Test DATA
Job ID: Test-DATA--082125225022
2025-08-21
Completed
Overall Alignment: 86.5%
Controls Aligned: 32 / 37
Frameworks applied: 1 (CIS)
Key Controls: 3 / 3
Framework Compliance Overview
Framework | Total Controls | Aligned | Gaps | Compliance Progress |
---|---|---|---|---|
CIS | 37 | 32 | 5 | 86.5% |
OVERALL | 37 | 32 | 5 | 86.5% |
Document Analysis Details

Document | Framework | Total Controls | Aligned |
---|---|---|---|
anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf | CIS | 37 | 9 |
anonymized_6.1_IS_Data_Security_Standards.pdf | CIS | 37 | 12 |
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf | CIS | 37 | 1 |
anonymized_7.1_IS_Asset_Management_Standard.pdf | CIS | 37 | 7 |
anonymized_7.0_IS_Asset_Management_Policy.pdf | CIS | 37 | 8 |
anonymized_3.0_IS_Information_Security_Policy_2.pdf | CIS | 37 | 2 |
anonymized_2.1_IS_Acceptable_Use_Standard.pdf | CIS | 37 | 3 |
anonymized_7.2_IS_End_User_Device_Standard.pdf | CIS | 37 | 6 |
anonymized_6.0_IS_Data_Security_Policy_1.pdf | CIS | 37 | 7 |
anonymized_2.0_IS_Acceptable_Use_Policy.pdf | CIS | 37 | 3 |
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | CIS | 37 | 7 |
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf | CIS | 37 | 5 |
37 Total Controls

Control ID | Control Name | Status | Evidence Section | Document |
---|---|---|---|---|
1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | Aligned | Asset Management – Establishes controls for asset identifica... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
1.2 | Address Unauthorized Assets | Aligned | 1.2 REQUIREMENTS - Access Control... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
1.3 | Utilize an Active Discovery Tool | Gap | Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure... | |
1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Aligned | MAINTAINANCE... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
1.5 | Use a Passive Asset Discovery Tool | Gap | Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and us... | |
2.1 | Establish and Maintain a Software Inventory (Key Control) | Aligned | Inventory of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
2.2 | Ensure Authorized Software is Currently Supported | Aligned | 1.17 EXCEPTION... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
2.3 | Address Unauthorized Software | Aligned | Software... | anonymized_6.1_IS_Data_Security_Standards.pdf |
2.4 | Utilize Automated Software Inventory Tools | Aligned | Inventory of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
2.7 | Allowlist Authorized Scripts | Gap | Use technical controls, such as digital signatures and version control, to ensure that only authoriz... | |
3.1 | Establish and Maintain a Data Management Process | Aligned | User Access Authorization and Information Owner Responsibili... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
3.1 | Establish and Maintain a Data Management Process | Aligned | 1.1 Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.1 | Establish and Maintain a Data Management Process | Aligned | IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
3.1 | Establish and Maintain a Data Management Process | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
3.1 | Establish and Maintain a Data Management Process | Aligned | 1.8 DATA RETENTION and 1.9 ROLES & RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.1 | Establish and Maintain a Data Management Process | Aligned | LEAVING Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
3.2 | Establish and Maintain a Data Inventory | Gap | Establish and maintain a data inventory based on the enterprise’s data management process. Inventory... | |
3.3 | Configure Data Access Control Lists | Aligned | 1.2.3 System and Application Access Control - Information Ac... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
3.3 | Configure Data Access Control Lists | Aligned | Access Control Policy... | anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf |
3.3 | Configure Data Access Control Lists | Aligned | Define desktop and end-user device security access controls.... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.3 | Configure Data Access Control Lists | Aligned | 1.3 DATA OWNER RESPONSIBILITIES... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.3 | Configure Data Access Control Lists | Aligned | 1.2.1 Access Control... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
3.4 | Enforce Data Retention | Aligned | Evidence of account and privilege reviews should document th... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
3.4 | Enforce Data Retention | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.4 | Enforce Data Retention | Aligned | 1.8 DATA RETENTION... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.5 | Securely Dispose of Data | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.5 | Securely Dispose of Data | Aligned | IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
3.5 | Securely Dispose of Data | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
3.5 | Securely Dispose of Data | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
3.6 | Encrypt Data on End-User Devices | Aligned | Encryption of sensitive data on High-risk Technology assets... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.6 | Encrypt Data on End-User Devices | Aligned | Devices should be password-protected and encrypted.... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.6 | Encrypt Data on End-User Devices | Aligned | Only USB sticks and other removable devices that have been a... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.6 | Encrypt Data on End-User Devices | Aligned | vi. Encryption is to be used to protect the confidentiality ... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | Aligned | Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | Aligned | 1.3 IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | Aligned | Definition of Confidentiality, Integrity, and Availability... | anonymized_3.0_IS_Information_Security_Policy_2.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | Aligned | 1.5 DATA CLASSIFICATION... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.7 | Establish and Maintain a Data Classification Scheme | Aligned | Data Security classification policy... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
