Protection | Media Sanitization... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | Media Protection | Media Sanitization... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | 1.2.2 Asset Disposal & Re-Use... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | 1.3 IT Asset (NEW) and other assets Retirement and Disposal... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
MP-6 |
Media Sanitization
|
Aligned | Disposal (in accordance with Retention Policy)... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MP-7 |
Media Use
Key Control
|
Aligned | Disposal of Media, Physical Media Transfer, Removable Assets... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
MP-7 |
Media Use
Key Control
|
Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-7 |
Media Use
Key Control
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MP-7 |
Media Use
Key Control
|
Aligned | Media Protection | Media Use... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-7 |
Media Use
Key Control
|
Aligned | Media Protection for High-Risk Technology Assets... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
MP-7 |
Media Use
Key Control
|
Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
MP-7 |
Media Use
Key Control
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
MP-8 |
Media Downgrading
|
Aligned | Media Protection | Media Downgrading... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
MP-8 |
Media Downgrading
|
Aligned | 1.2.2 Asset Disposal & Re-Use... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
MP-8 |
Media Downgrading
|
Aligned | Media Protection | Media Downgrading... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | 1.11 MAINTENANCE and 1.12 EXCEPTION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | h. Should ensure that physical access to assets is managed a... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Physical Access Management... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Ensure that physical access to assets is managed and protect... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | f. Ensure that the security controls are in place while usin... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | h. Should ensure that physical access to assets is managed a... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | h. Should ensure that physical access to assets is managed a... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Physical Access Management... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | h. Should ensure that physical access to assets is managed a... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | h. Should ensure that physical access to assets is managed a... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | h. Should ensure that physical access to assets is managed a... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | 1.12 EXCEPTION... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | 1.4 EXCEPTION... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Divisions & Functions are free to define and implement stron... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Physical and environmental protection policy and procedures... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | 1.6... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Policy Exception Process... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Physical and environmental protection policy and procedures... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-1 |
Policy and Procedures
|
Aligned | Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
PE-10 |
Emergency Shutoff
|
Gap | Emergency power shutoff primarily applies to organizational facilities that contain concentrations o... | ||
PE-11 |
Emergency Power
|
Gap | An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency p... | ||
PE-12 |
Emergency Lighting
|
Gap | The provision of emergency lighting applies primarily to organizational facilities that contain conc... | ||
PE-13 |
Fire Protection
|
Gap | The provision of fire detection and suppression systems applies primarily to organizational faciliti... | ||
PE-14 |
Environmental Controls
|
Aligned | Physical and Environmental Security Policy... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-14 |
Environmental Controls
|
Aligned | Physical & Environmental Protection... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
PE-15 |
Water Damage Protection
|
Gap | The provision of water damage protection primarily applies to organizational facilities that contain... | ||
PE-16 |
Delivery and Removal
Key Control
|
Aligned | User access to networks and network services... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-16 |
Delivery and Removal
Key Control
|
Aligned | 1.9 LEAVING Test... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
PE-16 |
Delivery and Removal
Key Control
|
Aligned | Physical and Environmental Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-16 |
Delivery and Removal
Key Control
|
Aligned | Physical and Environmental Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-16 |
Delivery and Removal
Key Control
|
Aligned | Access Control Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
PE-17 |
Alternate Work Site
Key Control
|
Gap |
Alternate work sites include government facilities or the private residences of employees. While dis...
Critical Gap - Key Control Missing
|
||
PE-18 |
Location of System Components
Key Control
|
Gap |
Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terror...
Critical Gap - Key Control Missing
|
||
PE-19 |
Information Leakage
|
Aligned | Confidential Data... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
PE-2 |
Physical Access Authorizations
Key Control
|
Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
PE-2 |
Physical Access Authorizations
Key Control
|
Aligned | while PE-2 addresses physical access for individuals whose m... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-2 |
Physical Access Authorizations
Key Control
|
Aligned | Leaving Test... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
PE-2 |
Physical Access Authorizations
Key Control
|
Aligned | Personnel Security | External Personnel Security... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
PE-2 |
Physical Access Authorizations
Key Control
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-2 |
Physical Access Authorizations
Key Control
|
Aligned | Physical and Environmental Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-2 |
Physical Access Authorizations
Key Control
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-2 |
Physical Access Authorizations
Key Control
|
Aligned | Physical and Environmental Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-20 |
Asset Monitoring and Tracking
Key Control
|
Aligned | f. Ensure that the security controls are in place while usin... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-21 |
Electromagnetic Pulse Protection
|
Gap | An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a rang... | ||
PE-22 |
Component Marking
Key Control
|
Aligned | Scope and Applicability... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
PE-22 |
Component Marking
Key Control
|
Aligned | 1.14 BRING YOUR OWN DEVICE (BYOD)... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
PE-22 |
Component Marking
Key Control
|
Aligned | Overview... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
PE-22 |
Component Marking
Key Control
|
Aligned | 1.1 Data Handling Procedures... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
PE-23 |
Facility Location
|
Gap | Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terror... | ||
PE-3 |
Physical Access Control
Key Control
|
Aligned | f. Ensure that the security controls are in place while usin... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-3 |
Physical Access Control
Key Control
|
Aligned | Physical & Environmental Protection | Asset Monitoring & Tra... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
PE-3 |
Physical Access Control
Key Control
|
Aligned | Physical and Environmental Security – Establishes controls t... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-3 |
Physical Access Control
Key Control
|
Aligned | Physical and Environmental Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-3 |
Physical Access Control
Key Control
|
Aligned | Physical and Environmental Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PE-4 |
Access Control for Transmission
|
Aligned | Network Controls... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
PE-5 |
Access Control for Output Devices
Key Control
|
Gap |
Controlling physical access to output devices includes placing output devices in locked rooms or oth...
Critical Gap - Key Control Missing
|
||
PE-6 |
Monitoring Physical Access
Key Control
|
Aligned | Physical access monitoring includes publicly accessible area... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
PE-6 |
Monitoring Physical Access
Key Control
|
Aligned | Physical & Environmental Protection | Asset Monitoring & Tra... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
PE-8 |
Visitor Access Records
|
Gap | Visitor access records include the names and organizations of individuals visiting, visitor signatur... | ||
PE-9 |
Power Equipment and Cabling
|
Gap | Organizations determine the types of protection necessary for the power equipment and cabling employ... | ||
PL-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Chunk: 1.12... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Policy Statement of intent that is implemented as a procedur... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | 1.4 EXCEPTION... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Divisions & Functions are free to define and implement stron... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Risk Policy, Cloud Policy, End-user Device Security Policy, ... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Compliance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | 1.6 EXCEPTION... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Policy exception process and requirements... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Risk Policy, Cloud Policy, End-user Device Security Policy, ... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Compliance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Compliance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PL-1 |
Policy and Procedures
|
Aligned | Compliance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PL-10 |
Baseline Selection
|
Aligned | 1.4 EXCEPTION... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
PL-10 |
Baseline Selection
|
Aligned | Control Baselines... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PL-10 |
Baseline Selection
|
Aligned | Control baselines are predefined sets of controls specifical... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
PL-11 |
Baseline Tailoring
|
Aligned | Physical & Environmental Protection | Asset Monitoring & Tra... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
PL-11 |
Baseline Tailoring
|
Control ID | Control Name | Status | Evidence Section | Document | Actions |
---|---|---|---|---|---|
PL-11 | Baseline Tailoring | Aligned | Control: PL-11... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PL-11 | Baseline Tailoring | Aligned | Tailoring Actions and Control Baselines... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PL-11 | Baseline Tailoring | Aligned | Control: PL-11... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PL-11 | Baseline Tailoring | Aligned | Tailoring Controls... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PL-2 | System Security and Privacy Plans | Gap | System security and privacy plans are scoped to the system and system components within the defined ... | | |
PL-4 | Rules of Behavior (Key Control) | Aligned | 1.3 DATA OWNER RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PL-4 | Rules of Behavior (Key Control) | Aligned | f. Ensure that the security controls are in place while usin... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PL-4 | Rules of Behavior (Key Control) | Aligned | Rules of Behavior... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PL-4 | Rules of Behavior (Key Control) | Aligned | VII. Test adopts the NIST CSF and ISO 27001 standards as the... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PL-4 | Rules of Behavior (Key Control) | Aligned | 1.2 Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
PL-4 | Rules of Behavior (Key Control) | Aligned | Rules of behavior for organizational users... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PL-4 | Rules of Behavior (Key Control) | Aligned | VII. Test adopts the NIST CSF and ISO 27001 standards as the... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PL-7 | Concept of Operations | Gap | The CONOPS may be included in the security or privacy plans for the system or in other system develo... | | |
PL-8 | Security and Privacy Architectures | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PL-9 | Central Management (Key Control) | Aligned | Control: PL-9: Central management refers to organization-wid... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PL-9 | Central Management (Key Control) | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PM-1 | Information Security Program Plan | Aligned | Program Management \| Information Security Program Plan... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-1 | Information Security Program Plan | Aligned | 1.4 EXCEPTION... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
PM-1 | Information Security Program Plan | Aligned | Security and privacy programs collaborate on the development... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-1 | Information Security Program Plan | Aligned | Security and privacy program policies and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-1 | Information Security Program Plan | Aligned | Program Management \| Information Security Program Plan... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-10 | Authorization Process (Key Control) | Aligned | Role Responsibility Information Technology... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PM-10 | Authorization Process (Key Control) | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-10 | Authorization Process (Key Control) | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-11 | Mission and Business Process Definition (Key Control) | Aligned | 1.0 PURPOSE... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PM-11 | Mission and Business Process Definition (Key Control) | Aligned | Protection needs are technology-independent capabilities tha... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PM-11 | Mission and Business Process Definition (Key Control) | Aligned | 1.4 EXCEPTION... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
PM-11 | Mission and Business Process Definition (Key Control) | Aligned | Control: PM-11... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-11 | Mission and Business Process Definition (Key Control) | Aligned | 1.6... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
PM-11 | Mission and Business Process Definition (Key Control) | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PM-11 | Mission and Business Process Definition (Key Control) | Aligned | Control: PM-11... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-12 | Insider Threat Program | Aligned | Program Management \| Information Security Program Leadership... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-12 | Insider Threat Program | Aligned | Program Management \| Information Security Program Leadership... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-13 | Security and Privacy Workforce | Aligned | Program Management \| Security & Privacy Workforce... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PM-13 | Security and Privacy Workforce | Aligned | Program Management... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-13 | Security and Privacy Workforce | Aligned | Program Management \| Security Awareness & Skills Training... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-13 | Security and Privacy Workforce | Aligned | Program Management \| Security & Privacy Workforce... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-13 | Security and Privacy Workforce | Aligned | Information Security Awareness, Education and Training... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-13 | Security and Privacy Workforce | Aligned | Information Security Awareness, Education and Training... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-13 | Security and Privacy Workforce | Aligned | Program Management... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-13 | Security and Privacy Workforce | Aligned | Program Management \| Security & Privacy Workforce... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-14 | Testing, Training, and Monitoring | Aligned | System & Communications Protection \| Security Awareness & Sk... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PM-14 | Testing, Training, and Monitoring | Aligned | 1.7 INFORMATION SECURITY EDUCATION & TRAINING... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PM-14 | Testing, Training, and Monitoring | Aligned | 1.2 GENERAL USER RESPONSIBILITIES... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PM-14 | Testing, Training, and Monitoring | Aligned | Overview and Scope & Applicability... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
PM-14 | Testing, Training, and Monitoring | Aligned | 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-14 | Testing, Training, and Monitoring | Aligned | 1.2 GENERAL USER RESPONSIBILITIES... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PM-15 | Security and Privacy Groups and Associations | Aligned | Role Responsibility... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-15 | Security and Privacy Groups and Associations | Aligned | 1.4 CONTACT WITH AUTHORITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-16 | Threat Awareness Program | Gap | Because of the constantly changing and increasing sophistication of adversaries, especially the adva... | | |
PM-17 | Protecting Controlled Unclassified Information on External Systems | Aligned | 1.0 PURPOSE... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PM-17 | Protecting Controlled Unclassified Information on External Systems | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PM-18 | Privacy Program Plan | Gap | A privacy program plan is a formal document that provides an overview of an organization’s pri... | | |
PM-19 | Privacy Program Leadership Role | Gap | The privacy officer is an organizational official. For federal agencies—as defined by applicab... | | |
PM-2 | Information Security Program Leadership Role | Aligned | Role Responsibility Information Technology Department... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PM-2 | Information Security Program Leadership Role | Aligned | Program Management \| Information Security Program Leadership... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-2 | Information Security Program Leadership Role | Aligned | Role Responsibility Information Technology Department... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PM-2 | Information Security Program Leadership Role | Aligned | Program Management \| Information Security Program Leadership... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-20 | Dissemination of Privacy Program Information | Gap | For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include p... | | |
PM-21 | Accounting of Disclosures (Key Control) | Gap (Critical Gap - Key Control Missing) | The purpose of accounting of disclosures is to allow individuals to learn to whom their personally i... | | |
PM-22 | Personally Identifiable Information Quality Management | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PM-23 | Data Governance Body (Key Control) | Aligned | 1.3 DATA OWNER RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PM-23 | Data Governance Body (Key Control) | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PM-24 | Data Integrity Board | Gap | A Data Integrity Board is the board of senior officials designated by the head of a federal agency a... | | |
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | Aligned | Confidential Data... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PM-26 | Complaint Management | Gap | Complaints, concerns, and questions from individuals can serve as valuable sources of input to organ... | | |
PM-27 | Privacy Reporting | Aligned | 1.4 CONTACT WITH AUTHORITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-28 | Risk Framing | Gap | Risk framing is most effective when conducted at the organization level and in consultation with sta... | | |
PM-29 | Risk Management Program Leadership Roles | Aligned | Role Responsibility... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-29 | Risk Management Program Leadership Roles | Aligned | Role Responsibility... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-3 | Information Security and Privacy Resources | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-3 | Information Security and Privacy Resources | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-30 | Supply Chain Risk Management Strategy | Aligned | Vendor Risk Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-30 | Supply Chain Risk Management Strategy | Aligned | Vendor Risk Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-31 | Continuous Monitoring Strategy | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PM-31 | Continuous Monitoring Strategy | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PM-32 | Purposing | Aligned | 1.0 PURPOSE... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
PM-32 | Purposing | Aligned | 1.0 PURPOSE... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
PM-4 | Plan of Action and Milestones Process | Gap | The plan of action and milestones is a key organizational document and is subject to reporting requi... | | |
PM-5 | System Inventory | Aligned | 1.2. Hardware, Software, Applications and Data Inventory of ... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PM-5 | System Inventory | Aligned | NIST CSF Subcategory Control Reference Control Name... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-6 | Measures of Performance | Gap | Measures of performance are outcome-based metrics used by an organization to measure the effectivene... | | |
PM-7 | Enterprise Architecture | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-7 | Enterprise Architecture | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-8 | Critical Infrastructure Plan | Gap | Protection strategies are based on the prioritization of critical assets and resources. The requirem... | | |
PM-9 | Risk Management Strategy | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PM-9 | Risk Management Strategy | Aligned | Risk Policy - Establishes controls to ensure identification,... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-9 | Risk Management Strategy | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-9 | Risk Management Strategy | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-9 | Risk Management Strategy | Aligned | Vendor Risk Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PM-9 | Risk Management Strategy | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | 1.1 SCOPE & APPLICABILITY... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | f. Ensure that the security controls are in place while usin... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | 1.4 EXCEPTION... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | Personnel Security... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | Chunk: 1.6... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | Policy Exception Process... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | Role Responsibility Information Technology Department and CI... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PS-1 | Policy and Procedures (Key Control) | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-2 | Position Risk Designation (Key Control) | Aligned | Control: PS-2: Position risk designations reflect Office of ... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PS-2 | Position Risk Designation (Key Control) | Aligned | Personnel Security \| Position Descriptions... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-2 | Position Risk Designation (Key Control) | Aligned | Personnel Security \| Position Descriptions... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-2 | Position Risk Designation (Key Control) | Aligned | 1.0 Scope & Applicability... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PS-2 | Position Risk Designation (Key Control) | Aligned | Personnel Security \| Position Descriptions... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-3 | Personnel Screening (Key Control) | Aligned | 1.2 SCOPE & APPLICABILITY... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PS-3 | Personnel Screening (Key Control) | Aligned | 1.3 BACKGROUND CHECKS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PS-3 | Personnel Screening (Key Control) | Aligned | 1.2 SCOPE & APPLICABILITY... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PS-3 | Personnel Screening (Key Control) | Aligned | Personnel Security... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-4 | Personnel Termination (Key Control) | Aligned | User accounts management upon employment status changes... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PS-4 | Personnel Termination (Key Control) | Aligned | User account locking and deletion upon termination... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PS-4 | Personnel Termination (Key Control) | Aligned | 1.9 LEAVING Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PS-4 | Personnel Termination (Key Control) | Aligned | Return of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-4 | Personnel Termination (Key Control) | Aligned | 1.5 ENFORCEMENT/COMPLIANCE... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
PS-5 | Personnel Transfer | Aligned | User accounts, including privileged user accounts, entitleme... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PS-5 | Personnel Transfer | Aligned | 1.9 LEAVING Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PS-6 | Access Agreements | Aligned | Segregation of duties... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-7 | External Personnel Security (Key Control) | Aligned | Coordination and oversight of third-party relationships... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-7 | External Personnel Security (Key Control) | Aligned | Personnel Security... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-7 | External Personnel Security (Key Control) | Aligned | Personnel Security \| External Personnel Security... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-7 | External Personnel Security (Key Control) | Aligned | Coordination and oversight of third-party relationships... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-8 | Personnel Sanctions | Aligned | 1.10 ENFORCEMENT... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PS-8 | Personnel Sanctions | Aligned | 1.6 ENFORCEMENT/COMPLIANCE... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
PS-8 | Personnel Sanctions | Aligned | 1.8 DISCIPLINARY PROCESS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PS-8 | Personnel Sanctions | Aligned | ENFORCEMENT/COMPLIANCE... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
PS-8 | Personnel Sanctions | Aligned | Personnel Security... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-8 | Personnel Sanctions | Aligned | 1.4 ENFORCEMENT/COMPLIANCE... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-8 | Personnel Sanctions | Aligned | Personnel Security \| Personnel Sanctions... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-8 | Personnel Sanctions | Aligned | Section XI and XII regarding disciplinary actions and except... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PS-8 | Personnel Sanctions | Aligned | ENFORCEMENT/COMPLIANCE... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
PS-8 | Personnel Sanctions | Aligned | 1.6 ENFORCEMENT/COMPLIANCE... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PS-8 | Personnel Sanctions | Aligned | 1.6 ENFORCEMENT/COMPLIANCE... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
PS-8 | Personnel Sanctions | Aligned | Disciplinary Actions and Exceptions... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Role Responsibility... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Role Responsibility Information Technology Department... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Personnel Security \| Position Descriptions... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Personnel Security... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Personnel Security \| Position Descriptions... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Personnel Security \| Position Descriptions... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Information Security Roles & Responsibilities... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Role Responsibility Information Technology Department... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Information Security Roles & Responsibilities... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PS-9 | Position Descriptions (Key Control) | Aligned | Personnel Security \| Position Descriptions... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PT-1 | Policy and Procedures | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
PT-1 | Policy and Procedures | Aligned | f. Ensure that the security controls are in place while usin... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
PT-1 | Policy and Procedures | Aligned | 1.0 PURPOSE... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
PT-1 | Policy and Procedures | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PT-1 | Policy and Procedures | Aligned | 1.4 EXCEPTION... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
PT-1 | Policy and Procedures | Aligned | Acceptable Use of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PT-1 | Policy and Procedures | Aligned | 1.6... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
PT-1 | Policy and Procedures | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PT-1 | Policy and Procedures | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
PT-1 | Policy and Procedures | Aligned | Control: PT-1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PT-2 | Authority to Process Personally Identifiable Information (Key Control) | Aligned | 1.3 DATA OWNER RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PT-2 | Authority to Process Personally Identifiable Information (Key Control) | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PT-3 | Personally Identifiable Information Processing Purposes (Key Control) | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PT-4 | Consent | Aligned | 1.2 GENERAL USER RESPONSIBILITIES... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PT-4 | Consent | Aligned | 1.2 GENERAL USER RESPONSIBILITIES... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
PT-5 | Privacy Notice | Gap | Privacy notices help inform individuals about how their personally identifiable information is being... | | |
PT-6 | System of Records Notice | Gap | The PRIVACT requires that federal agencies publish a system of records notice in the Federal Registe... | | |
PT-7 | Specific Categories of Personally Identifiable Information (Key Control) | Aligned | Restricted Data... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
PT-7 | Specific Categories of Personally Identifiable Information (Key Control) | Aligned | Term Definitions... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PT-8 | Computer Matching Requirements | Gap | The PRIVACT establishes requirements for federal and non-federal agencies if they engage in a matchi... | | |
RA-1 | Policy and Procedures | Aligned | 1.1 SCOPE & APPLICABILITY... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
RA-1 | Policy and Procedures | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Assessment Policy and Procedures... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
RA-1 | Policy and Procedures | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk assessment policy and procedures... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-1 | Policy and Procedures | Aligned | Chunk: 1.4... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
RA-1 | Policy and Procedures | Aligned | Divisions & Functions are free to define and implement stron... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Policy - Establishes controls to ensure identification,... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-1 | Policy and Procedures | Aligned | Chunk: 1.6... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
RA-1 | Policy and Procedures | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-1 | Policy and Procedures | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Policy - Establishes controls to ensure identification,... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Policy - Establishes controls to ensure identification,... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-1 | Policy and Procedures | Aligned | Risk Policy - Establishes controls to ensure identification,... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-1 | Policy and Procedures | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-1 | Policy and Procedures | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-10 | Threat Hunting | Aligned | Threat hunting is an active means of cyber defense... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
RA-10 | Threat Hunting | Aligned | Threat Hunting... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | 1.0 PURPOSE... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
RA-2 | Security Categorization | Aligned | Classification of Information... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-2 | Security Categorization | Aligned | Security categorization of information and systems guides th... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-2 | Security Categorization | Aligned | Such analysis is conducted as part of security categorizatio... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-2 | Security Categorization | Aligned | Security categorization processes facilitate the development... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | Security Categorization... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | Risk assessments can also be conducted at various steps in t... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | Such analysis is conducted as part of security categorizatio... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | Risk Categorization... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
RA-2 | Security Categorization | Aligned | VII. Test adopts the NIST CSF and ISO 27001 standards as the... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-2 | Security Categorization | Aligned | Classification of Information... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-2 | Security Categorization | Aligned | Risk Assessment \| Security Categorization... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-2 | Security Categorization | Aligned | Security Categorization... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-2 | Security Categorization | Aligned | Security categorization process as an organization-wide acti... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | Security Categorization... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | Organizations can conduct risk assessments at all three leve... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | Such analysis is conducted as part of security categorizatio... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-2 | Security Categorization | Aligned | VII. Test adopts the NIST CSF and ISO 27001 standards as the... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-2 | Security Categorization | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-3 | Risk Assessment (Key Control) | Aligned | Risk assessments consider threats, vulnerabilities, likeliho... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-3 | Risk Assessment (Key Control) | Aligned | 1.0 PURPOSE... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
RA-3 | Risk Assessment (Key Control) | Aligned | 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-3 | Risk Assessment (Key Control) | Aligned | Risk assessments consider threats, vulnerabilities, likeliho... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-3 | Risk Assessment (Key Control) | Aligned | 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-3 | Risk Assessment (Key Control) | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Vulnerability monitoring includes scanning for patch levels;... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Vulnerability monitoring includes scanning for patch levels;... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Vulnerability Monitoring... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Continuous Vulnerability Management... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Vulnerability monitoring includes scanning for patch levels;... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Risk Assessment \| Security Categorization... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Vulnerability Monitoring and Analysis... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-5 | Vulnerability Monitoring and Scanning | Aligned | Continuous Vulnerability Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-6 | Technical Surveillance Countermeasures Survey | Gap | A technical surveillance countermeasures survey is a service provided by qualified personnel to dete... | | |
RA-7 | Risk Response | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-7 | Risk Response | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-8 | Privacy Impact Assessments | Aligned | Privacy Impact Assessment Overview... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-8 | Privacy Impact Assessments | Aligned | Privacy Impact Assessment... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Control assessments, such as red team exercises, provide add... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Criticality analysis is performed when an architecture or de... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Risk assessment is an ongoing activity carried out throughou... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Criticality analysis is performed when an architecture or de... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Criticality Analysis... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Risk Assessment \| Security Categorization... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Criticality Analysis... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Risk assessment is an ongoing activity carried out throughou... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | Criticality analysis is performed when an architecture or de... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
RA-9 | Criticality Analysis (Key Control) | Aligned | 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SA-1 | Policy and Procedures | Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
SA-1 | Policy and Procedures | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SA-1 | Policy and Procedures | Aligned | 1.12 EXCEPTION... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SA-1 | Policy and Procedures | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SA-1 | Policy and Procedures | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SA-1 | Policy and Procedures | Aligned | 1.4... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
SA-1 | Policy and Procedures | Aligned | Divisions & Functions are free to define and implement stron... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
|
|
SA-1 |
Policy and Procedures
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-1 |
Policy and Procedures
|
Aligned | 1.6... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
SA-1 |
Policy and Procedures
|
Aligned | Policy Exceptions and Implementation... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SA-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SA-1 |
Policy and Procedures
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SA-1 |
Policy and Procedures
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-1 |
Policy and Procedures
|
Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SA-10 |
Developer Configuration Management
|
Aligned | System & Services Acquisition | Developer Configuration Mana... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-10 |
Developer Configuration Management
|
Aligned | Configuration Management | Configuration Management Plan... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-10 |
Developer Configuration Management
|
Aligned | System & Services Acquisition | Developer Configuration Mana... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-10 |
Developer Configuration Management
|
Aligned | System & Services Acquisition | Developer Configuration Mana... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-10 |
Developer Configuration Management
|
Aligned | System & Services Acquisition | Developer Configuration Mana... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-10 |
Developer Configuration Management
|
Aligned | System & Services Acquisition | Developer Configuration Mana... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-10 |
Developer Configuration Management
|
Aligned | Configuration Management | Developer Configuration Managemen... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-11 |
Developer Testing and Evaluation
|
Aligned | 1.1.1 General Controls... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
SA-15 |
Development Process, Standards, and Tools
|
Aligned | Configuration Management | Configuration Settings... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-15 |
Development Process, Standards, and Tools
|
Aligned | Configuration Management | Configuration Settings... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-16 |
Developer-provided Training
|
Aligned | 1.7 INFORMATION SECURITY EDUCATION & TRAINING... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
SA-17 |
Developer Security and Privacy Architecture and Design
|
Gap | Developer security and privacy architecture and design are directed at external developers, although... | ||
SA-2 |
Allocation of Resources
|
Aligned | In exceptional cases Divisions & Functions may implement a l... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
SA-2 |
Allocation of Resources
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-2 |
Allocation of Resources
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-20 |
Customized Development of Critical Components
|
Aligned | System & Services Acquisition | Customized Development of Cr... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SA-20 |
Customized Development of Critical Components
|
Aligned | SA-20: Organizations determine that certain system component... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SA-20 |
Customized Development of Critical Components
|
Aligned | Supply Chain Risk Management Plans... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SA-21 |
Developer Screening
Key Control
|
Aligned | 1.2 SCOPE & APPLICABILITY... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
SA-22 |
Unsupported System Components
|
Gap | Support for system components includes software patches, firmware updates, replacement parts, and ma... | ||
SA-23 |
Specialization
Key Control
|
Gap |
It is often necessary for a system or system component that supports mission-essential services or f...
Critical Gap - Key Control Missing
|
||
SA-3 |
System Development Life Cycle
|
Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SA-3 |
System Development Life Cycle
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-3 |
System Development Life Cycle
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-3 |
System Development Life Cycle
|
Aligned | Endpoint Security Device Management... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
SA-3 |
System Development Life Cycle
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-3 |
System Development Life Cycle
|
Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | Security and privacy functional requirements are typically d... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | 1.4 EXCEPTION... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | Security and privacy functional requirements... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | Section 1.6 - EXCEPTION... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SA-4 |
Acquisition Process
|
Aligned | Security and privacy functional requirements are typically d... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-5 |
System Documentation
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-5 |
System Documentation
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-5 |
System Documentation
|
Aligned | Vendor Risk Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | Systems security and privacy engineering principles are clos... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | Control: SA-8... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | Control: SA-8... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | Endpoint Security Device Management... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | System & Communications Protection | Boundary Protection... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | Systems security and privacy engineering principles are clos... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | VII. Test adopts the NIST CSF and ISO 27001 standards as the... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-8 |
Security and Privacy Engineering Principles
|
Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SA-9 |
External System Services
Key Control
|
Aligned | Coordination and oversight of third-party relationships... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SA-9 |
External System Services
Key Control
|
Aligned | Vendor Risk Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-9 |
External System Services
Key Control
|
Aligned | Vendor Risk Management... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SA-9 |
External System Services
Key Control
|
Aligned | Coordination and oversight of third-party relationships... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | 1.11 MAINTENANCE and 1.12 EXCEPTION... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | f. Ensure that the security controls are in place while usin... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | 1.4 EXCEPTION... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | Divisions & Functions are free to define and implement stron... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | In exceptional cases Divisions & Functions may implement a l... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | 1.6... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | System and communications protection policy and procedures... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | 1.5 EXCEPTION... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | 1.17 EXCEPTION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | System Acquisition, Development and Maintenance... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-1 |
Policy and Procedures
|
Aligned | Policy... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SC-10 |
Network Disconnect
|
Gap | Network disconnect applies to internal and external networks. Terminating network connections associ... | ||
SC-11 |
Trusted Path
|
Gap | Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) ... | ||
SC-12 |
Cryptographic Key Establishment and Management
|
Aligned | 9.0 Cryptographic Policy... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-12 |
Cryptographic Key Establishment and Management
|
Aligned | Encryption is to be used to protect the confidentiality of r... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-12 |
Cryptographic Key Establishment and Management
|
Aligned | Cryptography – Establishes controls for proper and effective... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-12 |
Cryptographic Key Establishment and Management
|
Aligned | Cryptography... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-12 |
Cryptographic Key Establishment and Management
|
Aligned | Cryptography... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-13 |
Cryptographic Protection
|
Aligned | 9.0 Cryptographic Policy... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-13 |
Cryptographic Protection
|
Aligned | Section v and vi... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-13 |
Cryptographic Protection
|
Aligned | Cryptography – Establishes controls for proper and effective... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-13 |
Cryptographic Protection
|
Aligned | Cryptography... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-15 |
Collaborative Computing Devices and Applications
|
Aligned | System & Communications Protection | Collaborative Computing... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-16 |
Transmission of Security and Privacy Attributes
|
Aligned | Restricted Data... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-16 |
Transmission of Security and Privacy Attributes
|
Aligned | 1.2.1 Access Control... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-16 |
Transmission of Security and Privacy Attributes
|
Aligned | Confidentiality or Non-Disclosure Agreements, Securing Appli... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
SC-16 |
Transmission of Security and Privacy Attributes
|
Aligned | Data Security classification policy... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SC-16 |
Transmission of Security and Privacy Attributes
|
Aligned | Assets ownership and responsibilities... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
SC-16 |
Transmission of Security and Privacy Attributes
|
Aligned | Term Definitions... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-16 |
Transmission of Security and Privacy Attributes
|
Aligned | proprietary information, trade secrets or any other sensitiv... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SC-17 |
Public Key Infrastructure Certificates
|
Aligned | 9.0 Cryptography Policy... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-18 |
Mobile Code
|
Aligned | f. Ensure that the security controls are in place while usin... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-18 |
Mobile Code
|
Aligned | 1.2 Endpoint Security Device Management... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
SC-18 |
Mobile Code
|
Aligned | 1.4 SECURITY & PROPRIETARY INFORMATION... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SC-2 |
Separation of System and User Functionality
|
Aligned | 1.3 DATA OWNER RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-2 |
Separation of System and User Functionality
|
Aligned | User access to networks and network services... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-20 |
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
|
Aligned | System & Communications Protection | Secure Name/Address Res... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-20 |
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
|
Aligned | System & Communications Protection | Secure Name/address Res... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-20 |
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
|
Aligned | System & Communications Protection| Secure Name/address Reso... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-20 |
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
|
Aligned | System & Communications Protection| Secure Name/address Reso... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-21 |
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
|
Aligned | System & Communications Protection | Secure Name/Address Res... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-21 |
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
|
Aligned | System & Communications Protection| Secure Name/address Reso... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-21 |
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
|
Aligned | System & Communications Protection| Secure Name/address Reso... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-21 |
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
|
Aligned | System & Communications Protection| Architecture and Provisi... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-22 |
Architecture and Provisioning for Name/Address Resolution Service
|
Aligned | System & Communications Protection | Secure Name/Address Res... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-22 |
Architecture and Provisioning for Name/Address Resolution Service
|
Aligned | System & Communications Protection| Secure Name/address Reso... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-22 |
Architecture and Provisioning for Name/Address Resolution Service
|
Aligned | System & Communications Protection| Secure Name/address Reso... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-23 |
Session Authenticity
|
Aligned | System & Communications Protection| Session Authenticity... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-23 |
Session Authenticity
|
Aligned | All external connections to Test networks or Information Res... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-23 |
Session Authenticity
|
Aligned | System & Communications Protection| Session Authenticity... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-24 |
Fail in Known State
|
Aligned | Information Security Aspects of Business Continuity Manageme... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-24 |
Fail in Known State
|
Aligned | Information Security Aspects of Business Continuity Manageme... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-25 |
Thin Nodes
|
Gap | The deployment of system components with minimal functionality reduces the need to secure every endp... | ||
SC-26 |
Decoys
|
Gap | Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and de... | ||
SC-27 |
Platform-independent Applications
|
Gap | Platforms are combinations of hardware, firmware, and software components used to execute software a... | ||
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Controls can be viewed as descriptions of the safeguards and... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | 1.4 DATA CUSTODIAN RESPONSIBILITIES... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Encryption is to be used to protect the confidentiality of r... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Information Resources which are necessary for their work, an... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Encryption is to be used to protect the confidentiality of r... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Devices should be password-protected and encrypted.... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Only USB sticks and other removable devices that have been a... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Asset Management, Access Control, Cryptography... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Encryption of PII/NPI data under regulatory, legal or contra... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-28 |
Protection of Information at Rest
Key Control
|
Aligned | Asset Management, Access Control, Cryptography... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-29 |
Heterogeneity
|
Gap | Increasing the diversity of information technologies within organizational systems reduces the impac... | ||
SC-3 |
Security Function Isolation
|
Aligned | System & Communications Protection | Boundary Protection... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-30 |
Concealment and Misdirection
|
Gap | Concealment and misdirection techniques can significantly reduce the targeting capabilities of adver... | ||
SC-31 |
Covert Channel Analysis
|
Gap | Developers are in the best position to identify potential areas within systems that might lead to co... | ||
SC-32 |
System Partitioning
|
Gap | System partitioning is part of a defense-in-depth protection strategy. Organizations determine the d... | ||
SC-34 |
Non-modifiable Executable Programs
|
Gap | The operating environment for a system contains the code that hosts applications, including operatin... | ||
SC-35 |
External Malicious Code Identification
|
Aligned | Section 6: Unacceptable Uses of Test’s Systems... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SC-36 |
Distributed Processing and Storage
|
Gap | Distributing processing and storage across multiple physical locations or logical domains provides a... | ||
SC-37 |
Out-of-band Channels
Key Control
|
Aligned | System & Communications Protection| Out-of-Band Channels... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-37 |
Out-of-band Channels
Key Control
|
Aligned | Network Controls... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
SC-37 |
Out-of-band Channels
Key Control
|
Aligned | System & Communications Protection| Out-of-Band Channels... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-38 |
Operations Security
|
Aligned | Scope & Applicability... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-38 |
Operations Security
|
Aligned | Operations Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-38 |
Operations Security
|
Aligned | Operations Security... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-39 |
Process Isolation
|
Gap | Systems can maintain separate execution domains for each executing process by assigning each process... | ||
SC-4 |
Information in Shared System Resources
|
Aligned | Leaving Test... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
SC-4 |
Information in Shared System Resources
|
Aligned | 1.2.2 Asset Disposal & Re-Use... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
SC-40 |
Wireless Link Protection
|
Aligned | Section 10 and 11 regarding approved end-user devices and th... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
SC-41 |
Port and I/O Device Access
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SC-41 |
Port and I/O Device Access
|
Aligned | 1.12 REMOVEABLE STORAGE DEVICES... |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf
|
|
SC-42 |
Sensor Capability and Data
Key Control
|
Aligned | Monitoring of User’s device and Installation of Software on ... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SC-42 |
Sensor Capability and Data
Key Control
|
Aligned | Ensure that the security controls are in place while using m... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-42 |
Sensor Capability and Data
Key Control
|
Aligned | Monitoring of User’s device and Installation of Software on ... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SC-43 |
Usage Restrictions
|
Aligned | Usage Restrictions and Compliance... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SC-43 |
Usage Restrictions
|
Aligned | Overview, Scope & Applicability... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
SC-43 |
Usage Restrictions
|
Aligned | Acceptable Use of Assets... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
SC-43 |
Usage Restrictions
|
Aligned | 1.2 Endpoint Security Device Management... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
SC-43 |
Usage Restrictions
|
Aligned | Usage Restrictions and Compliance... |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf
|
|
SC-44 |
Detonation Chambers
|
Gap | Detonation chambers, also known as dynamic execution environments, allow organizations to open email... | ||
SC-45 |
System Time Synchronization
|
Gap | Time synchronization of system clocks is essential for the correct execution of many system services... | ||
SC-46 |
Cross Domain Policy Enforcement
|
Gap | For logical policy enforcement mechanisms, organizations avoid creating a logical path between inter... | ||
SC-47 |
Alternate Communications Paths
|
Aligned | Managers... |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf
|
|
SC-47 |
Alternate Communications Paths
|
Aligned | Information Security Incident Management and Information Sec... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-47 |
Alternate Communications Paths
|
Aligned | Information Security Incident Management and Information Sec... |
anonymized_3.0_IS_Information_Security_Policy_2.pdf
|
|
SC-48 |
Sensor Relocation
|
Gap | Adversaries may take various paths and use different approaches as they move laterally through an or... | ||
SC-49 |
Hardware-enforced Separation and Policy Enforcement
|
Gap | System owners may require additional strength of mechanism and robustness to ensure domain separatio... | ||
SC-5 |
Denial-of-service Protection
|
Aligned | System & Communications Protection| Denial-of-Service Protec... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-5 |
Denial-of-service Protection
|
Aligned | Denial-of-service events may occur due to a variety of inter... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
|
SC-5 |
Denial-of-service Protection
|
Aligned | System & Communications Protection| Denial-of-Service Protec... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-50 |
Software-enforced Separation and Policy Enforcement
Key Control
|
Aligned | 1.4 EXCEPTION... |
anonymized_7.2_IS_End_User_Device_Standard.pdf
|
|
SC-50 |
Software-enforced Separation and Policy Enforcement
Key Control
|
Aligned | 1.6 EXCEPTION... |
anonymized_7.1_IS_Asset_Management_Standard.pdf
|
|
SC-50 |
Software-enforced Separation and Policy Enforcement
Key Control
|
Aligned | 1.4 MAINTAINANCE and 1.5 EXCEPTIONS... |
anonymized_6.1_IS_Data_Security_Standards.pdf
|
|
SC-51 |
Hardware-based Protection
|
Gap | None.... | ||
SC-6 |
Resource Availability
|
Gap | Priority protection prevents lower-priority processes from delaying or interfering with the system t... | ||
SC-7 |
Boundary Protection
|
Aligned | System & Communications Protection| Boundary Protection... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-7 |
Boundary Protection
|
Aligned | System & Communications Protection | Secure Name/Address Res... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-7 |
Boundary Protection
|
Aligned | System monitoring capabilities are achieved through a variet... |
anonymized_6.0_IS_Data_Security_Policy_1.pdf
|
|
SC-7 |
Boundary Protection
|
Aligned | a. Appropriate controls for User access to networks and netw... |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
|
|
SC-7 |
Boundary Protection
|
Aligned | Network Controls... |
anonymized_7.0_IS_Asset_Management_Policy.pdf
|
|
SC-7 |
Boundary Protection
|
Aligned | Network Controls... |
 | | | | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SC-7 | Boundary Protection | Aligned | Network Controls... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SC-7 | Boundary Protection | Aligned | Network Controls... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SC-7 | Boundary Protection | Aligned | Network Controls... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SC-7 | Boundary Protection | Aligned | Network and Firewall Security Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SC-7 | Boundary Protection | Aligned | System & Communications Protection \| Boundary Protection... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SC-7 | Boundary Protection | Aligned | System & Communications Protection \| Boundary Protection... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SC-7 | Boundary Protection | Aligned | System & Communications Protection \| Resource Availability... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SC-7 | Boundary Protection | Aligned | Network and Firewall Security Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SC-7 | Boundary Protection | Aligned | Access to Networks & Network Services... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | The application of systems security and privacy engineering ... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | Contingency Planning \| Telecommunications Services... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | All external connections to Test networks or Information Res... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | Encryption is to be used to protect the confidentiality of r... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | Protecting the confidentiality and integrity of transmitted ... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | In certain offices, encrypted USB devices are required.... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | Voice Communications Equipment Protection... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | Protection of system backup information while in transit.... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | Contingency Planning \| Telecommunications Services... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SC-8 | Transmission Confidentiality and Integrity | Aligned | Control: SC-8: Protecting the confidentiality and integrity ... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SI-1 | Policy and Procedures | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-1 | Policy and Procedures | Aligned | 1.7 WORDING and 1.8 GLOSSARY... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
SI-1 | Policy and Procedures | Aligned | 1.12 EXCEPTION... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SI-1 | Policy and Procedures | Aligned | 1.4 EXCEPTION... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
SI-1 | Policy and Procedures | Aligned | Policy Exception Process... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SI-1 | Policy and Procedures | Aligned | Internet Security & Usage Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SI-1 | Policy and Procedures | Aligned | Internet Security & Usage Policy – Establishes controls that... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SI-1 | Policy and Procedures | Aligned | Internet Security & Usage Policy... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SI-1 | Policy and Procedures | Aligned | 1.6... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
SI-1 | Policy and Procedures | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-1 | Policy and Procedures | Aligned | 1.5 EXCEPTION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-1 | Policy and Procedures | Aligned | Internet Security & Usage Policy – Establishes controls that... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SI-1 | Policy and Procedures | Aligned | Internet Security & Usage Policy – Establishes controls that... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SI-1 | Policy and Procedures | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SI-1 | Policy and Procedures | Aligned | 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SI-10 | Information Input Validation | Aligned | Checks into a system or report to ensure the logical consist... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
SI-11 | Error Handling | Gap | Organizations consider the structure and content of error messages. The extent to which systems can ... | | |
SI-12 | Information Management and Retention | Aligned | 1.8 DATA RETENTION... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
SI-12 | Information Management and Retention | Aligned | Control: SI-12: Information management and retention require... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
SI-12 | Information Management and Retention | Aligned | Information Management and Retention... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SI-12 | Information Management and Retention | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SI-12 | Information Management and Retention | Aligned | 1.3 IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
SI-12 | Information Management and Retention | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-12 | Information Management and Retention | Aligned | Information management and retention requirements cover the ... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-13 | Predictable Failure Prevention | Gap | While MTTF is primarily a reliability issue, predictable failure prevention is intended to address p... | | |
SI-14 | Non-persistence | Gap | Implementation of non-persistent components and services mitigates risk from advanced persistent thr... | | |
SI-15 | Information Output Filtering | Gap | Certain types of attacks, including SQL injections, produce output results that are unexpected or in... | | |
SI-16 | Memory Protection | Gap | Some adversaries launch attacks with the intent of executing code in non-executable regions of memor... | | |
SI-17 | Fail-safe Procedures | Gap | Failure conditions include the loss of communications among critical system components or between sy... | | |
SI-18 | Personally Identifiable Information Quality Operations | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-19 | De-identification | Aligned | 1.9 LEAVING Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SI-19 | De-identification | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-2 | Flaw Remediation | Aligned | IV. Maintaining Security while using Organizationally Owned ... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-2 | Flaw Remediation | Aligned | 1.5 ORGANIZATIONALY OWNED & MANAGED INFO SYSTEMS & ASSETS... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SI-2 | Flaw Remediation | Aligned | IV. Maintaining Security while using Organizationally Owned ... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-2 | Flaw Remediation | Aligned | 1.5 ORGANIZATIONALY OWNED & MANAGED INFO SYSTEMS & ASSETS... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SI-20 | Tainting | Aligned | 1.8 DISCIPLINARY PROCESS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SI-20 | Tainting | Aligned | Requirements for handling suspicious emails... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SI-20 | Tainting | Aligned | Requirements for handling suspicious emails... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SI-21 | Information Refresh | Aligned | 1.8 DATA RETENTION... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
SI-21 | Information Refresh | Aligned | 1.2.2 Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SI-22 | Information Diversity (Key Control) | Gap (Critical Gap - Key Control Missing) | Actions taken by a system service or a function are often driven by the information it receives. Cor... | | |
SI-23 | Information Fragmentation | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-3 | Malicious Code Protection | Aligned | Section 4: Posting Test information on public Internet sites... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-3 | Malicious Code Protection | Aligned | Malicious code protection mechanisms include both signature-... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
SI-3 | Malicious Code Protection | Aligned | Section 4: All PCs and laptops should be equipped with up-to... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
SI-3 | Malicious Code Protection | Aligned | System & Communications Protection \| Boundary Protection... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-3 | Malicious Code Protection | Aligned | Malicious code protection mechanisms include both signature-... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-4 | System Monitoring | Aligned | 1.2 SYSTEM USE NOTIFICATION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-4 | System Monitoring | Aligned | Network Monitoring & Defense... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
SI-4 | System Monitoring | Aligned | System monitoring includes external and internal monitoring.... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SI-4 | System Monitoring | Aligned | System Monitoring Overview... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SI-4 | System Monitoring | Aligned | Overview, Scope & Applicability... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
SI-4 | System Monitoring | Aligned | Network Controls... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SI-4 | System Monitoring | Aligned | Information Security Incident Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SI-4 | System Monitoring | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-4 | System Monitoring | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-4 | System Monitoring | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-4 | System Monitoring | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-4 | System Monitoring | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-4 | System Monitoring | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-4 | System Monitoring | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-4 | System Monitoring | Aligned | 1.2 SYSTEM USE NOTIFICATION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-4 | System Monitoring | Aligned | Organizations may determine that, in response to the detecti... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-4 | System Monitoring | Aligned | System monitoring includes external and internal monitoring.... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SI-5 | Security Alerts, Advisories, and Directives (Key Control) | Aligned | Role Responsibility... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SI-6 | Security and Privacy Function Verification | Aligned | 1.9 LEAVING Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SI-6 | Security and Privacy Function Verification | Aligned | 1.2 SYSTEM USE NOTIFICATION... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | Integrity Checks... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | Monitoring of User’s device and Installation of Software on ... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | 1.2. Hardware, Software, Applications and Data - Inventory o... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | System & Communications Protection \| Boundary Protection... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-7 | Software, Firmware, and Information Integrity (Key Control) | Aligned | Installation of Software on User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-8 | Spam Protection | Aligned | Section 6: Unacceptable Uses of Test's Systems... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-8 | Spam Protection | Aligned | Section 6: Personal firewalls software should be installed a... | anonymized_7.2_IS_End_User_Device_Standard.pdf | |
SI-8 | Spam Protection | Aligned | Network Controls... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SI-8 | Spam Protection | Aligned | System & Communications Protection \| Boundary Protection... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SI-8 | Spam Protection | Aligned | Section 6 - Unacceptable Uses of Test’s Systems... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SI-8 | Spam Protection | Aligned | 1.4 SECURITY & PROPRIETARY INFORMATION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SR-1 | Policy and Procedures | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SR-1 | Policy and Procedures | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SR-1 | Policy and Procedures | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SR-1 | Policy and Procedures | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
SR-1 | Policy and Procedures | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SR-1 | Policy and Procedures | Aligned | Divisions & Functions are free to define and implement stron... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SR-1 | Policy and Procedures | Aligned | Supply chain risk management policy and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-1 | Policy and Procedures | Aligned | 1.6 EXCEPTION... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
SR-1 | Policy and Procedures | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SR-1 | Policy and Procedures | Aligned | Supply chain risk management policy and procedures... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-1 | Policy and Procedures | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SR-10 | Inspection of Systems or Components | Gap | The inspection of systems or systems components for tamper resistance and detection addresses physic... | | |
SR-11 | Component Authenticity | Gap | Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-... | | |
SR-12 | Component Disposal | Aligned | Disposal of Media... | anonymized_6.0_IS_Data_Security_Policy_1.pdf | |
SR-12 | Component Disposal | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SR-12 | Component Disposal | Aligned | 1.2.2 Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
SR-12 | Component Disposal | Aligned | 1.3 IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
SR-12 | Component Disposal | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
SR-12 | Component Disposal | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
SR-2 | Supply Chain Risk Management Plan | Aligned | Supply Chain Risk Management Overview... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SR-2 | Supply Chain Risk Management Plan | Aligned | Program Management \| Information Security Program Leadership... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SR-2 | Supply Chain Risk Management Plan | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-2 | Supply Chain Risk Management Plan | Aligned | Vendor Risk Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-2 | Supply Chain Risk Management Plan | Aligned | Supply Chain Risk Management Overview... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf | |
SR-2 | Supply Chain Risk Management Plan | Aligned | System Acquisition, Development and Maintenance; Vendor Risk... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-2 | Supply Chain Risk Management Plan | Aligned | Program Management \| Service Provider Management... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SR-3 | Supply Chain Controls and Processes (Key Control) | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-3 | Supply Chain Controls and Processes (Key Control) | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-4 | Provenance (Key Control) | Gap (Critical Gap - Key Control Missing) | Every system and system component has a point of origin and may be changed throughout its existence.... | | |
SR-5 | Acquisition Strategies, Tools, and Methods | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-5 | Acquisition Strategies, Tools, and Methods | Aligned | Vendor Risk Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-5 | Acquisition Strategies, Tools, and Methods | Aligned | IT Asset Procurement... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
SR-5 | Acquisition Strategies, Tools, and Methods | Aligned | System Acquisition, Development and Maintenance... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-6 | Supplier Assessments and Reviews (Key Control) | Aligned | Coordination and oversight of third-party relationships... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SR-6 | Supplier Assessments and Reviews (Key Control) | Aligned | Vendor Risk Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-6 | Supplier Assessments and Reviews (Key Control) | Aligned | Vendor Risk Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-6 | Supplier Assessments and Reviews (Key Control) | Aligned | Coordination and oversight of third-party relationships... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SR-7 | Supply Chain Operations Security | Aligned | Asset Management Policy and Supplier Relationship Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SR-7 | Supply Chain Operations Security | Aligned | Operations Security... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-7 | Supply Chain Operations Security | Aligned | Operations Security... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-7 | Supply Chain Operations Security | Aligned | Coordination and oversight of third-party relationships... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SR-8 | Notification Agreements (Key Control) | Aligned | Information Security Incident Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-8 | Notification Agreements (Key Control) | Aligned | IT Asset Procurement... | anonymized_7.1_IS_Asset_Management_Standard.pdf | |
SR-8 | Notification Agreements (Key Control) | Aligned | Information Security Incident Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
SR-8 | Notification Agreements (Key Control) | Aligned | Coordination and oversight of third-party relationships... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
SR-9 | Tamper Resistance and Detection | Gap | Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system co... | | |
MA-2b | Controlled Maintenance | Aligned | Installation of Software on User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
MA-2b | Controlled Maintenance | Aligned | Installation of Software on User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
AC-17(1) | Remote Access | Aligned | Monitoring of User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
AC-17(1) | Remote Access | Aligned | Monitoring of User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
AC-17(1) | Remote Access | Aligned | Section c) and e)... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
AU-6(1) | Audit Review, Analysis, and Reporting | Aligned | Monitoring of User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
AU-6(1) | Audit Review, Analysis, and Reporting | Aligned | Monitoring of User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
AU-6(1) | Audit Review, Analysis, and Reporting | Aligned | Section f)... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
CM-3(1) | Configuration Change Control | Aligned | Installation of Software on User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
A.16 | Application Software Security | Aligned | Control: A.16... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
A.16 | Application Software Security | Aligned | Service Provider Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
15 | Service Provider Management | Aligned | Service Provider Management... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
15 | Service Provider Management | Aligned | Supply chain risk management (SCRM) activities include ident... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.11.1.4 | Protecting Against External & Environmental Threats | Aligned | Protecting Against External & Environmental Threats... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
A.11.1.4 | Protecting Against External & Environmental Threats | Aligned | Control: SC-7... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.11.1.4 | Protecting Against External & Environmental Threats | Aligned | Threat actions that may increase security or privacy risks i... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.11.1.4 | Protecting Against External & Environmental Threats | Aligned | Management of Privileged Access Rights... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.11.1.4 | Protecting Against External & Environmental Threats | Aligned | Physical & Environmental Protection... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.11.1.4 | Protecting Against External & Environmental Threats | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.6.1.2 | Segregation of Duties | Aligned | Supply chain OPSEC expands the scope of OPSEC to include sup... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Supply chain information includes user identities; uses for ... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Policy... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Mission and business process definitions and the associated ... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | System and communications protection policy and procedures... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Physical & Environmental Protection... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.9.1.1 | Access Control Policy | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.9.1.2 | Access to Networks & Network Services | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.2 | Access to Networks & Network Services | Aligned | Network Monitoring & Defense... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.2 | Access to Networks & Network Services | Aligned | Network Monitoring & Defense... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.2 | Access to Networks & Network Services | Aligned | Network Monitoring & Defense... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.2 | Access to Networks & Network Services | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.2 | Access to Networks & Network Services | Aligned | Network Monitoring & Defense... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.2 | Access to Networks & Network Services | Aligned | Control: SC-7... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.1.2 | Access to Networks & Network Services | Aligned | NIST CSF... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.4.1 | Information Access Restriction | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.4.1 | Information Access Restriction | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.4.1 | Information Access Restriction | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.4.1 | Information Access Restriction | Aligned | Access Control Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.9.4.1 | Information Access Restriction | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.13.1.1 | Network Controls | Aligned | Network Monitoring & Defense... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.13.1.1 | Network Controls | Aligned | Network Monitoring & Defense... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.13.1.1 | Network Controls | Aligned | Control: SC-7... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.13.1.1 | Network Controls | Aligned | A.13.1.1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.13.1.1 | Network Controls | Aligned | Network Controls... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.13.1.1 | Network Controls | Aligned | A.13.1.1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.13.1.3 | Segregation in Networks | Aligned | Network Monitoring & Defense... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
AC-2g | Account Management | Aligned | Managers... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.2.3 | Access to Networks & Network Services | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.9.2.3 | Access to Networks & Network Services | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.10.1.1 | Policy on the Utilization of Cryptographic Controls | Aligned | NIST CSF... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
A.10.1.1 | Policy on the Utilization of Cryptographic Controls | Aligned | A.10.1.1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.10.1.1 | Policy on the Utilization of Cryptographic Controls | Aligned | A.10.1.1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.10.1.1 | Policy on the Utilization of Cryptographic Controls | Aligned | Access to Networks & Network Services... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.10.1.1 | Policy on the Utilization of Cryptographic Controls | Aligned | A.10.1.1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
AC-6(9) | Access Control Policy | Aligned | Access Control Policy... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | |
ID.AM-6 | Security Awareness & Skills Training | Aligned | 1.11 CONTROL REFERENCES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
ID.AM-6 | Security Awareness & Skills Training | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
ID.AM-6 | Security Awareness & Skills Training | Aligned | Control References... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
ID.AM-6 | Security Awareness & Skills Training | Aligned | 1.11 CONTROL REFERENCES... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
ID.AM-6 | Security Awareness & Skills Training | Aligned | Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.7.1.2 | Terms & Conditions of Employment | Aligned | Information Security Awareness, Education and Training... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.13.2.1 | Policy on the Utilization of Cryptographic Controls | Aligned | Policy on the Utilization of Cryptographic Controls... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.13.2.1 | Policy on the Utilization of Cryptographic Controls | Aligned | Segregation in Networks... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
A.13.2.1 | Policy on the Utilization of Cryptographic Controls | Aligned | A.13.2.1... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | |
PR.DS-5 | Data Protection | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
PR.DS-5 | Data Protection | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.11.2.1 | Equipment Siting & Protection | Aligned | Physical & Environmental Protection... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.11.2.1 | Equipment Siting & Protection | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
A.11.2.1 | Equipment Siting & Protection | Aligned | Physical & Environmental Protection \| Asset Monitoring & Tra... | anonymized_7.0_IS_Asset_Management_Policy.pdf | |
ID.GV-1 | Governance | Aligned | Information Security... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
ID.GV-1 | Governance | Aligned | 1.10 CONTROL REFERENCES... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
ID.GV-1 | Governance | Aligned | Definition of Information Security... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PR.IP-7 | Vulnerability Management | Aligned | Continuous vulnerability monitoring tools that use instrumen... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
AM-1 | Asset Management | Aligned | Asset Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
PR.IP-6 | Privacy Engineering Principles | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PR.IP-6 | Privacy Engineering Principles | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PR.IP-6 | Privacy Engineering Principles | Aligned | System & Communications Protection \| Boundary Protection... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PR.IP-6 | Privacy Engineering Principles | Aligned | System & Communications Protection \| Boundary Protection... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PR.IP-6 | Privacy Engineering Principles | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PR.IP-6 | Privacy Engineering Principles | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
PR.IP-6 | Privacy Engineering Principles | Aligned | System & Information Integrity \| System Monitoring... | anonymized_6.1_IS_Data_Security_Standards.pdf | |
CM-2(2) | Configuration Change Control | Aligned | Installation of Software on User’s device.... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf | |
A.5.1.1 | Policies for Information Security | Aligned | 1.10 CONTROL REFERENCES... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
3.1 | Asset Management (Key Control) | Aligned | Asset Management... | anonymized_3.0_IS_Information_Security_Policy_2.pdf | |
A.7.2.2 | Information Security Awareness, Education and Training | | | | |
|
Aligned | Information Security Awareness, Education and Training... |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf
|
anonymized_2.1_IS_Acceptable_Use_Standard.pdf CIS
3 matches found

Matched Section: V. Bring Your Own Device
Content: Mandatory security controls and safeguards have been identified by Test for managing security for personally owned devices registered, provisioned, and authorized to connect to Test’s network. By participating in Test’s BYOD program, the User agrees to the following: a. Wiping or removal of data of User’s device. 1. User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Test managed application.
AI Justification: The section describes the process for wiping or removing data from personal devices, which the assessment maps to the requirement to securely dispose of data under a documented data management process.

Matched Section: 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use
Content: Data processing using Test-authorized encrypted removable media (USB drives, external hard drives).
AI Justification: The section explicitly requires Test-authorized encrypted removable media for data processing, which aligns with the control's encryption requirement for removable media.

Matched Section: V. Bring Your Own Device
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device.
AI Justification: The section explicitly grants the ability to remotely wipe data from personal devices enrolled in the BYOD program, which the assessment maps to the control's remote-wipe requirement. Note that the quoted text covers personally owned devices only; it does not by itself evidence the same capability on enterprise-owned devices, which is what the control asks for.
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf CIS
1 match found

Matched Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification: The document labels itself 'Confidential', which the assessment maps to the requirement to establish and maintain a data classification scheme. A classification label on the document shows that a scheme is in use; it does not by itself evidence that the scheme is defined, maintained and periodically reviewed.
anonymized_3.0_IS_Information_Security_Policy_2.pdf CIS
3 matches found

Matched Section: Asset Management
Content: Asset Management – Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets.
AI Justification: The section establishes controls for asset identification and handling, which the assessment maps to the requirement to address unauthorized assets.

Matched Section: Asset Management – Establishes controls for asset identification, inventory, ownership and handling.
Content: Asset Management – Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets.
AI Justification: The chunk establishes controls for asset identification and inventory, which aligns with the requirement to maintain an accurate inventory of enterprise assets.

Matched Section: Control: 3.7: Establish and maintain an overall data classification scheme for the enterprise.
Content: Control: 3.7: Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.
AI Justification: The chunk restates Control 3.7 itself, including the example labels (“Sensitive,” “Confidential,” “Public”) and the requirement to review the scheme annually or on significant enterprise change, which matches the data classification scheme requirement directly.
anonymized_2.0_IS_Acceptable_Use_Policy.pdf CIS
2 matches found

Matched Section: Data Classification Policy
Content: proprietary information, trade secrets or any other sensitive material covered by Data Security classification policy. This includes but is not limited to blogging and social media usage.
AI Justification: The text refers to sensitive material covered by a Data Security classification policy, which the assessment maps to establishing and maintaining a data classification scheme.

Matched Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee: 1. Policy statement requiring the exception. 2. Exception duration. Provide detailed information.
AI Justification: The section describes the general policy exception process (ServiceNow form, director-level and CISO approval, stated exception duration), which the assessment maps to control 2.2's requirement to document exceptions for unsupported software. The quoted text is a general mechanism and does not mention unsupported software specifically.
anonymized_2.1_IS_Acceptable_Use_Standard.pdf NIST
66 matches found

Matched Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification: The text establishes a baseline of technical and organizational controls and an InfoSec-approved exception process, which the assessment maps to AC-1 (access control policy and procedures).

Matched Section: 1.6 ENFORCEMENT/COMPLIANCE
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification: The text describes disciplinary consequences for policy violations, which the assessment maps to AC-2 (account management). Note that the quoted text does not itself identify authorized users, specify access privileges or describe account types, so it supports AC-2 only indirectly.

Matched Section: c. Internet Use Restrictions
Content: 1. Transmitting non-public information over the internet or unsecure means.
AI Justification: The chunk restricts transmitting non-public information over the internet or other unsecured means, which aligns with the control's focus on managing access to nonpublic information.

Matched Section: Section 9: Mobile Device Security Responsibilities
Content: If the device is lost or stolen, the user should IMMEDIATELY report this to the Information Security Department and IT Department so they can remotely wipe or remove all data from the device. This applies even if the user has misplaced the device and knows where it is located. If the user has left it behind somewhere like at a hotel or restaurant and has made plans to pick it up, the incident should be reported.
AI Justification: The text sets out user responsibilities for mobile device security, including immediate reporting of lost or stolen devices so that data can be remotely wiped, which aligns with the requirements for mobile device protection and control.
Matched Section: Section 9: Mobile Device Security Responsibilities
Content: At no time is the user permitted to store any Test data on a cloud-based storage.
AI Justification: The text prohibits storing Test data in cloud-based storage from mobile devices, which the assessment maps to the requirements for managing mobile devices, including devices not controlled by the organization.

Matched Section: 1.6 ENFORCEMENT/COMPLIANCE
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment. Violation of these policies by anyone other than an employee performing services for Test, including anyone performing services pursuant to a contract, may be grounds for immediate termination. Test may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification: The section sets out enforcement and the consequences of violations for employees and contractors, which the assessment maps to the access control policies that govern authorized access.

Matched Section: c. Internet Use Restrictions
Content: 1. Transmitting non-public information over the internet or unsecure means.
AI Justification: The chunk restricts transmitting non-public information over the internet, which aligns with information flow control.

Matched Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Test systems, all users should be presented a system use notification message upon login. Where such messages are not able to be presented to the user, Test should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification: The chunk explicitly requires a system use notification at login, with active monitoring as the compensating measure where a banner cannot be shown, which matches the requirements of control AC-8.

Matched Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Test systems, all users should be presented a system use notification message upon login.
AI Justification: The section requires a system use notification message at login; the assessment maps it to the requirement that users be informed of their previous logon. A system use banner is not the same as a last-logon notification, so the quoted text supports this control only indirectly.
Matched Section: Monitoring of User’s device
Content: 1. User agrees that designated staff can monitor his/her device and review any data as long as the data is stored or processed by a Test managed application.
AI Justification: The chunk covers monitoring of the user's device and review of data held in Test-managed applications, which the assessment maps to session auditing.

Matched Section: 2.1 Acceptable Use Standard
Content: The information contained herein is the property of Test Freres & Co. LLC (“Test") and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Test without prior written permission.
AI Justification: The chunk is the document's proprietary notice restricting copying, use, storage and disclosure outside Test, which the assessment maps to the control's focus on preventing unauthorized disclosure.

Matched Section: Monitoring of User’s device.
Content: 1. User agrees that designated staff can monitor his/her device and review any data as long as the data is stored or processed by a Test managed application.
AI Justification: The chunk covers monitoring of user devices and review of data, which the assessment maps to audit record review and analysis.

Matched Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied.
AI Justification: The text describes the policy exception process and the baseline of controls it applies to, which the assessment maps to CA-1's requirement for assessment, authorization and monitoring policies and procedures.

Matched Section: Installation of Software on User’s device.
Content: User agrees to install required software on his/her device, including but not limited to, antivirus/antimalware, operating system upgrades, and software that accesses and collects data stored in a Test managed application.
AI Justification: The section records the user's agreement to install required software (antivirus/antimalware, operating system upgrades and data-collection agents), which aligns with the control's focus on managing software installations.

Matched Section: Monitoring of User’s device.
Content: 1. User agrees that designated staff can monitor his/her device and review any data as long as the data is stored or processed by a Test managed application.
AI Justification: The text requires users to accept monitoring of their devices, which the assessment maps to continuous monitoring of controls.

Matched Section: Monitoring of User’s device.
Content: 2. Monitoring can be conducted live or through automated programs that detect and flag unsafe practices.
AI Justification: Live or automated monitoring that detects and flags unsafe practices aligns with the review of audit records for security purposes; the quoted text does not address retention of those records.
Matched Section: Installation of Software on User’s device.
Content: 1. User agrees to install required software on his/her device, including but not limited to, antivirus/antimalware, operating system upgrades, and software that accesses and collects data stored in a Test managed application.
AI Justification: The requirement for users to install specific software on their devices aligns with the control for maintaining and managing software on devices.

Matched Section: V. Bring Your Own Device
Content: Mandatory security controls and safeguards have been identified by Test for managing security for personally owned devices registered, provisioned, and authorized to connect to Test’s network. By participating in Test’s BYOD program, the User agrees to the following: a. Wiping or removal of data of User’s device. 1. User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Test managed application.
AI Justification: The chunk covers the handling of personal data (contact information, photos, personal emails) on personal devices, including remote copying, wiping and removal, which the assessment maps to the control's focus on data actions involving PII.

Matched Section: IV. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets
Content: To maintain security, users SHOULD: a. Ensure they do not turn off the antivirus software or take any other action to inhibit automatic updates. b. Promptly report any indication that automatic updates are not working properly to the Help desk. c. Ensure they do not disable the pre-configured, password protected screensaver. d. Assets are updated only when they are connected to the VPN. e. Owners of BYOD devices should promptly follow helpdesk directions to apply security updates and patches to their devices as outlined in the Test Global IT policies. f. Do not dispose of pre-defined Test Standard images on laptops. Do not apply privately created images as outlined in the Test Global IT policies.
AI Justification: The chunk requires users to preserve security-relevant configuration settings (antivirus enabled, automatic updates, password-protected screensaver, standard laptop images) and to apply updates, which aligns with the control's definition of configuration settings that affect security posture.

Matched Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets.
AI Justification: The text describes InfoSec approval of policy exceptions and a baseline of controls; the assessment maps it to IA-1 (identification and authentication policy and procedures), although the quoted text does not address identification or authentication specifically.

Matched Section: Identification and Authentication Requirements
Content: Passwords should not be based on personal information, names of family, pets, etc. NOTE/EXCEPTION: There may be instances where third party or legacy systems are unable to adhere to certain password requirements. In such cases, an exception should be received from the Test CISO. Users should be aware that Test systems will lockout users after the threshold for invalid access attempts has been reached. The general threshold is set to five failed attempts but may be set lower depending on specific system requirements. Multi-Factor Authentication (MFA) is required to access the Test network, any internet facing applications and certain sensitive and business critical Test systems.
AI Justification: The text sets password composition rules, a lockout threshold of five failed attempts (or lower per system) and mandatory MFA for network access, internet-facing applications and sensitive systems, which aligns with the requirements for identification and authentication of organizational users.
Document Content
Matched Section
Section: Section 7, Sub-section j
Content: If an account or password is suspected to have been compromised or to be known by someone other than the credential owner, users should change that password immediately and inform Test’s Information Security Team.
Content: If an account or password is suspected to have been compromised or to be known by someone other than the credential owner, users should change that password immediately and inform Test’s Information Security Team.
AI Justification
The text discusses the need for users to change passwords immediately if they suspect compromise, which aligns with the re-authentication requirements when credentials change.
Document Content
Matched Section
Section: Section 7, Sub-section l
Content: If available, Multi-Factor Authentication (MFA) should be used to augment credential security.
Content: If available, Multi-Factor Authentication (MFA) should be used to augment credential security.
AI Justification
The mention of Multi-Factor Authentication (MFA) aligns with the need for managing authenticators to enhance security.
Document Content
Matched Section
Section: Section 7: Password Management and Authentication
Content: If an account or password is suspected to have been compromised or to be known by someone other than the credential owner, users should change that password immediately and inform Test’s Information Security Team. If the compromise was without the knowledge of the owner, the user should report the event to the Test IT Users should never use the 'Remember Password' feature in web browsers (e.g., Internet Explorer, Edge, Chrome, etc.) except in by Test approved password vault such as LastPass, CyberArk. Passwords should not be inserted into email messages, help desk tickets, change requests or any other form of electronic communication. If available, Multi-Factor Authentication (MFA) should be used to augment credential security. MFA requires two forms of identification for successful login: (cid:127) Something you know – the employee’s username and password. (cid:127) Something you have – a device or access token.
Content: If an account or password is suspected to have been compromised or to be known by someone other than the credential owner, users should change that password immediately and inform Test’s Information Security Team. If the compromise was without the knowledge of the owner, the user should report the event to the Test IT Users should never use the 'Remember Password' feature in web browsers (e.g., Internet Explorer, Edge, Chrome, etc.) except in by Test approved password vault such as LastPass, CyberArk. Passwords should not be inserted into email messages, help desk tickets, change requests or any other form of electronic communication. If available, Multi-Factor Authentication (MFA) should be used to augment credential security. MFA requires two forms of identification for successful login: (cid:127) Something you know – the employee’s username and password. (cid:127) Something you have – a device or access token.
AI Justification
The section discusses the importance of changing passwords when compromised and the use of Multi-Factor Authentication (MFA) to enhance security, which aligns with the need for adaptive authentication mechanisms.
Document Content
Matched Section
Section: Password Requirements and Multi-Factor Authentication
Content: Passwords should not be based on personal information, names of family, pets, etc. NOTE/EXCEPTION: There may be instances where third party or legacy systems are unable to adhere to certain password requirements. In such cases, an exception should be received from the Test CISO. Users should be aware that Test systems will lockout users after the threshold for invalid access attempts has been reached. The general threshold is set to five failed attempts but may be set lower depending on specific system requirements. Multi-Factor Authentication (MFA) is required to access the Test network, any internet facing applications and certain sensitive and business critical Test systems.
AI Justification
The chunk discusses password requirements and multi-factor authentication, which are essential for the identification and authentication of users, including non-organizational users.
Document Content
Matched Section
Section: Section 7 - Password Management and Multi-Factor Authentication
Content: If an account or password is suspected to have been compromised or to be known by someone other than the credential owner, users should change that password immediately and inform Test’s Information Security Team. If the compromise was without the knowledge of the owner, the user should report the event to the Test IT Users should never use the 'Remember Password' feature in web browsers (e.g., Internet Explorer, Edge, Chrome, etc.) except in a Test approved password vault such as LastPass, CyberArk. Passwords should not be inserted into email messages, help desk tickets, change requests or any other form of electronic communication. If available, Multi-Factor Authentication (MFA) should be used to augment credential security. MFA requires two forms of identification for successful login: • Something you know – the employee’s username and password. • Something you have – a device or access token.
AI Justification
The chunk discusses the importance of changing compromised passwords, the use of Multi-Factor Authentication (MFA), and the management of passwords, which aligns with the requirements for authenticator management.
Document Content
Matched Section
Section: Section 7, Sub-section j, k, l
Content: If an account or password is suspected to have been compromised or to be known by someone other than the credential owner, users should change that password immediately and inform Test’s Information Security Team. If the compromise was without the knowledge of the owner, the user should report the event to the Test IT Users should never use the 'Remember Password' feature in web browsers (e.g., Internet Explorer, Edge, Chrome, etc.) except in a Test approved password vault such as LastPass, CyberArk. Passwords should not be inserted into email messages, help desk tickets, change requests or any other form of electronic communication. If available, Multi-Factor Authentication (MFA) should be used to augment credential security. MFA requires two forms of identification for successful login: • Something you know – the employee’s username and password. • Something you have – a device or access token.
AI Justification
The chunk discusses the importance of changing compromised passwords and the use of Multi-Factor Authentication (MFA), which aligns with the need for authentication mechanisms to ensure that only authorized users can access systems.
Document Content
Matched Section
Section: Incident Response Policy and Procedures
Content: Control: IR-1: Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
AI Justification
The text discusses the importance of incident response policies and procedures, including the need for collaboration between security and privacy programs, which aligns with the control's focus on establishing such policies.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of maintenance policies and procedures in relation to security and privacy assurance, which aligns with control MA-1.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied.
AI Justification
The text discusses the importance of media protection policies and procedures, including the approval process for exceptions, which aligns with the control's focus on establishing and maintaining such policies.
Document Content
Matched Section
Section: 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use
Content: The following activities are acceptable to be performed using Test IT resources and information systems, to include removable media.
AI Justification
The section discusses acceptable use of removable media, which aligns with the control's focus on managing access to both digital and non-digital media.
Document Content
Matched Section
Section: 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use
Content: The following activities are acceptable to be performed using Test IT resources and information systems, to include removable media.
AI Justification
The section discusses acceptable use of removable media, including encrypted removable media, which aligns with the control's focus on protecting media during transport.
Document Content
Matched Section
Section: 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use
Content: The following activities are acceptable to be performed using Test IT resources and information systems, to include removable media.
AI Justification
The section discusses acceptable use of removable media and the conditions under which they can be used, which aligns with the control's focus on managing and protecting system media.
Document Content
Matched Section
Section: 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use
Content: The following activities are acceptable to be performed using Test IT resources and information systems, to include removable media.
AI Justification
The section discusses acceptable use of removable media, which aligns with the control's focus on restricting and managing the use of system media.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having a physical and environmental protection policy and procedures, including the process for exceptions to the policy.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee: 1. Policy statement requiring the exception. 2. Exception duration. Provide detailed information.
AI Justification
The chunk discusses the need for exceptions to the policy and outlines the process for requesting such exceptions, which aligns with the planning and procedural aspects of control PL-1.
Document Content
Matched Section
Section: Monitoring of User’s device.
Content: User agrees that designated staff can monitor his/her device and review any data as long as the data is stored or processed by a Test managed application.
AI Justification
The monitoring of the user's device and the requirement for users to install specific software aligns with the need for remote access controls to ensure security and compliance.
Document Content
Matched Section
Section: Monitoring of User’s device.
Content: Monitoring can be conducted live or through automated programs that detect and flag unsafe practices.
AI Justification
The monitoring and review of data on the user's device supports the need for audit capabilities to track and analyze user activities.
Document Content
Matched Section
Section: Installation of Software on User’s device.
Content: User agrees to install required software on his/her device, including but not limited to, antivirus/antimalware, operating system upgrades, and software that accesses and collects data stored in a Test managed application.
AI Justification
The requirement for users to install specific software and not interfere with it aligns with the need for configuration management controls.
Document Content
Matched Section
Section: 1.0 PURPOSE
Content: As part of its business mission, Test procures, configures, and maintains computers, information systems, and networks. These technology resources are intended for business-related purposes, including direct and indirect support of the business units, partners, and subsidiaries.
AI Justification
The text discusses the purpose of technology resources in supporting business-related purposes and the importance of understanding usage restrictions to strengthen security, aligning with the control's focus on mission support.
Document Content
Matched Section
Section: 1.6 ENFORCEMENT/COMPLIANCE
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment. Violation of these policies by anyone other than an employee performing services for Test, including anyone performing services pursuant to a contract, may be grounds for immediate termination. Test may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification
The text discusses disciplinary actions for policy violations, which aligns with the concept of organizational sanctions as described in PS-8.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures related to personally identifiable information, including how exceptions to these policies should be handled.
Document Content
Matched Section
Section: Classification of Information
Content: Classification of Information
AI Justification
The text discusses the process of security categorization, its importance in understanding potential adverse impacts, and the involvement of various organizational roles, which aligns directly with the RA-2 control.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied.
AI Justification
The text discusses the importance of risk assessment policies and procedures, including the process for handling exceptions to these policies.
Document Content
Matched Section
Section: Risk Assessment | Security Categorization
Content: Control: RA-5: Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked.
AI Justification
The text discusses the importance of vulnerability monitoring, including the categorization of information and systems, and the processes involved in identifying and addressing vulnerabilities.
Document Content
Matched Section
Section: Risk Assessment | Security Categorization
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text outlines the processes for vulnerability monitoring and assessment, including the use of various tools and methodologies.
Document Content
Matched Section
Section: Risk Assessment | Security Categorization
Content: Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components.
AI Justification
The text emphasizes the need for continuous monitoring and assessment of vulnerabilities, which aligns with the principles of risk assessment.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets.
AI Justification
The text discusses the importance of policies and procedures related to system and services acquisition, including the need for approval for exceptions and the role of InfoSec in this process.
Document Content
Matched Section
Section: Criticality Analysis
Content: Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design.
AI Justification
The text discusses the importance of criticality analysis in identifying and prioritizing system components and functions that require protection, aligning directly with the intent of RA-9.
Document Content
Matched Section
Section: Security Categorization
Content: Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.
AI Justification
The text mentions that criticality analysis can influence the protection measures required by development contractors and is part of security categorization, which aligns with RA-2.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the derivation of security and privacy requirements and the flexibility in implementing controls based on risk, which aligns with the essence of SA-4.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for system and communications protection, including the approval process for exceptions to these policies.
Document Content
Matched Section
Section: Usage Restrictions and Compliance
Content: Individual managers reserve the right to place additional restrictions on personal use. These allowances are not exhaustive and could also be accomplished from personal devices allowed to be used on the Test enterprise network.
AI Justification
The text discusses restrictions on personal use and compliance with acceptable usage policies, which aligns with the control's focus on usage restrictions for system components.
Document Content
Matched Section
Section: Monitoring of User’s device and Installation of Software on User’s device
Content: 1. User agrees that designated staff can monitor his/her device and review any data as long as the data is stored or processed by a Test managed application. 2. Monitoring can be conducted live or through automated programs that detect and flag unsafe practices. 3. User may be asked and required to hand over his/her Test managed device as part of an internal investigation. 1. User agrees to install required software on his/her device, including but not limited to, antivirus/antimalware, operating system upgrades, and software that accesses and collects data stored in a Test managed application. 2. User agrees not to remove, disable, or in any way interfere with Test installed software.
AI Justification
The monitoring of the user's device and the installation of software aligns with the control's focus on the capabilities of mobile devices and the potential risks associated with their sensors.
Document Content
Matched Section
Section: System & Communications Protection | Resource Availability
Content: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.
AI Justification
The text discusses managed interfaces and boundary protection measures, which aligns with the SC-7 control regarding the management of interfaces and the protection of organizational networks.
Document Content
Matched Section
Section: Information management and retention requirements cover the full life cycle of information
Content: Control: SI-12: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information.
AI Justification
The text discusses the importance of managing and retaining information throughout its life cycle, which aligns with the requirements of SI-12.
Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied.
AI Justification
The text discusses the importance of having policies and procedures for system and information integrity, including the process for handling exceptions to these policies.
Document Content
Matched Section
Section: IV. Maintaining Security while using Organizationally Owned & Managed Information Systems & Assets
Content: To maintain security, users SHOULD: a. Ensure they do not turn off the antivirus software or take any other action to inhibit automatic updates. b. Promptly report any indication that automatic updates are not working properly to the Help desk.
AI Justification
The chunk discusses the importance of maintaining security through updates and reporting issues related to automatic updates, which aligns with the need to remediate system flaws.
Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Test systems, all users should be presented a system use notification message upon login. Where such messages are not able to be presented to the user, Test should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The text discusses the importance of monitoring system activities to maintain security and ensure legitimate usage, which aligns with the objectives of system monitoring as outlined in control SI-4.
Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: For Windows network authentication, the system use notification banner should describe privacy expectations, monitoring activities, and any applicable laws, regulations, and company policy compliance requirements.
AI Justification
The mention of monitoring activities in the context of system use notifications and ensuring compliance with laws and policies aligns with the need for monitoring remote access activities.
Document Content
Matched Section
Section: Malicious code protection mechanisms include both signature- and nonsignature-based technologies.
Content: Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective.
AI Justification
The text discusses various methods and technologies to protect against malicious code, including detection mechanisms and secure coding practices.
Document Content
Matched Section
Section: Organizations may determine that, in response to the detection of malicious code, different actions may be warranted.
Content: In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended.
AI Justification
The text mentions monitoring practices to ensure that software does not perform unintended functions, which aligns with the need for monitoring systems for malicious activities.
Document Content
Matched Section
Section: Installation of Software on User’s device.
Content: User agrees to install required software on his/her device, including but not limited to, antivirus/antimalware, operating system upgrades, and software that accesses and collects data stored in a Test managed application.
AI Justification
The chunk discusses monitoring of user devices and the installation of required software, which relates to ensuring the integrity of software and preventing unauthorized changes.
Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: a. When accessing Test systems, all users should be presented a system use notification message upon login. Where such messages are not able to be presented to the user, Test should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The section discusses system use notifications and monitoring activities to ensure security and compliance, which aligns with the transitional states and notifications described in SI-6.
Document Content
Matched Section
Section: Section 6 - Unacceptable Uses of Test’s Systems
Content: 4. Posting Test information on public Internet sites such as system configurations, details of products or vendors utilized by Test, personally identifiable information (PII) 5. Opening commercial email attachments on any email systems (e.g., Yahoo, Hotmail, Gmail, etc.) other than Test’s email system. 6. Unauthorized downloading of software and/or files from Internet. 7. The installation and use of peer-to-peer file sharing applications such as BitTorrent on Test systems. 8. Using Test’s Internet to deliberately propagate any virus, worm, or any other code with malicious intent such as spyware, hacking tools, and Trojans. 9. Using high bandwidth streaming media applications such as Google Music, YouTube Music, Netflix, Hulu, or internet radio, etc. unless required for a valid business purpose.
AI Justification
The chunk discusses various unacceptable uses of Test's systems, including the handling of email attachments and unauthorized downloads, which relate to the control's focus on protecting against spam and malicious code.
Document Content
Matched Section
Section: V. Bring Your Own Device
Content: Mandatory security controls and safeguards have been identified by Test for managing security for personally owned devices registered, provisioned, and authorized to connect to Test’s network. By participating in Test’s BYOD program, the User agrees to the following: a. Wiping or removal of data of User’s device. 1. User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Test managed application.
AI Justification
The chunk discusses the wiping or removal of data from personal devices, which aligns with the control's focus on data disposal at any time during the system development life cycle.
anonymized_2.0_IS_Acceptable_Use_Policy.pdf NIST
60 matches found
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for access control policies and procedures, including the approval process for exceptions, which aligns with the requirements of AC-1.
Document Content
Matched Section
Section: 1.10 REMOTE ACCESS TO Test’s SYSTEMS
Content: Please refer to Test’s Global IT Policies and Standards for policy requirements regarding remote access to Test’s systems.
AI Justification
The chunk discusses remote access to Test's systems and refers to policies regarding remote access, which aligns with the definition and requirements outlined in AC-17.
Document Content
Matched Section
Section: 1.10 REMOTE ACCESS TO Test’s SYSTEMS
Content: Please refer to Test’s Global IT Policies and Standards for policy requirements regarding remote access to Test’s systems.
AI Justification
The mention of access restrictions for remote access aligns with AC-3, which addresses enforcing access restrictions.
Document Content
Matched Section
Section: 1.14 BRING YOUR OWN DEVICE (BYOD)
Content: a) Personal devices used for work are permitted with prior approval and fall under the same safeguards and controls as Test-owned equipment to ensure that Test networks and data remain safe and protected.
AI Justification
The text discusses the use of personal devices for work and the associated security responsibilities, which aligns with the definition and requirements of mobile devices as outlined in AC-19.
Document Content
Matched Section
Section: Information Sharing and Security Classification Policy
Content: proprietary information, trade secrets or any other sensitive material covered by Data Security classification policy. This includes but is not limited to blogging and social media usage.
AI Justification
The chunk discusses proprietary information and sensitive material, which aligns with the control's focus on information that may be restricted and the need for formal determinations regarding sharing.
Document Content
Matched Section
Section: proprietary information, trade secrets or any other sensitive material covered by Data Security classification policy
Content: This includes but is not limited to blogging and social media usage.
AI Justification
The chunk discusses the handling of proprietary information and sensitive material, which aligns with the control's focus on restricting access to nonpublic information.
Document Content
Matched Section
Section: Account Management Requirements
Content: The following requirements should be followed: a) All Users should use only those IDs that have been assigned for their use. b) Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). c) A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Test’s Systems. Disclosing passwords is a serious security violation. d) Approved privileged access accounts that access other employee user’s accounts for auditing, configuration or monitoring purposes should be created in accordance with all other IT and IS policies.
AI Justification
The text discusses the management of user accounts, including the responsibilities of users regarding their accounts and the prohibition of shared accounts, which aligns with the requirements of AC-2.
Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Test should define, document, implement, and maintain policies to control the access to and use of their information resources. All electronic communications and stored information transmitted, received, or archived in Test’s information systems are the property of Test.
AI Justification
The text discusses the enforcement of access control policies and the mechanisms in place to ensure that access is controlled based on the identity of subjects, which aligns with the requirements of AC-25.
Document Content
Matched Section
Section: 1.2 GENERAL USER RESPONSIBILITIES
Content: All Systems and information contained on those systems are the property of Test and constitute valuable business assets of Test. Test provides users with access to these Systems for appropriate business-related use.
AI Justification
The section outlines user responsibilities and the conditions under which access to systems is granted, which aligns with the concept of access control policies that govern user access to organizational systems.
Document Content
Matched Section
Section: Account Management and User Responsibilities
Content: account is strictly prohibited with the exception of certain approved privileged access accounts. The following requirements should be followed: a) All Users should use only those IDs that have been assigned for their use. b) Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). c) A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Test’s Systems. Disclosing passwords is a serious security violation. d) Approved privileged access accounts that access other employee user’s accounts for auditing, configuration or monitoring purposes should be created in accordance with all other IT and IS policies.
AI Justification
The text discusses the responsibilities of users regarding their accounts and the prohibition of sharing accounts, which aligns with the principle of separation of duties to prevent abuse of privileges.
Document Content
Matched Section
Section: Data Security classification policy
Content: proprietary information, trade secrets or any other sensitive material covered by Data Security classification policy. This includes but is not limited to blogging and social media usage.
AI Justification
The chunk discusses sensitive material and mentions social media usage, which aligns with the control's focus on unauthorized disclosure and data leakage.
Document Content
Matched Section
Section: Role Responsibility Information Technology Department
Content: Is responsible for periodically auditing the information systems for compliance to Acceptable use policy.
AI Justification
The text discusses the responsibilities related to auditing information systems for compliance and handling security incidents, which aligns with the requirements of audit and accountability policies.
Document Content
Matched Section
Section: b) Retrieve and share information with the authorities in response to a request received from the authority. c) Monitor Internet usage.
Content: c) Monitor Internet usage. i. No employee should have any expectation of privacy regarding his or her Internet usage.
AI Justification
The chunk discusses monitoring Internet usage and the lack of privacy expectation for employees, which aligns with the session auditing practices outlined in AU-14.
Document Content
Matched Section
Section: Role Responsibility Information Technology Department
Content: Is responsible for periodically auditing the information systems for compliance to Acceptable use policy.
AI Justification
The responsibilities outlined for the Information Technology Department and the CISO include auditing information systems and handling security incidents, which aligns with the requirements for audit record review and reporting.
Document Content
Matched Section
Section: Role Responsibility Information Technology Department
Content: Is responsible for periodically auditing the information systems for compliance to Acceptable use policy.
AI Justification
The responsibilities outlined in the chunk indicate a focus on auditing information systems for compliance, which aligns with the requirements for audit information and protection as described in AU-9.
Document Content
Matched Section
Section: Scope
Content: Test should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The chunk discusses the need to define, document, implement, and maintain policies for controlling access to and use of information resources, which aligns with understanding where information is processed and stored.
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied.
AI Justification
The text discusses the need for configuration management policies and procedures, including how exceptions to these policies should be handled, which aligns with the control's focus on establishing and maintaining such policies.
Document Content
Matched Section
Section: 1.10 REMOTE ACCESS TO Test’s SYSTEMS and 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Test’s computer systems, networks or applications using another employee’s user
AI Justification
The text discusses the identification and authentication requirements for users accessing organizational systems, which aligns with IA-2's focus on unique identification and authentication of users.
Document Content
Matched Section
Section: Account Management and Password Protection
Content: All Users should use only those IDs that have been assigned for their use. Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Test’s Systems. Disclosing passwords is a serious security violation.
AI Justification
The text discusses the management and protection of user passwords and the responsibilities of users regarding their accounts, which aligns with the requirements for authenticators.
Document Content
Matched Section
Section: User Responsibilities and Password Protection
Content: a) All Users should use only those IDs that have been assigned for their use. b) Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). c) A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Test’s Systems. Disclosing passwords is a serious security violation.
AI Justification
The chunk discusses the identification and authentication of users, emphasizing the responsibility of users for their accounts and the protection of passwords, which aligns with the requirements for non-organizational users.
Document Content
Matched Section
Section: Detailed explanation of why the exception is necessary.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures. The procedures described in the beginning of this section should be completed within 5 business days of the approval of the emergency exception. If the CISO or his/her designee determines that emergency exceptions are being used inappropriately, they can revoke this privilege.
AI Justification
The text discusses the importance of incident response policies and procedures, including the need for collaboration between security and privacy programs, which aligns with the control's focus on establishing such policies.
Document Content
Matched Section
Section: Role Responsibility Information Technology Department
Content: • Is responsible for handling security incidents reported by employees
AI Justification
The responsibilities outlined for the CISO and IT Department align with the need for incident response capabilities and handling security incidents as described in control IR-4.
Document Content
Matched Section
Section: Role Responsibility Information Technology Department
Content: • Should report any suspicious communication or notice of any computer virus to the Help Desk.
AI Justification
The mention of reporting suspicious communications aligns with the need for incident-related information gathering as part of incident response.
Document Content
Matched Section
Section: Detailed explanation of why the exception is necessary and Detailed mitigation information, if available.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures. The procedures described in the beginning of this section should be completed within 5 business days of the approval of the emergency exception. If the CISO or his/her designee determines that emergency exceptions are being used inappropriately, they can revoke this privilege.
AI Justification
The text discusses the importance of maintenance policies and procedures, including their development and the need for collaboration between security and privacy programs.
Document Content
Matched Section
Section: 1.12 REMOVABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Test and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The chunk discusses the use of removable storage devices and the associated risks, which aligns with the control's focus on managing access to both digital and non-digital media.
Document Content
Matched Section
Section: 1.12 REMOVABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Test and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The chunk discusses the use of removable storage devices and the inherent risks associated with them, which aligns with the control's focus on managing and protecting system media.
Document Content
Matched Section
Section: 1.12 REMOVABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Test and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The section discusses the use of removable storage devices and the associated risks, aligning with the control's focus on restricting and managing the use of system media.
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having a physical and environmental protection policy and procedures, including the process for exceptions to these policies, which aligns with the control's focus on policy and procedures.
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied.
AI Justification
The chunk discusses the process of approving exceptions to the policy, which aligns with the planning and procedural aspects of control PL-1.
Document Content
Matched Section
Section: Rules of behavior for organizational users
Content: These rules are in place to protect the employee and Test. Inappropriate use exposes Test and the employee to risks including virus attacks, compromise of network systems and services, and legal issues. It is the responsibility of every employee to know these guidelines, and to conduct their activities accordingly.
AI Justification
The text discusses the importance of rules of behavior for employees to protect both the organization and the employees themselves from various risks.
Document Content
Matched Section
Section: 1.2 GENERAL USER RESPONSIBILITIES
Content: All Systems and information contained on those systems are the property of Test and constitute valuable business assets of Test. Test provides users with access to these Systems for appropriate business-related use. Upon use of Test’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Test and its business, or the employment relationship between Test and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Test accessing, reviewing, monitoring, and/or restricting all such use. e. Test reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Test reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
AI Justification
The chunk discusses user responsibilities regarding the use of systems, including monitoring and access rights, which aligns with the need for oversight in security and privacy testing and training.
Document Content
Matched Section
Section: Role Responsibility Information Technology Department
Content: CISO or his/her designee • Is responsible for resolving user queries on this policy • Is responsible for handling security incidents reported by employees
AI Justification
The text mentions responsibilities that align with the role of a senior information security officer, including handling security incidents and ensuring compliance with policies.
Document Content
Matched Section
Section: Role Responsibility Information Technology Department and CISO or his/her designee
Content: • Is responsible for periodically auditing the information systems for compliance with the Acceptable Use Policy. • Is responsible for resolving all Test user queries regarding use of information systems. CISO or his/her designee • Is responsible for resolving user queries on this policy • Is responsible for handling security incidents reported by employees • Is responsible for necessary approvals for genuine business need • Is responsible for approving any exceptions to this policy • Should be aware of and ensure compliance with the requirements of the Acceptable Use Policy. • Should report any suspicious communication or notice of any computer virus to the Help Desk.
AI Justification
The responsibilities outlined for the Information Technology Department and CISO align with the need for personnel security policies and procedures, particularly in auditing compliance and handling security incidents.
Document Content
Matched Section
Section: Role Responsibility Information Technology Department
Content: • Is responsible for periodically auditing the information systems for compliance with the Acceptable Use Policy. • Is responsible for resolving all Test user queries regarding use of information systems. CISO or his/her designee • Is responsible for resolving user queries on this policy • Is responsible for handling security incidents reported by employees • Is responsible for necessary approvals for genuine business need • Is responsible for approving any exceptions to this policy • Should be aware of and ensure compliance with the requirements of the Acceptable Use Policy. • Should report any suspicious communication or notice of any computer virus to the Help Desk.
AI Justification
The text outlines specific responsibilities related to security and compliance, indicating the roles and responsibilities associated with security policies.
Document Content
Matched Section
Section: 1.2 GENERAL USER RESPONSIBILITIES
Content: All Systems and information contained on those systems are the property of Test and constitute valuable business assets of Test. Test provides users with access to these Systems for appropriate business-related use. Upon use of Test’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Test and its business, or the employment relationship between Test and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Test accessing, reviewing, monitoring, and/or restricting all such use. e. Test reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Test reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
AI Justification
The text discusses user consent regarding the use of Test's systems and the monitoring of their activities, which aligns with the principles of consent as outlined in control PT-4.
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of risk assessment policies and procedures, including the need for approval for exceptions, which aligns with the control's focus on establishing risk management strategies.
Document Content
Matched Section
Section: Security categorization process as an organization-wide activity
Content: Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards.
AI Justification
The text discusses the security categorization process, its importance in understanding potential adverse impacts, and its role in organizational operations, which aligns directly with the RA-2 control.
Document Content
Matched Section
Section: Vulnerability Monitoring and Analysis
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring, including the categorization of information and systems, and the processes involved in identifying and addressing vulnerabilities.
Document Content
Matched Section
Section: Security Categorization
Content: Control: RA-5: Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans).
AI Justification
The text emphasizes the need for security categorization of information and systems, which guides the frequency and comprehensiveness of vulnerability monitoring.
Document Content
Matched Section
Section: Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets.
Content: Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.
AI Justification
The text discusses the importance of risk assessments considering various factors such as threats, vulnerabilities, and impacts, which aligns with the requirements of RA-3.
Document Content
Matched Section
Section: Organizations can conduct risk assessments at all three levels in the risk management hierarchy.
Content: Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle.
AI Justification
The mention of conducting risk assessments at various levels and stages in the system development life cycle aligns with the requirements of RA-2.
Document Content
Matched Section
Section: Risk assessment is an ongoing activity carried out throughout the system development life cycle.
Content: Risk assessment is an ongoing activity carried out throughout the system development life cycle.
AI Justification
The text emphasizes the ongoing nature of risk assessments and their role in control selection, which is relevant to RA-9.
Document Content
Matched Section
Section: Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded.
Content: Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design.
AI Justification
The text discusses the importance of criticality analysis in identifying and prioritizing system components and functions that require protection, which aligns directly with RA-9.
Document Content
Matched Section
Section: Such analysis is conducted as part of security categorization in RA-2.
Content: Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.
AI Justification
The text mentions that criticality analysis is conducted as part of security categorization, which aligns with RA-2.
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures related to system and services acquisition, including the need for exceptions to be approved and documented, which aligns with the control's focus on establishing such policies.
Document Content
Matched Section
Section: SA-20: Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk.
Content: Control: SA-20: Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.
AI Justification
The chunk directly references the control SA-20, which discusses the need for organizations to determine trust levels of system components and the potential for reimplementation or custom development.
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The chunk discusses the process of defining and implementing security requirements and exceptions, which aligns with the concept of deriving security and privacy functional requirements.
Document Content
Matched Section
Section: Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle.
Content: Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.
AI Justification
The text discusses the implementation of security and privacy engineering principles throughout the system development life cycle, which aligns directly with control SA-8.
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied.
AI Justification
The text discusses the importance of having a system and communications protection policy and procedures, including the process for handling exceptions to the policy.
Document Content
Matched Section
Section: proprietary information, trade secrets or any other sensitive material covered by Data Security classification policy
Content: proprietary information, trade secrets or any other sensitive material covered by Data Security classification policy. This includes but is not limited to blogging and social media usage.
AI Justification
The chunk discusses sensitive material and proprietary information, which relates to the security and privacy attributes that can be associated with such information.
Document Content
Matched Section
Section: 1.4 SECURITY & PROPRIETARY INFORMATION
Content: To ensure confidentiality, integrity and availability of Test copyright and proprietary information, the following requirements should be followed: a) All mobile and computing devices that connect to the internal network should comply with the Access Control Policy.
AI Justification
The chunk discusses the requirements for mobile and computing devices that connect to the internal network, which aligns with the control's focus on the management and restrictions of mobile code to prevent potential damage.
Document Content
Matched Section
Section: 1.12 REMOVABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Test and business partners' intellectual data. However, the benefits of these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The text discusses the risks associated with removable storage devices and emphasizes the need for permission from IT and Information Security departments, which aligns with the control's focus on managing connection ports and I/O devices to prevent data exfiltration and malicious code introduction.
Document Content
Matched Section
Section: Control: SC-8: Protecting the confidentiality and integrity of transmitted information
Content: Control: SC-8: Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques. Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.
AI Justification
The text discusses the protection of confidentiality and integrity of transmitted information, which aligns directly with control SC-8.
Document Content
Matched Section
Section: 1.5 ORGANIZATIONALLY OWNED & MANAGED INFO SYSTEMS & ASSETS
Content: a) Test-owned and managed assets are kept up to date with security patches and antivirus software.
AI Justification
The chunk discusses the importance of keeping systems updated with security patches and antivirus software, which aligns with the need to remediate system flaws as outlined in control SI-2.
Document Content
Matched Section
Section: Requirements for handling suspicious emails
Content: Users should not open email attachments which are suspect due to their subject, content, or address, regardless of whether the sender is well-known or not. Users should perform due diligence to attempt to find out if the message is trustworthy and was sent intentionally. Any suspicious email should be reported to the helpdesk. Any suspicion of phishing should be reported to the helpdesk as phishing, as detailed in the Security Awareness Guidelines.
AI Justification
The section discusses user responsibilities in handling potentially malicious emails and the reporting of suspicious activities, which aligns with the control's focus on protecting organizational information from cyber threats.
Document Content
Matched Section
Section: System monitoring includes external and internal monitoring.
Content: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions.
AI Justification
The text discusses the importance of system monitoring, including both external and internal monitoring, and the tools and techniques used for effective monitoring.
Document Content
Matched Section
Section: 1.4 SECURITY & PROPRIETARY INFORMATION
Content: Employees should use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
AI Justification
The chunk discusses the need for caution when dealing with email attachments from unknown senders, which aligns with the control's focus on spam protection mechanisms.
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for managing supply chain risks, which aligns with the control's focus on establishing such policies.
Document Content
Matched Section
Section: Supply Chain Risk Management Overview
Content: The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain.
AI Justification
The text discusses the risks associated with external providers and the importance of managing supply chain risks, which aligns directly with the SR-2 control.
Document Content
Matched Section
Section: Supply Chain Risk Management Plans
Content: Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes.
AI Justification
The text emphasizes the need for tailored SCRM plans and the development of trustworthy system components, which aligns with the SA-20 control regarding the acquisition and development of critical components.
anonymized_3.0_IS_Information_Security_Policy_2.pdf NIST
142 matches found
Document Content
Matched Section
Section: Access control policy and procedures
Content: Control: AC-1: Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of access control policies and procedures in relation to security and privacy assurance, aligning with the requirements of AC-1.
Document Content
Matched Section
Section: Access Control
Content: Access Control – Establishes controls to manage access to information assets and information processing facilities via defined business requirements.
AI Justification
The text discusses the identification of authorized system users, specification of access privileges, and the management of different types of accounts, which aligns with the requirements of AC-2.
Document Content
Matched Section
Section: Access Control
Content: Access Control – Establishes controls to manage access to information assets and information processing facilities via defined business requirements.
AI Justification
The chunk discusses the establishment of controls to manage access to information assets, which aligns with the concept of access control decisions and enforcement.
Document Content
Matched Section
Section: Access Control
Content: Access Control – Establishes controls to manage access to information assets and information processing facilities via defined business requirements.
AI Justification
The chunk discusses the establishment of controls to manage access to information assets, which aligns with the definition of access control policies.
Document Content
Matched Section
Section: Information Security Awareness, Education and Training
Content: Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties.
AI Justification
The text discusses the determination of training content based on roles and responsibilities, which aligns directly with the requirements of AT-3.
Document Content
Matched Section
Section: Information Security Awareness, Education and Training
Content: Information Security Awareness, Education and Training
AI Justification
The chunk discusses the importance of information security awareness and training, which aligns with the requirements for providing literacy training to system users.
Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Awareness & Training | Role-based Training
AI Justification
The mention of role-based training aligns with the need for tailored training based on specific organizational requirements and user roles.
Document Content
Matched Section
Section: Awareness and training policy and procedures
Content: Control: AT-1: Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of awareness and training policies and procedures in relation to security and privacy, aligning with the AT-1 control.
Document Content
Matched Section
Section: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The mention of establishing controls to ensure identification, evaluation, and management of risk aligns with the RA-1 control.
Document Content
Matched Section
Section: Definition of Confidentiality and Information Security
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
AI Justification
The chunk discusses the protection of data against unauthorized access and disclosure, which aligns with the control's focus on preventing data leakage.
Document Content
Matched Section
Section: Definition of Information Security
Content: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
AI Justification
The definition of Information Security aligns with governance principles by emphasizing the protection of information systems.
Document Content
Matched Section
Section: Risk Policy, Cloud Policy, End-user Device Security Policy, Internet Security & Usage Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives. Cloud Policy - Establishes controls that define the requirements for safeguards and controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information. End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Test network facilities. Internet Security & Usage Policy – Establishes controls that address acceptable Internet Usage Policies, and Internet Security Controls that should be implemented and followed in order to protect the confidentiality and integrity of information.
AI Justification
The text discusses the establishment of various policies and procedures related to risk management, security, and privacy, which aligns with the requirements of CA-1.
Document Content
Matched Section
Section: Configuration Management | Configuration Settings
Content: Configuration Management | Configuration Settings
AI Justification
The text discusses the importance of baseline configurations for systems, including their documentation, review, and the need to maintain them as organizational systems change.
Document Content
Matched Section
Section: Configuration Management | Configuration Management Plan
Content: Control: CM-1: Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of configuration management policies and procedures, their development, and their relationship with security and privacy programs.
Document Content
Matched Section
Section: Configuration Management | Least Functionality
Content: Configuration Management | Least Functionality
AI Justification
The mention of establishing procedures for security and privacy programs aligns with the concept of ensuring least functionality in configuration management.
Document Content
Matched Section
Section: Configuration Management | Configuration Management Plan
Content: Configuration Management | Configuration Management Plan
AI Justification
The text emphasizes the need for a configuration management plan as part of the overall security and privacy policies.
Document Content
Matched Section
Section: Configuration Management | Configuration Settings
Content: Configuration Management | Configuration Settings
AI Justification
The text discusses the importance of configuration settings that affect the security and privacy posture of systems, aligning directly with the definition of CM-6.
Document Content
Matched Section
Section: Configuration Management | Least Functionality
Content: Configuration Management | Least Functionality
AI Justification
The mention of common secure configurations and the need to implement them aligns with the principle of least functionality, which is part of CM-7.
Document Content
Matched Section
Section: Configuration Management | Least Functionality
Content: Configuration Management | Least Functionality
AI Justification
The text discusses limiting component functionality and removing unnecessary services, which aligns directly with the intent of CM-7.
Document Content
Matched Section
Section: Asset Management – Establishes controls for asset identification, inventory, ownership and handling.
Content: Asset Management – Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets.
AI Justification
The text discusses the importance of maintaining an inventory of system components, which aligns with the requirements of CM-8 for effective accountability and management of IT assets.
Document Content
Matched Section
Section: Configuration Management | Configuration Settings
Content: Configuration Management | Configuration Settings
AI Justification
The chunk discusses various aspects of configuration management, including systematic proposal, justification, implementation, and review of system changes, which aligns with the requirements of CM-3.
Document Content
Matched Section
Section: Configuration Management | Least Functionality
Content: Configuration Management | Least Functionality
AI Justification
The mention of configuration management implies a focus on ensuring systems are configured to provide only essential capabilities, which aligns with CM-7.
Document Content
Matched Section
Section: Configuration Management | Configuration Management Plan
Content: Configuration Management | Configuration Management Plan
AI Justification
The reference to a configuration management plan aligns with CM-9, which emphasizes the need for a structured approach to configuration management.
Document Content
Matched Section
Section: System & Services Acquisition | Developer Configuration Management
Content: System & Services Acquisition | Developer Configuration Management
AI Justification
The mention of including representatives from development organizations on Configuration Control Boards aligns with SA-10, which focuses on developer involvement in configuration management.
Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The chunk discusses the importance of ensuring continuous business operations and availability of information, which aligns with the concept of using alternative security mechanisms to support business continuity.
Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The text discusses the importance of contingency planning for systems, which aligns with the control's focus on ensuring continuity of operations and system restoration.
Document Content
Matched Section
Section: Configuration Management | Configuration Management Plan
Content: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.
AI Justification
The text discusses configuration management activities throughout the system development life cycle, including the creation and implementation of configuration management plans.
Document Content
Matched Section
Section: Configuration Management | Least Functionality
Content: Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed.
AI Justification
The text implies the need for controlling configuration items and ensuring that only necessary components are included in the configuration management process.
Document Content
Matched Section
Section: System & Services Acquisition | Developer Configuration Management
Content: Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems.
AI Justification
The text mentions the role of developers in the configuration management process, particularly in the context of change management and approval processes.
Document Content
Matched Section
Section: Contingency planning policy and procedures
Content: Control: CP-1: Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures.
AI Justification
The text discusses the importance of contingency planning policies and procedures, which aligns directly with CP-1.
Document Content
Matched Section
Section: Contingency planning policy and procedures
Content: Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure.
AI Justification
The mention of procedures for security and privacy programs and the need for updates based on various events aligns with the need for a contingency plan.
Document Content
Matched Section
Section: Contingency planning policy and procedures
Content: Simply restating controls does not constitute an organizational policy or procedure.
AI Justification
The text implies the need for training related to the implementation of policies and procedures, which aligns with CP-3.
Document Content
Matched Section
Section: Identification and authentication policy and procedures
Content: Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of identification and authentication policies and procedures, which aligns directly with control IA-1.
Document Content
Matched Section
Section: Network and Firewall Security Policy
Content: Network and Firewall Security Policy - Establishes the security-related controls and standards necessary to ensure the effective implementation and monitoring of network security, and to protect critical Company information that is transmitted via various Test networks, including public, internal, and trusted external networks.
AI Justification
The mention of security-related controls and standards necessary for network security aligns with the Access Control Policy.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The text discusses the importance of incident response policies and procedures, their development, and the need for collaboration between security and privacy programs, which aligns directly with control IR-1.
Document Content
Matched Section
Section: Evaluation of Policies
Content: The policies' effectiveness, demonstrated by the nature, number and impact of recorded security incidents.
AI Justification
The chunk discusses the evaluation of policies and their effectiveness in relation to recorded security incidents, which aligns with the testing of incident response capabilities.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The text discusses the importance of incident response capabilities and how they are integrated into organizational systems and processes.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The chunk discusses the establishment of controls for managing information security incidents, which aligns with the requirements for documenting incidents as outlined in IR-5.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The section discusses the management of information security incidents, which includes reporting and communication aspects, aligning with the requirements of incident reporting outlined in IR-6.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The chunk discusses the establishment of controls for managing information security incidents, which aligns with the need for a coordinated approach to incident response as described in control IR-8.
Document Content
Matched Section
Section: Incident response training is associated with the assigned roles and responsibilities of organizational personnel.
Content: Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training.
AI Justification
The text discusses the importance of incident response training tailored to the roles and responsibilities of personnel, which aligns directly with the intent of control IR-2.
Document Content
Matched Section
Section: Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing.
Content: Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
AI Justification
The mention of incident response plan testing as a factor that may update training content aligns with the testing aspect of control IR-3.
Document Content
Matched Section
Section: Incident response training includes user training in identifying and reporting suspicious activities.
Content: Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources.
AI Justification
The text refers to the need for training related to incident response plans, which is the focus of control IR-8.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the importance of maintenance policies and procedures in relation to security and privacy assurance, which aligns with the MA-1 control.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the roles and access requirements of maintenance personnel, which aligns with the control's focus on maintenance activities and access authorizations.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The mention of physical access for maintenance personnel aligns with the control's focus on authorizing physical access to systems.
Document Content
Matched Section
Section: Physical and Environmental Security
Content: Establishes controls to prevent unauthorized physical access, damage and interference to the organization’s information assets and information processing facilities.
AI Justification
The chunk discusses asset management and access control, which are relevant to the physical and procedural controls for media protection.
Document Content
Matched Section
Section: Asset Management and Cryptography
Content: Asset Management – Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets. (g) Cryptography – Establishes controls for proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
AI Justification
The text discusses the importance of protecting both digital and non-digital media during transport, including the use of cryptography and maintaining accountability.
Document Content
Matched Section
Section: Physical and Environmental Security
Content: Physical and Environmental Security – Establishes controls to prevent unauthorized physical access, damage and interference to the organization’s information assets and information processing facilities.
AI Justification
The section discusses controls to prevent unauthorized physical access, which aligns with the need to enforce authorizations for entry and exit of system components.
Document Content
Matched Section
Section: Media protection policy and procedures
Content: Control: MP-1: Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of media protection policies and procedures, aligning with the control's focus on establishing such policies within organizations.
Document Content
Matched Section
Section: Risk Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The mention of risk policy and the establishment of controls to manage risk aligns with the need for a risk assessment policy.
Document Content
Matched Section
Section: Cloud Policy
Content: Cloud Policy - Establishes controls that define the requirements for safeguards and controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
AI Justification
The policies mentioned for safeguarding confidential and restricted information align with access control measures.
Document Content
Matched Section
Section: End-user Device Security Policy
Content: End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Test network facilities.
AI Justification
The end-user device security policy aligns with account management and access control for devices used by employees and vendors.
Document Content
Matched Section
Section: Internet Security & Usage Policy
Content: Internet Security & Usage Policy – Establishes controls that address acceptable Internet Usage Policies, and Internet Security Controls that should be implemented and followed in order to protect the confidentiality and integrity of information.
AI Justification
The Internet Security & Usage Policy addresses security controls that protect the confidentiality and integrity of information, which relates to the protection of information at rest.
Document Content
Matched Section
Section: Physical and Environmental Security
Content: Establishes controls to prevent unauthorized physical access, damage and interference to the organization’s information assets and information processing facilities.
AI Justification
The chunk discusses controls related to physical and environmental security, which aligns with the need for physical access authorizations.
Document Content
Matched Section
Section: Physical and Environmental Security
Content: Establishes controls to prevent unauthorized physical access, damage and interference to the organization’s information assets and information processing facilities.
AI Justification
The chunk discusses the establishment of controls to prevent unauthorized physical access, which aligns with the requirements of PE-3.
Document Content
Matched Section
Section: Physical and environmental protection policy and procedures
Content: Control: PE-1: Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the establishment of policies and procedures related to physical and environmental protection, which aligns with the requirements of control PE-1.
Document Content
Matched Section
Section: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The mention of a Risk Policy that establishes controls for identification, evaluation, and management of risk aligns with the objectives of control RA-1.
Document Content
Matched Section
Section: Cloud Policy - Establishes controls that define the requirements for safeguards and controls
Content: Cloud Policy - Establishes controls that define the requirements for safeguards and controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
AI Justification
The Cloud Policy and End-user Device Security Policy establish controls for safeguarding information, which aligns with access control principles.
Document Content
Matched Section
Section: End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls
Content: End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Test network facilities.
AI Justification
The End-user Device Security Policy establishes controls for devices accessing information, which is relevant to access control.
Document Content
Matched Section
Section: Internet Security & Usage Policy – Establishes controls that address acceptable Internet Usage Policies
Content: Internet Security & Usage Policy – Establishes controls that address acceptable Internet Usage Policies, and Internet Security Controls that should be implemented and followed in order to protect the confidentiality and integrity of information.
AI Justification
The Internet Security & Usage Policy addresses security controls for internet usage, which aligns with system and communications protection.
Document Content
Matched Section
Section: Risk Policy, Cloud Policy, End-user Device Security Policy, Internet Security & Usage Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives. Cloud Policy - Establishes controls that define the requirements for safeguards and controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information. End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Test network facilities. Internet Security & Usage Policy – Establishes controls that address acceptable Internet Usage Policies, and Internet Security Controls that should be implemented and followed in order to protect the confidentiality and integrity of information.
AI Justification
The chunk discusses various policies related to information security, which aligns with the need for planning policies and procedures as outlined in control PL-1.
Document Content
Matched Section
Section: Control: PL-11
Content: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success.
AI Justification
The text discusses the concept of tailoring controls to meet specific organizational needs, which aligns with the control's focus on customizing baseline controls.
Document Content
Matched Section
Section: VII. Test adopts the NIST CSF and ISO 27001 standards as the foundation for the policies and following minimum policies shall be maintained to instill the baseline controls.
Content: Acceptable Use – Establishes the acceptable use of information processing assets for all users.
AI Justification
The text discusses establishing acceptable use policies and information security policies, which relate to the rules of behavior for users.
Document Content
Matched Section
Section: VII. Test adopts the NIST CSF and ISO 27001 standards as the foundation for the policies and following minimum policies shall be maintained to instill the baseline controls.
Content: Acceptable Use – Establishes the acceptable use of information processing assets for all users.
AI Justification
The mention of acceptable use policies aligns with the need for rules governing user access and behavior.
Document Content
Matched Section
Section: Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest.
Content: Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline.
AI Justification
The text discusses predefined sets of controls, which aligns with the definition of control baselines as described in PL-10.
Document Content
Matched Section
Section: The selection of a control baseline is determined by the needs of stakeholders.
Content: The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
AI Justification
The mention of control baselines and their selection process relates to the policies and procedures necessary for effective configuration management.
Document Content
Matched Section
Section: Control: PM-11
Content: Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy).
AI Justification
The text discusses the importance of understanding protection needs related to confidentiality, integrity, and availability, which aligns with the control's focus on technology-independent capabilities to counter threats.
Document Content
Matched Section
Section: 1.10 CONTROL REFERENCES
Content: Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures.
AI Justification
The mention of documenting mission and business process definitions in accordance with organizational policies aligns with the need for established policies for information security.
Document Content
Matched Section
Section: Information Security Awareness, Education and Training
Content: Information Security Awareness, Education and Training
AI Justification
The chunk discusses the importance of role-based training programs and the development of security and privacy capabilities, which aligns directly with the objectives of PM-13.
Document Content
Matched Section
Section: Configuration Management | Configuration Settings
Content: Configuration Management | Configuration Settings
AI Justification
The text discusses central management of controls and processes, which aligns with the principles of configuration management.
Document Content
Matched Section
Section: Configuration Management | Least Functionality
Content: Configuration Management | Least Functionality
AI Justification
The mention of centrally managed controls relates to the configuration management process.
Document Content
Matched Section
Section: Assessment, Authorization, and Monitoring | Control Assessments
Content: Assessment, Authorization, and Monitoring | Control Assessments
AI Justification
The text references assessments in support of authorizations, which aligns with the control for security assessments.
Document Content
Matched Section
Section: Assessment, Authorization, and Monitoring | Continuous Monitoring
Content: Assessment, Authorization, and Monitoring | Continuous Monitoring
AI Justification
The text emphasizes the importance of continuous monitoring in the context of centrally managed controls.
Document Content
Matched Section
Section: Role Responsibility
Content: CISO • Is responsible for developing, maintaining, and socializing an annual set of cybersecurity goals for the organization. • Is responsible for providing guidance at a strategic level on the organization’s cybersecurity program. • Is responsible for oversight and review of all information security policies, standards and best practices to ensure the organization remains compliant with all applicable regulations and legislation.
AI Justification
The responsibilities outlined for the CISO and Global Risk Committee emphasize the importance of maintaining compliance with regulations and sharing information related to cybersecurity, which aligns with the need for ongoing contact with security and privacy groups.
Document Content
Matched Section
Section: Vendor Risk Management
Content: Vendor Risk Management – Establishes controls to maintain an agreed level of information security and service delivery.
AI Justification
The chunk discusses the establishment of controls related to vendor risk management, which aligns with the supply chain risk management strategy outlined in PM-30.
Document Content
Matched Section
Section: Role Responsibility
Content: CISO • Is responsible for developing, maintaining, and socializing an annual set of cybersecurity goals for the organization. • Is responsible for providing guidance at a strategic level on the organization’s cybersecurity program. • Is responsible for oversight and review of all information security policies, standards and best practices to ensure the organization remains compliant with all applicable regulations and legislation. • Is responsible for ensuring that the goals set forth in the cybersecurity program are in line with the business objectives of the organization. Global Risk Committee • Is responsible for developing, implementing, and maintaining processes to track cybersecurity related risk across the organization. • Is responsible for providing progress reports and metrics related to cybersecurity including but not limited to: • Vulnerabilities • Patching • Attack Surface
AI Justification
The CISO and Global Risk Committee are responsible for overseeing and guiding the organization's cybersecurity goals and risk management activities, aligning with the control's focus on leadership in risk management.
Document Content
Matched Section
Section: NIST CSF Subcategory Control Reference Control Name
Content: NIST CSF Subcategory Control Reference Control Name NIST SP 800-53 Rev 5 -1 -1 controls from all security control families
AI Justification
The chunk discusses the importance of maintaining an inventory of systems, which aligns with the guidance provided in PM-5 regarding system inventories.
Document Content
Matched Section
Section: NIST CSF Subcategory Control Reference Control Name
Content: NIST CSF Subcategory Control Reference Control Name NIST SP 800-53 Rev 5 -1 -1 controls from all security control families
AI Justification
The mention of system inventory in the context of organizational systems aligns with CM-8, which focuses on maintaining an inventory of system components.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The chunk discusses the integration of information security into the entire lifecycle of information systems, which aligns with the requirement for integrating security and privacy considerations into the enterprise architecture.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The mention of developing security architectures at the system level corresponds with the control's focus on ensuring that security and privacy architectures are consistent with organizational requirements.
Document Content
Matched Section
Section: Disciplinary Actions and Exceptions
Content: violation, non-adherence to this policy shall be viewed seriously and will be liable for disciplinary action that may include termination.
AI Justification
The text discusses disciplinary actions for policy violations, which aligns with the concept of organizational sanctions.
Document Content
Matched Section
Section: Information Security Roles & Responsibilities
Content: Information Security Roles & Responsibilities
AI Justification
The chunk discusses roles and responsibilities related to information security, which aligns with the specification of security and privacy roles in organizational position descriptions.
Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Awareness & Training | Role-based Training
AI Justification
The mention of role-based training indicates a focus on training requirements associated with specific roles, aligning with the intent of PS-9.
Document Content
Matched Section
Section: VII. Test adopts the NIST CSF and ISO 27001 standards as the foundation for the policies and following minimum policies shall be maintained to instill the baseline controls
Content: VII. Test adopts the NIST CSF and ISO 27001 standards as the foundation for the policies and following minimum policies shall be maintained to instill the baseline controls: (e) Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
AI Justification
The chunk discusses the establishment of policies related to information security, including the classification and handling of information assets, which aligns with the security categorization process outlined in RA-2.
Document Content
Matched Section
Section: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Content: (b) Identify high probability and business impacting threats, and vulnerabilities that exist within Test.
AI Justification
The section discusses identifying threats and vulnerabilities, which aligns with the requirements of conducting risk assessments as outlined in control RA-3.
Document Content
Matched Section
Section: Continuous Vulnerability Management
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring, including the categorization of information and systems, and the need for continuous monitoring and updates to vulnerability tools.
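The RA-5 discussion text above lists what vulnerability monitoring has to cover: patch levels, and functions, ports, protocols and services that should not be reachable by users or devices. The Python script below is an added illustration of that check, not code from the assessed policy documents or from the report tool. It runs a constructed scan export (one key=value line per discovered listener) against a constructed per-host service baseline and a minimum-version table and reports three kinds of finding: a listener on a host that is not in the inventory at all, a listener that is not in the host's approved baseline, and a banner whose version is below the minimum. All hosts, ports, banners and baseline values are assumed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample scan export (assumed format, assumed hosts and banners).
SCAN_OUTPUT = """\
host=10.0.0.5 port=22 proto=tcp service=ssh version=OpenSSH_8.9p1
host=10.0.0.5 port=80 proto=tcp service=http version=nginx/1.24.0
host=10.0.0.5 port=23 proto=tcp service=telnet version=
host=10.0.0.7 port=443 proto=tcp service=https version=nginx/1.18.0
host=10.0.0.7 port=3389 proto=tcp service=ms-wbt-server version=
host=10.0.0.9 port=161 proto=udp service=snmp version=v2c
"""

# Constructed baseline: the (proto, port) pairs each inventoried host may expose.
# 10.0.0.9 is deliberately absent, so anything it exposes is an unknown-host finding.
ALLOWED_SERVICES = {
    "10.0.0.5": {("tcp", 22), ("tcp", 80)},
    "10.0.0.7": {("tcp", 443)},
}

# Constructed minimum acceptable versions per product, used as the patch-level floor.
MIN_VERSIONS = {"nginx": (1, 24, 0), "OpenSSH": (8, 9)}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    category: str  # unknown-host | unauthorized-service | outdated-version
    detail: str


def parse_scan(text):
    """Parse key=value lines into dicts; the port is converted to int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["port"] = int(fields["port"])
        records.append(fields)
    return records


def parse_version(banner):
    """'nginx/1.24.0' -> ('nginx', (1, 24, 0)); 'OpenSSH_8.9p1' -> ('OpenSSH', (8, 9)).

    Returns None when no product name followed by a dotted number is present,
    so bare tokens such as 'v2c' or an empty banner are simply not version-checked.
    """
    m = re.match(r"([A-Za-z][A-Za-z-]*)[/_ ](\d+(?:\.\d+)*)", banner)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def check_scan(text, allowed=ALLOWED_SERVICES, min_versions=MIN_VERSIONS):
    """Compare a scan export with the baseline and return sorted findings."""
    findings = []
    for rec in parse_scan(text):
        host, port, proto, svc = rec["host"], rec["port"], rec["proto"], rec["service"]
        if host not in allowed:
            findings.append(Finding(host, port, "unknown-host",
                                    f"{svc} on {proto}/{port}: host is not in the inventory"))
            continue
        if (proto, port) not in allowed[host]:
            findings.append(Finding(host, port, "unauthorized-service",
                                    f"{svc} on {proto}/{port} is not in the approved baseline"))
            continue
        parsed = parse_version(rec.get("version", ""))
        if parsed is None:
            continue
        product, version = parsed
        floor = min_versions.get(product)
        if floor is not None and version < floor:
            findings.append(Finding(host, port, "outdated-version",
                                    f"{product} {'.'.join(map(str, version))} is below minimum "
                                    f"{'.'.join(map(str, floor))}"))
    return sorted(findings, key=lambda f: (f.host, f.port))


if __name__ == "__main__":
    for f in check_scan(SCAN_OUTPUT):
        print(f"{f.host}:{f.port} [{f.category}] {f.detail}")
```

The approved-listener baseline is the same artefact the CIS 1.2 "Address Unauthorized Assets" rows earlier in this report rely on: a host that the scan sees but the inventory does not know about is reported as a separate category from an inventoried host exposing an extra port, because the two are handled by different processes (asset onboarding or removal versus configuration change).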
Document Content
Matched Section
Section: Assessment, Authorization, and Monitoring | Continuous Monitoring
Content: Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components.
AI Justification
The text emphasizes the use of continuous vulnerability monitoring tools and the importance of ongoing analysis of components.
Document Content
Matched Section
Section: Assessment, Authorization, and Monitoring | Control Assessments
Content: Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan.
AI Justification
The text mentions control assessments, such as red team exercises, as a source of potential vulnerabilities.
Document Content
Matched Section
Section: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The text discusses the importance of risk assessment policies and procedures in managing risks related to information security, aligning with the RA-1 control.
Document Content
Matched Section
Section: Cloud Policy - Establishes controls that define the requirements for safeguards and controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
Content: Cloud Policy - Establishes controls that define the requirements for safeguards and controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
AI Justification
The mention of controls related to safeguarding information aligns with access control policies.
Document Content
Matched Section
Section: End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Test network facilities.
Content: End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Test network facilities.
AI Justification
The End-user Device Security Policy addresses controls for devices accessing information, which relates to remote access controls.
Document Content
Matched Section
Section: Internet Security & Usage Policy – Establishes controls that address acceptable Internet Usage Policies, and Internet Security Controls that should be implemented and followed in order to protect the confidentiality and integrity of information.
Content: Internet Security & Usage Policy – Establishes controls that address acceptable Internet Usage Policies, and Internet Security Controls that should be implemented and followed in order to protect the confidentiality and integrity of information.
AI Justification
The Internet Security & Usage Policy addresses controls for internet usage and security, aligning with system and communications protection.
Document Content
Matched Section
Section: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Content: The charter of the Information Security function is to: (a) Protect Test’s information assets from all threats, whether internal or external, deliberate or accidental. (b) Identify high probability and business impacting threats, and vulnerabilities that exist within Test.
AI Justification
The text discusses the importance of criticality analysis and the identification of critical system components and functions, which aligns with the principles of risk assessment and management.
Document Content
Matched Section
Section: Configuration Management | Configuration Settings
Content: Configuration Management | Configuration Settings
AI Justification
The chunk discusses configuration management and the integrity of changes to tools and processes, which aligns with the need for effective supply chain risk assessment and mitigation as described in SA-15.
Document Content
Matched Section
Section: Configuration Management | Least Functionality
Content: Configuration Management | Least Functionality
AI Justification
The mention of configuration management implies a focus on maintaining the least functionality principle, which is relevant to CM-7.
Document Content
Matched Section
Section: Configuration Management | Configuration Management Plan
Content: Configuration Management | Configuration Management Plan
AI Justification
The reference to configuration control throughout the system development life cycle aligns with the requirements of a configuration management plan.
Document Content
Matched Section
Section: System & Services Acquisition | Developer Configuration Management
Content: System & Services Acquisition | Developer Configuration Management
AI Justification
The focus on development processes and tools in the chunk aligns with the control regarding developer configuration management.
Document Content
Matched Section
Section: Configuration Management | Developer Configuration Management
Content: Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction.
AI Justification
The text discusses the importance of configuration management activities conducted by developers and the need for strict configuration control throughout the system development life cycle.
Document Content
Matched Section
Section: Configuration Management | Least Functionality
Content: Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
AI Justification
The text implies the need for maintaining the integrity of changes and preventing unauthorized changes, which aligns with the principle of least functionality.
Document Content
Matched Section
Section: Configuration Management | Configuration Management Plan
Content: The configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation.
AI Justification
The text outlines the various configuration items that are placed under configuration management, which aligns with the need for a configuration management plan.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the importance of policies and procedures for system and services acquisition, aligning directly with the control's focus on establishing such policies.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The mention of establishing controls for information security across the lifecycle suggests resource allocation for security measures.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The text mentions the need for effective management of information security incidents, which aligns with the incident response control.
Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The reference to ensuring continuous business operations and availability of information aligns with business continuity management controls.
Document Content
Matched Section
Section: Compliance
Content: Compliance – Establishes controls to ensure compliance with legal, statutory,
AI Justification
The overall emphasis on policies and procedures for security and privacy assurance aligns with security planning.
Document Content
Matched Section
Section: Vendor Risk Management
Content: Vendor Risk Management – Establishes controls to maintain an agreed level of information security and service delivery.
AI Justification
The chunk discusses the importance of establishing controls and managing risks associated with external service providers, which aligns with the requirements outlined in SA-9.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the importance of system documentation in understanding the implementation and operation of controls, which aligns with the objectives of SA-5.
Document Content
Matched Section
Section: Vendor Risk Management
Content: Vendor Risk Management – Establishes controls to maintain an agreed level of information security and service delivery.
AI Justification
The mention of vendor risk management and the need for documentation supports the control's focus on maintaining quality and completeness of content.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the integration of security and privacy considerations into the system development life cycle, which aligns directly with the principles outlined in control SA-3.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text mentions the importance of security engineering principles in the design, coding, and testing of systems, which aligns with control SA-8.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text refers to the integration of security and privacy architectures into the enterprise architecture consistent with the risk management strategy, aligning with control PM-9.
Document Content
Matched Section
Section: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2.
Content: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms.
AI Justification
The text discusses the derivation of security and privacy functional requirements from high-level requirements, which aligns with SA-4.
Document Content
Matched Section
Section: Documentation provides user and administrator guidance for the implementation and operation of controls.
Content: Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system.
AI Justification
The text mentions the need for documentation and policies regarding controls, which aligns with CM-1.
Document Content
Matched Section
Section: In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements.
Content: In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values.
AI Justification
The text discusses the selection and implementation of controls, which includes change management aspects, aligning with CM-3.
Document Content
Matched Section
Section: Cryptography
Content: Cryptography – Establishes controls for proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
AI Justification
The chunk discusses controls related to the effective use of cryptography, which aligns with the requirements for cryptographic key management and establishment.
Document Content
Matched Section
Section: VII. Test adopts the NIST CSF and ISO 27001 standards as the foundation for the policies and following minimum policies shall be maintained to instill the baseline controls
Content: VII. Test adopts the NIST CSF and ISO 27001 standards as the foundation for the policies and following minimum policies shall be maintained to instill the baseline controls: (a) Acceptable Use – Establishes the acceptable use of information processing assets for all users. (b) Information Security Policy – Communicates management direction and support for information security in accordance with business requirements and relevant laws and regulations and sets expectations for associates. (c) Organization of Information Security – Establishes a management framework to initiate and control the implementation and operation of information security within the organization. (d) Human Resource Security - Establishes controls to reduce the risk of employee/contractor error, theft, fraud, or misuse of information assets. (e) Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
AI Justification
The text discusses the implementation of security principles throughout the system development life cycle, which aligns with the intent of SA-8.
Document Content
Matched Section
Section: Cryptography
Content: Cryptography – Establishes controls for proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
AI Justification
The chunk explicitly mentions the establishment of controls for the proper and effective use of cryptography, which aligns with the description of SC-13 regarding the use of cryptography to protect information.
Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The chunk discusses the importance of maintaining information security throughout the lifecycle of information systems, which aligns with the concept of ensuring systems can fail in a known state to prevent loss of confidentiality, integrity, or availability.
Document Content
Matched Section
Section: Asset Management, Access Control, Cryptography
Content: Asset Management – Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets. (g) Access Control – Establishes controls to manage access to information assets and information processing facilities via defined business requirements. (h) Cryptography – Establishes controls for proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
AI Justification
The chunk discusses the establishment of controls for asset management, access control, and cryptography, which are relevant to the protection of information at rest, particularly regarding confidentiality and integrity.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the importance of establishing policies and procedures for system and communications protection, aligning directly with the SC-1 control.
Document Content
Matched Section
Section: Vendor Risk Management
Content: Vendor Risk Management – Establishes controls to maintain an agreed level of information security and service delivery.
AI Justification
The text emphasizes the role of risk management strategy in establishing policies and procedures, which aligns with the PM-9 control.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The text mentions the need for effective management of information security incidents, which aligns with the IR-1 control.
Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The text discusses the importance of ensuring continuous business operations and availability of information, which aligns with the CP-1 control.
Document Content
Matched Section
Section: Compliance
Content: Compliance – Establishes controls to ensure compliance with legal, statutory,
AI Justification
The text highlights the need for compliance with various regulations and policies, which aligns with the PL-1 control.
Document Content
Matched Section
Section: Operations Security
Content: Operations Security – Establishes controls to ensure the secure operation of information processing facilities, protection from malware, protection from loss of
AI Justification
The chunk discusses the establishment of controls to ensure the secure operation of information processing facilities, which aligns with the definition of Operations Security (OPSEC) as it involves protecting information related to sensitive organizational activities.
Document Content
Matched Section
Section: Information Security Incident Management and Information Security Aspects of Business Continuity Management
Content: Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The chunk discusses the importance of maintaining communication paths and ensuring operational continuity during incidents, which aligns with the need for alternate communications paths as described in SC-47.
Document Content
Matched Section
Section: Network and Firewall Security Policy
Content: Network and Firewall Security Policy - Establishes the security-related controls and standards necessary to ensure the effective implementation and monitoring of network security, and to protect critical Company information that is transmitted via various Test networks, including public, internal, and trusted external networks.
AI Justification
The text discusses the implementation of network security controls and standards necessary to protect critical company information, which aligns with the concept of managed interfaces and boundary protection.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the importance of policies and procedures related to system and information integrity, aligning with the requirements of SI-1.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The mention of managing information security incidents aligns with the need for incident response policies and procedures.
Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The reference to ensuring continuous business operations and availability of information during failures or disasters aligns with contingency planning.
Document Content
Matched Section
Section: Compliance
Content: Compliance – Establishes controls to ensure compliance with legal, statutory,
AI Justification
The text emphasizes the need for policies and procedures at the organizational level, which relates to security planning.
Document Content
Matched Section
Section: Role Responsibility
Content: CISO l Is responsible for developing, maintaining, and socializing an annual set of cybersecurity goals for the organization. l Is responsible for providing guidance at a strategic level on the organization’s cybersecurity program. l Is responsible for oversight and review of all information security policies, standards and best practices to ensure the organization remains compliant with all applicable regulations and legislation.
AI Justification
The responsibilities outlined for the CISO and the Global Risk Committee indicate a proactive approach to maintaining cybersecurity awareness and compliance, which aligns with the need for security alerts and advisories as mentioned in control SI-5.
Document Content
Matched Section
Section: Supply chain risk management policy and procedures
Content: Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of supply chain risk management policies and procedures, aligning directly with the control's focus on establishing such policies.
Document Content
Matched Section
Section: Security and privacy program policies and procedures
Content: Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures.
AI Justification
The text emphasizes the need for security and privacy programs to collaborate on policy development, which aligns with the control's focus on program management.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The chunk discusses the importance of integrating information security into the entire lifecycle of information systems, which aligns with managing risks associated with supply chain elements and processes.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance; Vendor Risk Management
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems. (m) Vendor Risk Management – Establishes controls to maintain an agreed level of information security and service delivery.
AI Justification
The text discusses the importance of managing supply chain risks, which aligns with the control's focus on the risks associated with external providers and the need for coordinated efforts in risk management.
Document Content
Matched Section
Section: Vendor Risk Management
Content: Vendor Risk Management – Establishes controls to maintain an agreed level of information security and service delivery.
AI Justification
The chunk discusses vendor risk management and the establishment of controls to maintain information security, which aligns with the assessment and review of supplier risk.
Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses various strategies and tools for protecting the supply chain, which aligns with the objectives of SR-5.
Document Content
Matched Section
Section: Information Security Incident Management
Content: Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The chunk discusses the importance of communication and incident management in the context of information security, which aligns with the need for agreements and procedures among supply chain entities to respond effectively to incidents.
Document Content
Matched Section
Section: Operations Security
Content: Operations Security – Establishes controls to ensure the secure operation of information processing facilities, protection from malware, protection from loss of
AI Justification
The text discusses the importance of protecting supply chain information and the need for operational security measures related to suppliers, which aligns with the objectives of SR-7.
Document Content
Matched Section
Section: Asset Management
Content: Asset Management – Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets.
AI Justification
The text mentions the need for asset identification and protection, which aligns with the objectives of asset management.
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf NIST
74 matches found
Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy Access to Networks & Network Services Management of Privileged Access Rights Information Access Restriction Use of Privileged Utility Programs Access Control to Program Source Code
AI Justification
The text discusses the importance of access control policies and procedures, including their development and implementation within organizations.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units.
AI Justification
The text discusses the representation of information and the binding of attributes to entities, which aligns with access control mechanisms and responsibilities.
Document Content
Matched Section
Section: Access Control Policy
Content: Access to Networks & Network Services Management of Privileged Access Rights Information Access Restriction Use of Privileged Utility Programs Access Control to Program Source Code
AI Justification
The text discusses the identification of authorized system users, specification of access privileges, and management of different types of accounts, which aligns with the requirements of access control policies.
Document Content
Matched Section
Section: Access Control Policy
Content: Access to Networks & Network Services
AI Justification
The text discusses remote access to organizational systems, the use of encrypted VPNs, and the management of remote access connections, which aligns directly with the control's focus on remote access policies and practices.
Document Content
Matched Section
Section: Access Control Policy
Content: Access to Networks & Network Services
AI Justification
The text mentions enforcing access restrictions for remote access, which is directly related to access enforcement controls.
Document Content
Matched Section
Section: implementation and operation of information security within Test
Content: This policy should also ensure the security of teleworking and use of mobile devices within Test so that they are adequately protected to prevent leakage of information through them.
AI Justification
The text discusses the security of teleworking and the use of mobile devices, which aligns with the requirements for protecting mobile devices as outlined in AC-19.
Document Content
Matched Section
Section: 4.0 Organization of Information Security Policy
Content: The information contained herein is the property of Test Freres & Co. LLC ("Test") and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Test without prior written permission.
AI Justification
The text discusses the management of access to nonpublic information and the policies regarding publicly accessible content, which aligns with the requirements of AC-22.
Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy
AI Justification
The chunk explicitly mentions 'Access Control Policy', which aligns directly with the definition of AC-3 regarding control access between users and systems.
Document Content
Matched Section
Section: 1.3 SEGREGATION OF DUTIES
Content: a) Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
AI Justification
The text chunk explicitly discusses the segregation of conflicting duties and responsibilities to mitigate risks associated with unauthorized modifications or misuse, aligning directly with the principles of separation of duties.
Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy Access to Networks & Network Services Management of Privileged Access Rights Information Access Restriction Use of Privileged Utility Programs Access Control to Program Source Code A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 Policy on the Utilization of Cryptographic Controls Protecting Against External & Environmental Threats Working in Secure Areas Equipment Siting & Protection A.13.1.1 Network Controls A.13.1.3 A.13.2.1 Segregation in Networks Information Transfer Policies & Procedures
AI Justification
The chunk discusses various aspects of access control, which aligns with the concept of access control decisions and enforcement.
Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls.
AI Justification
The text discusses the importance of role-based training tailored to the responsibilities and security requirements of individuals, which aligns with the intent of AT-3.
Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy Access to Networks & Network Services Management of Privileged Access Rights Information Access Restriction Use of Privileged Utility Programs Access Control to Program Source Code A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5 A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 Policy on the Utilization of Cryptographic Controls Protecting Against External & Environmental Threats Working in Secure Areas Equipment Siting & Protection A.13.1.1 Network Controls A.13.1.3 A.13.2.1 Segregation in Networks Information Transfer Policies & Procedures
AI Justification
The chunk discusses various aspects of access control and information flow, which aligns with the principles of Information Flow Control as outlined in AC-4.
Document Content
Matched Section
Section: Awareness & Training
Content: Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users.
AI Justification
The text discusses the provision of literacy training and awareness for system users, which aligns with the need for role-based training to ensure users understand their responsibilities regarding security and privacy.
Document Content
Matched Section
Section: Program Management
Content: Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant.
AI Justification
The content addresses the need for ongoing training and updates based on organizational requirements and security incidents, which is relevant to managing a security and privacy workforce.
Document Content
Matched Section
Section: Incident Response
Content: The content addresses the need for operations security and the handling of personally identifiable information.
AI Justification
The text mentions the need for training related to responding to suspected incidents, which aligns with incident response training requirements.
Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: AT-3 Awareness & Training | Role-based Training
AI Justification
The chunk mentions various training controls, including role-based training, which aligns with the requirement for documentation and training for specific roles.
Document Content
Matched Section
Section: Program Management | Security & Privacy Workforce
Content: PM-13 Program Management | Security & Privacy Workforce
AI Justification
The mention of maintaining documentation for training aligns with the need for a security and privacy workforce management program.
Document Content
Matched Section
Section: Information Security Awareness, Education and Training
Content: A.7.2.2 Information Security Awareness, Education and Training
AI Justification
The chunk refers to security awareness and skills training, which is directly related to the need for education and training in information security.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units. b) Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance.
AI Justification
The text discusses the importance of defining information security responsibilities and the allocation of these responsibilities within business units, which aligns with the need for policies and procedures in the CA family.
Document Content
Matched Section
Section: Authorization levels should be defined and documented.
Content: Authorization levels should be defined and documented.
AI Justification
The text discusses the need for authorization levels to be defined and documented, which aligns with the requirement for official management decisions to authorize operations and accept risks.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units.
AI Justification
The text discusses the allocation of information security responsibilities and the importance of defining roles related to security, which aligns with conducting impact analyses as part of security responsibilities.
Document Content
Matched Section
Section: Contingency planning policy and procedures
Content: Control: CP-1: Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures.
AI Justification
The text discusses the importance of contingency planning policies and procedures, their development, and their relationship with security and privacy programs.
Document Content
Matched Section
Section: Access Control Policy
Content: Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication.
AI Justification
The text discusses the requirements for unique identification and authentication of users, including the use of passwords, physical authenticators, and biometrics.
Document Content
Matched Section
Section: Incident Response Policy and Procedures
Content: Control: IR-1: Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures.
AI Justification
The text discusses the importance of incident response policies and procedures, their development, and the need for collaboration between security and privacy programs.
Document Content
Matched Section
Section: Access Control Management
Content: Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14.
AI Justification
The chunk discusses the identification and authentication of non-organizational users, which relates to permitted actions without explicit identification.
Document Content
Matched Section
Section: Account Management
Content: Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14.
AI Justification
The mention of managing access for non-organizational users aligns with account management practices.
Document Content
Matched Section
Section: Access Control Management
Content: Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.
AI Justification
The text implies a need to balance ease of access with risk management, which relates to the principle of least privilege.
Document Content
Matched Section
Section: 1.4 CONTACT WITH AUTHORITIES
Content: Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner.
AI Justification
The chunk discusses procedures for contacting authorities in relation to security incidents, which aligns with the incident response capabilities outlined in control IR-4.
Document Content
Matched Section
Section: Incident Response Training
Content: Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training.
AI Justification
The text discusses the importance of incident response training tailored to different roles within the organization, which aligns directly with the requirements of control IR-2.
Document Content
Matched Section
Section: Role-based Training
Content: For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration.
AI Justification
The mention of role-based training for different personnel in incident response aligns with the requirements of control AT-3.
Document Content
Matched Section
Section: 1.4 CONTACT WITH AUTHORITIES
Content: a) Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner. See the IS Incident Management Policy for more details.
AI Justification
The section outlines procedures for reporting incidents to authorities, aligning with the need for timely reporting and designated reporting authorities as specified in IR-6.
Document Content
Matched Section
Section: Incident Response Management
Content: Control: IR-5: Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling.
AI Justification
The chunk discusses the importance of documenting incidents and maintaining records, which aligns with the requirements of control IR-5.
Document Content
Matched Section
Section: Incident Response Management
Content: IR-4 provides information on the types of incidents that are appropriate for monitoring.
AI Justification
The chunk references IR-4, which provides information on the types of incidents that are appropriate for monitoring, aligning with the control's focus.
Document Content
Matched Section
Section: Policy
Content: Statement of intent that is implemented as a procedure or protocol.
AI Justification
The text discusses the importance of maintenance policies and procedures in relation to security and privacy assurance, aligning with the MA-1 control.
Document Content
Matched Section
Section: Control References
Content: NIST CSF Subcategory Control Reference Control Name ID.AM-6
AI Justification
The mention of security and privacy programs collaborating suggests a need for awareness and training, which aligns with the ID.AM-6 control.
Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy
AI Justification
The chunk discusses access control policies which align with the need to enforce authorizations for entry and exit of system components.
Document Content
Matched Section
Section: Policy
Content: Statement of intent that is implemented as a procedure or protocol.
AI Justification
The text discusses the importance of physical and environmental protection policies and procedures, aligning with the requirements outlined in control PE-1.
Document Content
Matched Section
Section: Segregation of duties
Content: Designed to prevent unilateral actions within an organization’s workflow, which can result in damaging events that would exceed the organization’s risk tolerance.
AI Justification
The mention of segregation of duties aligns with the control aimed at preventing unilateral actions that could exceed risk tolerance.
Document Content
Matched Section
Section: Tailoring Controls
Content: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions.
AI Justification
The text discusses the concept of tailoring controls to meet specific organizational needs, which aligns with the definition and purpose of PL-11.
Document Content
Matched Section
Section: Program Management | Information Security Program Plan
Content: An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.
AI Justification
The text discusses the importance of an information security program plan, detailing its purpose, implementation, and updates, which aligns directly with the control's definition.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units. b) Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance. c) Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The chunk discusses the allocation of information security responsibilities and the identification of roles related to risk management, which aligns with the need for an organization-wide risk management process as outlined in PM-10.
Document Content
Matched Section
Section: Section c) and e)
Content: Test should consider various means to ensure that initiation of an event is separated from its authorization to prevent/minimize possibilities of collusion. Management, where feasible, should ensure that there are separate teams to review, administer, and monitor the servers and network devices adhering to segregation of duties principle.
AI Justification
The text discusses the importance of separating initiation from authorization and ensuring that roles and responsibilities are clearly defined, which aligns with the principles of remote access management.
Document Content
Matched Section
Section: Section f)
Content: Mitigating or compensating controls should be established in those instances where duties cannot be fully segregated. Compensating controls include audit trails, monitoring activities, and supervisory reviews.
AI Justification
The mention of audit trails and monitoring activities as compensating controls aligns with the need for audit review and analysis.
Document Content
Matched Section
Section: Program Management | Information Security Program Leadership Role
Content: Organizations that handle classified information are required, under Executive Order 13587 EO 13587 and the National Insider Threat Policy ODNI NITP, to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems.
AI Justification
The text discusses the establishment and requirements of insider threat programs, which aligns directly with control PM-12.
Document Content
Matched Section
Section: 1.4 CONTACT WITH AUTHORITIES
Content: a) Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner. See the IS Incident Management Policy for more details.
AI Justification
The section emphasizes the importance of maintaining contact with authorities and regulatory bodies, which aligns with the need for ongoing communication with security and privacy groups to address changing technologies and threats.
Document Content
Matched Section
Section: Program Management | Information Security Program Leadership Role
Content: Program Management | Information Security Program Leadership Role
AI Justification
The chunk explicitly mentions the role of the senior agency information security officer, which aligns directly with control PM-2.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units.
AI Justification
The section outlines the allocation of information security responsibilities within business units, which aligns with the need for organizations to establish champions for information security.
Document Content
Matched Section
Section: Policy
Content: Statement of intent that is implemented as a procedure or protocol.
AI Justification
The text discusses the importance of personnel security policies and procedures, their development, and the need for collaboration between security and privacy programs.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units. b) Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance. c) Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The chunk discusses the allocation of information security responsibilities and the definition of roles related to information security risk management, which aligns with the elements of a risk management strategy.
Document Content
Matched Section
Section: Coordination and oversight of third-party relationships
Content: Coordination and oversight of third-party relationships should be identified and documented. See section in Supplier Relationship Policy for additional information and guidance.
AI Justification
The text discusses the coordination and oversight of third-party relationships, which aligns with the requirements for managing external providers.
Document Content
Matched Section
Section: Personnel Security | Position Descriptions
Content: Control: PS-2: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.
AI Justification
The text discusses the importance of position risk designations and how they relate to personnel security and suitability programs, aligning directly with the control's focus on position risk designations as per OPM policy.
Document Content
Matched Section
Section: Personnel Security | Position Descriptions
Content: Personnel Security | Position Descriptions
AI Justification
The chunk mentions 'Position Descriptions' and 'Information Security Roles & Responsibilities', which aligns with the specification of security and privacy roles.
Document Content
Matched Section
Section: Control: PT-1
Content: Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of policies and procedures related to personally identifiable information, aligning with the PT-1 control.
Document Content
Matched Section
Section: 1.11 CONTROL REFERENCES
Content: NIST CSF Subcategory Control Reference Control Name ID.AM-6 CIS CSC 14 Security Awareness & Skills Training
AI Justification
The mention of security and privacy programs collaborating suggests a need for awareness and training in these areas.
Document Content
Matched Section
Section: Policy
Content: Statement of intent that is implemented as a procedure or protocol.
AI Justification
The text discusses the importance of risk assessment policies and procedures, their role in security and privacy assurance, and the need for collaboration between security and privacy programs.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units. b) Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance.
AI Justification
The chunk discusses the allocation of information security responsibilities and the identification of assets, which aligns with the need for security categorization to understand potential adverse impacts.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: c) Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The chunk discusses the identification of responsibilities for information security risk management activities, which aligns with the need for risk assessments that consider various factors affecting organizational operations and assets.
Document Content
Matched Section
Section: Policy
Content: Statement of intent that is implemented as a procedure or protocol. Segregation of duties: Designed to prevent unilateral actions within an organization’s workflow, which can result in damaging events that would exceed the organization’s risk tolerance.
AI Justification
The text discusses the organization's approach to risk management, including the need for a plan of action based on risk response decisions, which aligns with the control's focus on responding to risk.
Document Content
Matched Section
Section: Privacy Impact Assessment
Content: A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks.
AI Justification
The text discusses the importance of conducting a privacy impact assessment to evaluate how personally identifiable information is handled and to mitigate privacy risks, which aligns directly with control RA-8.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units.
AI Justification
The text discusses the importance of defining and allocating information security responsibilities, which aligns with the need for policies and procedures in system and services acquisition.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: c) Responsibilities for information security risk management activities and for acceptance of residual risks should be defined.
AI Justification
The mention of responsibilities for information security risk management activities aligns with the need for risk assessment policies and procedures.
Document Content
Matched Section
Section: Coordination and oversight of third-party relationships
Content: Coordination and oversight of third-party relationships should be identified and documented. See section in Supplier Relationship Policy4, for additional information and guidance.
AI Justification
The chunk discusses the coordination and oversight of third-party relationships, which aligns with the control's focus on managing risks from external service providers and documenting trust relationships.
Document Content
Matched Section
Section: Policy
Content: Statement of intent that is implemented as a procedure or protocol.
AI Justification
The text discusses the importance of system and communications protection policies and procedures, aligning directly with the control SC-1.
Document Content
Matched Section
Section: Segregation of duties
Content: Designed to prevent unilateral actions within an organization’s workflow, which can result in damaging events that would exceed the organization’s risk tolerance.
AI Justification
The mention of segregation of duties relates to access control measures to prevent unilateral actions, which aligns with control AC-1.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units. b) Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance. c) Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance. d) Personnel with defined information security responsibilities may delegate security tasks to others. However, the defined personnel will remain accountable and should determine whether the delegated tasks have been performed correctly. Specifically, the following should take place: i. The assets and information security process should be identified and defined.
AI Justification
The text discusses the importance of defining information security roles and responsibilities within the system development life cycle, which aligns with the principles outlined in SA-3.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units. b) Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance. c) Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance. d) Personnel with defined information security responsibilities may delegate security tasks to others. However, the defined personnel will remain accountable and should determine whether the delegated tasks have been performed correctly. Specifically, the following should take place: i. The assets and information security process should be identified and defined.
AI Justification
The text mentions the integration of security engineering principles in the system development life cycle, which is relevant to SA-8.
Document Content
Matched Section
Section: Access to Networks & Network Services
Content: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture.
AI Justification
The text discusses managed interfaces, including gateways, routers, and firewalls, which aligns with the control's focus on network security architecture.
Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: a) Information security responsibilities should be defined and allocated within Test business units. b) Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance. c) Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The text discusses the importance of defining information security responsibilities and the need for policies and procedures related to system and information integrity.
Document Content
Matched Section
Section: Program Management | Service Provider Management
Content: Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders.
AI Justification
The text discusses the complexities and requirements of managing supply chain risks, which aligns directly with the control's focus on the risks associated with external providers and the need for tailored SCRM plans.
Document Content
Matched Section
Section: Policy
Content: Statement of intent that is implemented as a procedure or protocol.
AI Justification
The text discusses the importance of supply chain risk management policies and procedures, aligning with the control's focus on establishing such policies.
Document Content
Matched Section
Section: Policy
Content: Statement of intent that is implemented as a procedure or protocol.
AI Justification
The mention of security and privacy programs collaborating on policies suggests a need for awareness and training.
Document Content
Matched Section
Section: Coordination and oversight of third-party relationships
Content: Coordination and oversight of third-party relationships should be identified and documented. See section in Supplier Relationship Policy4, for additional information and guidance.
AI Justification
The chunk discusses the coordination and oversight of third-party relationships, which aligns with the assessment and review of supplier risk as described in SR-6.
Document Content
Matched Section
Section: Coordination and oversight of third-party relationships
Content: Coordination and oversight of third-party relationships should be identified and documented. See section in Supplier Relationship Policy4, for additional information and guidance.
AI Justification
The text discusses the importance of managing relationships with suppliers and ensuring that security and privacy requirements are documented, which aligns with the principles of Supply Chain OPSEC.
Document Content
Matched Section
Section: Coordination and oversight of third-party relationships
Content: Coordination and oversight of third-party relationships should be identified and documented. See section in Supplier Relationship Policy4, for additional information and guidance.
AI Justification
The text discusses the importance of coordination and oversight of third-party relationships, which aligns with the need for agreements and procedures to facilitate communication among supply chain entities.