3.8 | Document Data Flows | Gap | Document data flows. Data flow documentation includes service provider data flows and should be base... | |
3.9 | Encrypt Data on Removable Media | Aligned | Encrypt data on removable media... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.9 | Encrypt Data on Removable Media | Aligned | 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
3.9 | Encrypt Data on Removable Media | Aligned | 1.1.5 Removable Storage Devices... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.9 | Encrypt Data on Removable Media | Aligned | 1.12 REMOVEABLE STORAGE DEVICES... | anonymized_2.0_IS_Acceptable_Use_Policy.pdf |
3.11 | Encrypt Sensitive Data at Rest | Aligned | Encrypt sensitive data at rest on servers, applications, and... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.11 | Encrypt Sensitive Data at Rest | Aligned | Devices should be password-protected and encrypted.... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
3.12 | Segment Data Processing and Storage Based on Sensitivity | Aligned | Data Handling Procedures... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.13 | Deploy a Data Loss Prevention Solution | Aligned | Inventory of Assets... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
3.13 | Deploy a Data Loss Prevention Solution | Aligned | Section 3: Data Loss Prevention Mechanism... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
3.14 | Log Sensitive Data Access | Aligned | Log sensitive data access, including modification and dispos... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
3.14 | Log Sensitive Data Access | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf |
3.14 | Log Sensitive Data Access | Aligned | 1.3 IT Asset (NEW) and other assets Retirement and Disposal... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
3.14 | Log Sensitive Data Access | Aligned | Asset Disposal & Re-Use... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
4.1 | Establish and Maintain a Secure Configuration Process | Aligned | Configuration management database should maintain the versio... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
4.1 | Establish and Maintain a Secure Configuration Process | Aligned | Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Aligned | 1.11 MAINTENANCE... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Aligned | Network Monitoring & Defense... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
4.3 | Configure Automatic Session Locking on Enterprise Assets | Aligned | Session Locking Policy... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
4.4 | Implement and Manage a Firewall on Servers | Aligned | Section 6: Personal firewalls software should be installed a... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
4.5 | Implement and Manage a Firewall on End-User Devices | Aligned | Section 6: Personal firewalls software should be installed a... | anonymized_7.2_IS_End_User_Device_Standard.pdf |
4.6 | Securely Manage Enterprise Assets and Software | Aligned | Section discussing program source code libraries and configu... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
4.6 | Securely Manage Enterprise Assets and Software | Aligned | Secure Configuration of Enterprise Assets & Software... | anonymized_6.0_IS_Data_Security_Policy_1.pdf |
4.7 | Manage Default Accounts on Enterprise Assets and Software | Aligned | User ID Management and Default Account Handling... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
4.7 | Manage Default Accounts on Enterprise Assets and Software | Aligned | Service Accounts... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
4.9 | Configure Trusted DNS Servers on Enterprise Assets | Aligned | System & Communications Protection \| Secure Name/address Reso... | anonymized_6.1_IS_Data_Security_Standards.pdf |
4.9 | Configure Trusted DNS Servers on Enterprise Assets | Aligned | System & Communications Protection \| Secure Name/address Reso... | anonymized_6.1_IS_Data_Security_Standards.pdf |
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices (Key Control) | Aligned | Disposal (in accordance with Retention Policy)... | anonymized_6.1_IS_Data_Security_Standards.pdf |
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices (Key Control) | Aligned | V. Bring Your Own Device... | anonymized_2.1_IS_Acceptable_Use_Standard.pdf |
4.11 | Enforce Remote Wipe Capability on Portable End-User Devices (Key Control) | Aligned | LEAVING Test... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | Aligned | Endpoint Security Device Management... | anonymized_7.1_IS_Asset_Management_Standard.pdf |
5.1 | Establish and Maintain an Inventory of Accounts (Key Control) | Aligned | Management of Privileged Access Rights... | anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf |
5.1 | Establish and Maintain an Inventory of Accounts (Key Control) | Aligned | Assets ownership and responsibilities... | anonymized_7.0_IS_Asset_Management_Policy.pdf |
5.1 | Establish and Maintain an Inventory of Accounts (Key Control) | Aligned | Service Accounts... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
5.1 | Establish and Maintain an Inventory of Accounts (Key Control) | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
A.8.2.2 | Labeling of Information | Aligned | Labeling of Information... | anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf |
A.9.1.1 | Access Control Policy | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
A.9.4.1 | Information Access Restriction | Aligned | Access Control Management... | anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf |
anonymized_8.1_IS_Access_Control_Identity_Management_Standard_1.pdf (CIS): 9 matches found

Matched Section: User Access Authorization and Information Owner Responsibilities
Content: c) All User access authorization forms should be retained for a period of at least two (2) years and be classified as Confidential. d) Information owners are responsible for reviewing and approving all requests for access to Information Resources and applications for which they are responsible.
AI Justification: The text discusses the retention of user access authorization forms and the responsibilities of information owners, which aligns with the need for a documented data management process that includes data handling and retention requirements.

Matched Section: 1.2.3 System and Application Access Control - Information Access Restriction
Content: b) The information and communication system privileges of all Users, systems, and independently operating programs such as agents, should be restricted based on the need to know. E.g., read, write, delete, and execute rights should be granted as per business need.
AI Justification: The section discusses restricting access based on the need to know and maintaining an access control matrix, which aligns with configuring data access control lists.

Matched Section: Evidence of account and privilege reviews should document the date that the review occurred, who conducted the review, and what action (if any) was taken. Records should be maintained for a minimum period of twelve (12) months.
Content: Evidence of account and privilege reviews should document the date that the review occurred, who conducted the review, and what action (if any) was taken. Records should be maintained for a minimum period of twelve (12) months.
AI Justification: The section discusses the maintenance of records related to account and privilege reviews, indicating a process for retaining data for a specified minimum period.

Matched Section: Log sensitive data access, including modification and disposal.
Content: subsequently recover them. This includes both masking within applications such as replacing sensitive data with ‘#’ or other character and masking within data storage using approved encryption methods.
AI Justification: The section discusses the importance of masking sensitive data and ensuring that it is not displayed in clear text, which aligns with logging access to sensitive data.

Matched Section: Configuration management database should maintain the version control of all programs and strict change control procedures need to be followed for any modifications to the program source library.
Content: f) Configuration management database should maintain the version control of all programs and strict change control procedures need to be followed for any modifications to the program source library.
AI Justification: The chunk discusses maintaining a configuration management database and strict change control procedures, which aligns with establishing and maintaining a documented secure configuration process.

Matched Section: Session Locking Policy
Content: Administrators are responsible to ensure that the screen lock is always functional after an idle period of 15 minutes.
AI Justification: The text specifies that administrators are responsible for ensuring that the screen lock is functional after an idle period of 15 minutes, which aligns with the requirement for automatic session locking.

Matched Section: Section discussing program source code libraries and configuration management.
Content: b) Where possible, program source code libraries should not be held on production systems. c) All updates or issues of the program sources to developers should be carried out through an authorized request. d) User Accounts should have the least amount of privilege required to perform their business processes, thereby limiting access to source code. e) An audit log should be maintained of all access to program source libraries. f) Configuration management database should maintain the version control of all programs and strict change control procedures need to be followed for any modifications to the program source library.
AI Justification: The chunk discusses managing program source code libraries, maintaining version control, and following strict change control procedures, which aligns with securely managing enterprise assets and software.

Matched Section: User ID Management and Default Account Handling
Content: User IDs should be unique across all systems and uniquely associated with that single person to whom it has been assigned. User IDs should not be utilized by anyone except the individual to whom the IDs have been issued. Shared IDs should only be permitted where they are necessary for business or operational reasons and the use should be approved and documented. All Users with access to Test's Information Resources should use the User ID that has been specifically assigned to them. The only exception being preauthorized shared accounts. Default parameters, such as password length, composition, change schedules and other controls based on the account management standards, should be set when creating new User accounts. All default, pre-set, or temporary passwords and accounts assigned internally should be set to a unique value per User and changed immediately after first use.
AI Justification: The section discusses the management of user IDs, including the prohibition of shared IDs and the requirement for unique user IDs, which aligns with managing default accounts.

Matched Section: Management of Privileged Access Rights
Content: a) All Users that require privileged access should also be provided their own personal accounts for normal business use. Privileged access accounts are to be stringently monitored through an approved Privileged Session Manager which allow recording of sessions and have logging/security agents which deliver information to a global SIEM.
AI Justification: The text discusses the management of accounts, including the need for accounts to be enabled for a specific limited time and the monitoring of privileged access accounts, which aligns with maintaining an inventory of accounts.
anonymized_6.1_IS_Data_Security_Standards.pdf CIS
13 matches foundDocument Content
Matched Section
Section: Software
Content: Use of software for Test work or development should be properly licensed for Test and used only under the terms and conditions of the licenses.
Content: Use of software for Test work or development should be properly licensed for Test and used only under the terms and conditions of the licenses.
AI Justification
The text specifies that software used for Test work must be properly licensed and used under the terms of the licenses, which aligns with ensuring unauthorized software is not used.
Document Content
Matched Section
Section: 1.1 Data Handling Procedures
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Test: Activity Medium Procedure Public Internal Confidential Restricted Collection All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs.
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Test: Activity Medium Procedure Public Internal Confidential Restricted Collection All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs.
AI Justification
The chunk outlines the handling requirements for data based on its classification, which aligns with establishing a documented data management process.
Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Disposal (in accordance with Retention Policy) Paper Place all copies of information in a shredding bin. Place unattended copies of information found after business hours in a shredding bin as well.
Content: Disposal (in accordance with Retention Policy) Paper Place all copies of information in a shredding bin. Place unattended copies of information found after business hours in a shredding bin as well.
AI Justification
The text discusses the disposal of documents and electronic media in accordance with a retention policy, which aligns with the requirement to retain data according to documented processes.
Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Place all copies of information in a shredding bin. Place unattended copies of information found after business hours in a shredding bin as well. Erase, degauss, or destroy (using a CD shredder) all electronic media in a manner that will render the information irretrievable.
Content: Place all copies of information in a shredding bin. Place unattended copies of information found after business hours in a shredding bin as well. Erase, degauss, or destroy (using a CD shredder) all electronic media in a manner that will render the information irretrievable.
AI Justification
The text outlines procedures for securely disposing of both paper and electronic data, which aligns with the requirement to securely dispose of data as per documented processes.
Document Content
Matched Section
Section: Encryption of sensitive data on High-risk Technology assets
Content: PII/NPI data element under regulatory, legal or contractual requirements (e.g., PCI PAN, SSN, Account Numbers) when stored on High-risk Technology assets and where technology permits.
Content: PII/NPI data element under regulatory, legal or contractual requirements (e.g., PCI PAN, SSN, Account Numbers) when stored on High-risk Technology assets and where technology permits.
AI Justification
The text explicitly mentions the need to encrypt PII/NPI data when stored on High-risk Technology assets, which aligns with the control's focus on encryption.
Document Content
Matched Section
Section: Encrypt data on removable media
Content: PII/NPI data element under regulatory, legal or contractual requirements (e.g., PCI PAN, SSN, Account Numbers) when stored on High-risk Technology assets and where technology permits.
Content: PII/NPI data element under regulatory, legal or contractual requirements (e.g., PCI PAN, SSN, Account Numbers) when stored on High-risk Technology assets and where technology permits.
AI Justification
The section discusses the requirement to encrypt PII/NPI data when stored on high-risk technology assets, which includes portable media like USB drives.
Document Content
Matched Section
Section: Data Handling Procedures
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Test: Activity Medium Procedure Public Internal Confidential Restricted Collection All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. n n n n Verify and validate, with the information source, that the information being collected is reliable and relevant. n n n n Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. - n n n - n n n - - n n - - n n - - n n Labelling All Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Test: Activity Medium Procedure Public Internal Confidential Restricted Collection All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. n n n n Verify and validate, with the information source, that the information being collected is reliable and relevant. n n n n Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. - n n n - n n n - - n n - - n n - - n n Labelling All Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or
AI Justification
The text discusses the implementation of an information classification scheme, which aligns with the requirement to establish and maintain a data classification scheme.
Document Content
Matched Section
Section: Encrypt sensitive data at rest on servers, applications, and databases.
Content: Required - Encrypt PII/NPI data element under regulatory, legal or contractual requirements (e.g., PCI PAN, SSN, Account Numbers) when stored on High-risk Technology assets and where technology permits.
Content: Required - Encrypt PII/NPI data element under regulatory, legal or contractual requirements (e.g., PCI PAN, SSN, Account Numbers) when stored on High-risk Technology assets and where technology permits.
AI Justification
The chunk discusses the requirement to encrypt PII/NPI data elements when stored on high-risk technology assets, aligning with the control's focus on encryption of sensitive data at rest.
Document Content
Matched Section
Section: Data Handling Procedures
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Test: Activity Medium Procedure Public Internal Confidential Restricted Collection All Collect only the information necessary to meet business objectives or fulfill Customer obligations.
AI Justification
The section discusses handling requirements based on the information classification scheme, which aligns with segmenting data processing and storage based on sensitivity.
Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Dispose (in accordance with Retention Policy) Paper Place all copies of information in a shredding bin. Place unattended copies of information found after business hours in a shredding bin as well.
AI Justification
The text discusses the disposal of sensitive information, including paper documents and electronic media, which aligns with logging access to sensitive data.
Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Delete files from all devices (e.g., laptops, mobile devices, USB drives, etc.) after no longer required to be retained, and place unnecessary paper documents in a shredding bin.
AI Justification
The text discusses procedures for securely wiping electronic media and deleting files from devices, which aligns with the control's focus on wiping enterprise data from devices.
Document Content
Matched Section
Section: System & Communications Protection| Secure Name/address Resolution Service (authoritative Source)
Content: System & Communications Protection| Secure Name/address Resolution Service (authoritative Source)
AI Justification
The chunk discusses various aspects of system and communications protection, including trusted path and secure name/address resolution services, which relate to the configuration of trusted DNS servers.
Document Content
Matched Section
Section: System & Communications Protection| Secure Name/address Resolution Service (recursive or Caching Resolver)
Content: System & Communications Protection| Secure Name/address Resolution Service (recursive or Caching Resolver)
AI Justification
The mention of recursive or caching resolver indicates the need for trusted DNS configurations.
anonymized_4.0_IS_Organization_of_Information_Security_Policy_1.pdf CIS
1 matches found
Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy
AI Justification
The control requires configuring data access control lists based on user needs, which aligns with the Access Control Policy outlined in the document.
anonymized_7.1_IS_Asset_Management_Standard.pdf CIS
7 matches found
Document Content
Matched Section
Section: IT Asset (NEW) and other assets Retirement and Disposal
Content: a) Define an asset disposal procedure encompassing identification of assets, assessment of assets, approval, disposal methods, and reporting. b) Establish data security procedures to protect sensitive (classification internal, confidential, restricted) data when assets are planned to be retired.
AI Justification
The chunk discusses the establishment of procedures for asset disposal and data security, which aligns with the need for a documented data management process that addresses data sensitivity and disposal requirements.
Document Content
Matched Section
Section: MAINTENANCE
Content: A periodical review for this standard and the associated core documents should be performed to identify and implement measures for improvement. The minimal interval for this review is annually from the date of last approval.
AI Justification
The section mentions a periodical review of the standard and associated documents to identify and implement measures for improvement, which aligns with the requirement to review and update documentation annually.
Document Content
Matched Section
Section: IT Asset (NEW) and other assets Retirement and Disposal
Content: a) Define an asset disposal procedure encompassing identification of assets, assessment of assets, approval, disposal methods, and reporting. b) Establish data security procedures to protect sensitive (classification internal, confidential, restricted) data when assets are planned to be retired.
AI Justification
The section outlines procedures for asset disposal, including data security measures for sensitive data, which aligns with the need to securely dispose of data as per its sensitivity.
Document Content
Matched Section
Section: 1.3 IT Asset (NEW) and other assets Retirement and Disposal
Content: b) Establish data security procedures to protect sensitive (classification internal, confidential, restricted) data when assets are planned to be retired.
AI Justification
The section discusses the establishment of data security procedures to protect sensitive data, which aligns with the need for a data classification scheme.
Document Content
Matched Section
Section: 1.3 IT Asset (NEW) and other assets Retirement and Disposal
Content: a) Define an asset disposal procedure encompassing identification of assets, assessment of assets, approval, disposal methods, and reporting. b) Establish data security procedures to protect sensitive (classification internal, confidential, restricted) data when assets are planned to be retired.
AI Justification
The section discusses procedures for asset disposal and emphasizes the importance of protecting sensitive data during the retirement of assets, which aligns with logging access and modifications related to sensitive data.
Document Content
Matched Section
Section: Endpoint Security Device Management
Content: a) Test should follow its mobile device security standards as outlined in the Test IS 7.2 End User Device Standard. b) System threat models frameworks (e.g., the OWASP Threat Model Framework) for mobile devices and the resources that are accessed through the mobile devices should be followed. c) All users should be authenticated prior to accessing the organization’s resources. Due diligence should be conducted; forgotten passwords should be reset, and devices should automatically lock after idle time. d) Endpoint device security should be regularly maintained. e) Each organization-issued endpoint device should be fully secured before allowing a user to access it. f) Aspects of endpoint device solution that should be evaluated. 1. protection, 2. authentication, 3. application functionality, 4. solution management, 5. logging, and performance.
AI Justification
The section discusses the need for endpoint device security and management, which aligns with establishing a secure configuration process for enterprise assets.
Document Content
Matched Section
Section: Endpoint Security Device Management
Content: a) Test should follow its mobile device security standards as outlined in the Test IS 7.2 End User Device Standard.
AI Justification
The section discusses the management and security of mobile devices, including the need for separate enterprise workspaces and authentication before accessing resources.
anonymized_7.0_IS_Asset_Management_Policy.pdf CIS
8 matches found
Document Content
Matched Section
Section: Inventory of Assets
Content: All relevant Test information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction.
AI Justification
The chunk discusses the maintenance of an inventory of assets, including software, which aligns with the requirement to establish and maintain a detailed inventory of licensed software.
Document Content
Matched Section
Section: Inventory of Assets
Content: All relevant Test information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction.
AI Justification
The section discusses the importance of maintaining an inventory of software and applications as part of asset management, which aligns with the control's focus on utilizing software inventory tools.
Document Content
Matched Section
Section: Asset Disposal & Re-Use
Content: All Test information should be classified to ensure that the information receives an appropriate level of protection in accordance with its importance to Test. The classification scheme should be consistent across the whole organization so that all information Assets are consistently classified and controlled. Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy. Assets that contain sensitive or internal information should be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse. Assets reuse and destruction practices should be tracked, documented, and evidenced.
AI Justification
The section discusses the classification and secure disposal of assets, which aligns with the need to establish a documented data management process that includes handling and disposal requirements.
Document Content
Matched Section
Section: Asset Disposal & Re-Use
Content: Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy. Assets that contain sensitive or internal information should be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse.
AI Justification
The section outlines the procedures for securely disposing of assets containing sensitive data, which aligns with the requirement for secure data disposal as per the control.
Document Content
Matched Section
Section: Asset Disposal & Re-Use
Content: All Test information should be classified to ensure that the information receives an appropriate level of protection in accordance with its importance to Test. The classification scheme should be consistent across the whole organization so that all information Assets are consistently classified and controlled.
AI Justification
The text discusses the need for a classification scheme for Test information, ensuring consistent classification and protection based on the importance of the information.
Document Content
Matched Section
Section: Inventory of Assets
Content: All relevant Test information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction.
AI Justification
The section discusses maintaining an inventory of assets, which aligns with identifying sensitive data and ensuring its protection.
Document Content
Matched Section
Section: Asset Disposal & Re-Use
Content: Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy. Assets that contain sensitive or internal information should be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse. Assets reuse and destruction practices should be tracked, documented, and evidenced.
AI Justification
The section discusses the secure disposal of assets containing sensitive data and emphasizes the need for tracking and documenting the practices related to asset reuse and destruction.
Document Content
Matched Section
Section: Assets ownership and responsibilities
Content: Ownership should be assigned for all assets maintained in the inventory. An Asset Owner should be assigned whenever Assets are acquired by or transferred by the organization. An Asset Owner should be responsible for: Ensuring that Assets are inventoried, and Asset details are up to date.
AI Justification
The text discusses the need for an inventory of assets, including the responsibilities of an Asset Owner to ensure assets are inventoried and details are up to date, which aligns with maintaining an inventory of accounts.
anonymized_3.0_IS_Information_Security_Policy_2.pdf CIS
2 matches found
Document Content
Matched Section
Section: Asset Management – Establishes controls for asset identification, inventory, ownership and handling.
Content: Asset Management – Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets.
AI Justification
The text discusses the establishment and maintenance of an inventory of enterprise assets, which aligns directly with the requirements of control 1.1.
Document Content
Matched Section
Section: Definition of Confidentiality, Integrity, and Availability
Content: Confidentiality The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
AI Justification
The chunk discusses the importance of protecting data, which aligns with the need for a data classification scheme to manage data sensitivity and security.
anonymized_2.1_IS_Acceptable_Use_Standard.pdf CIS
3 matches found
Document Content
Matched Section
Section: V. Bring Your Own Device
Content: Mandatory security controls and safeguards have been identified by Test for managing security for personally owned devices registered, provisioned, and authorized to connect to Test’s network. By participating in Test’s BYOD program, the User agrees to the following: a. Wiping or removal of data of User’s device. 1. User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Test managed application.
AI Justification
The section discusses the wiping or removal of data from the User's personal device, which aligns with securely disposing of data as outlined in the enterprise’s documented data management process.
Document Content
Matched Section
Section: 1.3 RULES OF BEHAVIOR (ROB) - Acceptable Use
Content: Data processing using Test-authorized encrypted removable media (USB drives, external hard drives).
AI Justification
The section explicitly mentions the use of Test-authorized encrypted removable media for data processing, aligning with the control's focus on encryption for removable media.
Document Content
Matched Section
Section: V. Bring Your Own Device
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device.
AI Justification
The section explicitly states that designated staff can remotely wipe or remove all data from a user's personal device under certain circumstances, which aligns with the control's requirement for remotely wiping enterprise data from devices.
anonymized_7.2_IS_End_User_Device_Standard.pdf CIS
7 matches found
Document Content
Matched Section
Section: Define desktop and end-user device security access controls.
Content: ii. Define desktop and end-user device security access controls.
AI Justification
The section discusses defining access controls for desktop and end-user devices, which aligns with configuring data access control lists based on user needs.
Document Content
Matched Section
Section: Devices should be password-protected and encrypted.
Content: Devices should be password-protected and encrypted.
AI Justification
The chunk discusses the need for devices to be encrypted and password-protected, which aligns with the control's focus on encrypting sensitive data on end-user devices.
Document Content
Matched Section
Section: Only USB sticks and other removable devices that have been approved by Test IT, and that support password-protection and encryption, should be used.
Content: Only USB sticks and other removable devices that have been approved by Test IT, and that support password-protection and encryption, should be used.
AI Justification
The mention of using approved removable devices that support password-protection and encryption further supports the need for encryption of sensitive data.
Document Content
Matched Section
Section: 1.1.5 Removable Storage Devices
Content: Only USB sticks and other removable devices that have been approved by Test IT, and that support password-protection and encryption, should be used.
AI Justification
The section discusses the requirement for removable devices to be password-protected and encrypted, which aligns with the control's focus on encryption of data on such media.
Document Content
Matched Section
Section: Devices should be password-protected and encrypted.
Content: Devices should be password-protected and encrypted.
AI Justification
The chunk discusses the importance of encryption for devices, specifically mentioning that devices should be password-protected and encrypted, which aligns with the control's focus on encrypting sensitive data.
Document Content
Matched Section
Section: Section 6: Personal firewalls software should be installed and subject to update from a central policy server.
Content: Personal firewalls software should be installed and subject to update from a central policy server; users should not be able to disable or change the configuration of this firewall.
AI Justification
The text discusses the installation and management of personal firewalls, which aligns with the control's focus on implementing and managing firewalls on servers.
Document Content
Matched Section
Section: Section 6: Personal firewalls software should be installed and subject to update from a central policy server; users should not be able to disable or change the configuration of this firewall.
Content: Personal firewalls software should be installed and subject to update from a central policy server; users should not be able to disable or change the configuration of this firewall.
AI Justification
The section discusses the installation and management of personal firewalls on end-user devices, aligning with the requirement for a host-based firewall with a default-deny rule.
anonymized_6.0_IS_Data_Security_Policy_1.pdf CIS
7 matches found
Document Content
Matched Section
Section: 1.8 DATA RETENTION and 1.9 ROLES & RESPONSIBILITIES
Content: Data retention policies are driven by legal and regulatory requirements. The Data Owner should ensure that data is retained as it pertains to Global, Federal, State and Local statutes and regulations and/or requirements. Role / Responsibility: Chief Information Security Officer: • Periodic update and distribution of this policy. Data Owner: • Assigning appropriate classification to the data. • Monitoring and reviewing data and its classification periodically. • Approving access to the data in accordance with Access control policy. • Ensuring that appropriate data labelling and handling requirements are followed.
AI Justification
The section discusses data retention policies and the responsibilities of the Data Owner, which aligns with the need to establish and maintain a documented data management process.
Document Content
Matched Section
Section: 1.8 DATA RETENTION
Content: Data retention policies are driven by legal and regulatory requirements. The Data Owner should ensure that data is retained as it pertains to Global, Federal, State and Local statutes and regulations and/or requirements.
AI Justification
The section discusses data retention policies driven by legal and regulatory requirements, which aligns with the need to retain data according to documented processes.
Document Content
Matched Section
Section: 1.3 DATA OWNER RESPONSIBILITIES
Content: Data Owners have overall responsibility for information security for their application(s) including the following responsibilities: a) Reviewing and verifying, at least annually, that users continue to require current access privileges, including associated privileges (e.g. transferring and/or copying of data). Special attention will be given to privileged users e.g.: Domain administrators and users with access to non-public personal, confidential, or restricted data. Terminated personnel and changes to access privileges should be identified and the information forwarded to the Data Custodian for updating. b) Classifying and securing data according to the criteria stipulated within this Policy. Each Data Owner will be responsible for identifying and classifying all information for which he/she is responsible. c) Establishing and reviewing access groupings based upon the data classification process.
AI Justification
The responsibilities outlined for Data Owners include reviewing and verifying user access privileges, which aligns with the need to configure data access control lists based on a user’s need to know.
Document Content
Matched Section
Section: 1.5 DATA CLASSIFICATION
Content: a) The confidentiality, integrity, and availability of all data created or retained by Test should be appropriately protected. b) Data classification should consider any relevant legal or regulatory requirements. c) Data Owners should be accountable for their classification. A Data Owner should be in a Managerial level in the respective Test Line of Business (or Division or Function) for which an application that houses the data was originally developed or purchased. d) The default classification is Confidential in the absence of any classification. e) Data should not be downgraded to a lower classification without formal authorization from the Data Owner. It is the Data Owner's responsibility to monitor information assets and continuously review the data's classification. f) Data Owners should periodically review the risk classifications of the resources for which
AI Justification
The section discusses the establishment and maintenance of a data classification scheme, including accountability and review processes, which aligns with the control's requirements.
Document Content
Matched Section
Section: Section 3: Data Loss Prevention Mechanism
Content: A data loss prevention (DLP) mechanism should be implemented. This mechanism helps prevent sensitive information from being leaked. It can do this by monitoring and blocking certain types of data from being sent out.
AI Justification
The text discusses the implementation of a DLP mechanism to prevent sensitive information leakage, which aligns with the control's focus on identifying and managing sensitive data.
Document Content
Matched Section
Section: 1.11 MAINTENANCE
Content: A periodic review of this standard and the associated core documents should be performed to identify and implement measures for improvement. The minimum interval for this review is annually from the date of last approval.
AI Justification
The text requires the standard and its associated documents to be reviewed at least annually from the date of last approval, which satisfies the annual-review element of the requirement to maintain a documented secure configuration process. The configuration process itself is not described in this chunk.
Document Content
Matched Section
Section: Secure Configuration of Enterprise Assets & Software
Content: Secure Configuration of Enterprise Assets & Software
AI Justification
The matched chunk is a section heading only ("Secure Configuration of Enterprise Assets & Software"), which names the control's subject area; the heading alone does not show what configuration requirements the section imposes.
anonymized_2.0_IS_Acceptable_Use_Policy.pdf CIS
3 matches found
Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Test's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee: 1. Policy statement requiring the exception. 2. Exception duration. Provide detailed information.
AI Justification
The chunk discusses the process for requesting exceptions to security policies, which aligns with the need to document exceptions for unsupported software as outlined in control 2.2.
Document Content
Matched Section
Section: Data Security classification policy
Content: proprietary information, trade secrets or any other sensitive material covered by Data Security classification policy. This includes but is not limited to blogging and social media usage.
AI Justification
The text discusses the classification of sensitive material, which aligns with establishing a data classification scheme.
Document Content
Matched Section
Section: 1.12 REMOVEABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Test and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The section acknowledges the risk removable storage devices pose to intellectual data and permits their use only with approval from IT and Information Security. This supports controlling removable media, but the matched text does not itself require encryption of data on such devices.
anonymized_8.0_IS_Access_Control_Identity_Management_Policy_1.pdf CIS
7 matches found
Document Content
Matched Section
Section: 1.2 REQUIREMENTS - Access Control
Content: Access to Information Resources should be controlled, based on the business and security requirements and in keeping with the asset's classification in accordance with Test's 8.0 IS Asset Management Policy. Access controls should be deployed on the principle of least privilege to protect the information from unauthorized access.
AI Justification
The section requires access to information resources to be controlled on the principle of least privilege, in keeping with asset classification, to prevent unauthorized access. Note that the matched text concerns access to resources rather than detecting or removing unauthorized assets, so the mapping to this control is indirect.
Document Content
Matched Section
Section: 1.2.1 Access Control
Content: Access to Information Resources should be controlled, based on the business and security requirements and in keeping with the asset's classification in accordance with Test's 8.0 IS Asset Management Policy. Access controls should be deployed on the principle of least privilege to protect the information from unauthorized access.
AI Justification
The section discusses the need to restrict access based on business requirements and a need-to-know basis, which aligns with configuring data access control lists.
Document Content
Matched Section
Section: vi. Encryption is to be used to protect the confidentiality of remote access sessions.
Content: vi. Encryption is to be used to protect the confidentiality of remote access sessions.
AI Justification
The chunk mentions the use of encryption to protect the confidentiality of remote access sessions, which aligns with the need to encrypt sensitive data.
Document Content
Matched Section
Section: Labeling of Information
Content: A.8.2.2 Labeling of Information
AI Justification
The matched chunk is a heading referencing A.8.2.2 Labeling of Information. Labeling is a key element of a data classification scheme, so the reference supports the control, although the heading alone does not state the labeling requirements.
Document Content
Matched Section
Section: Network Monitoring & Defense
Content: Content Updates and Annual Review
AI Justification
The matched chunk is a heading ("Content Updates and Annual Review") under the Network Monitoring & Defense section, indicating the document is updated and reviewed on an annual cycle, which aligns with the annual-review element of maintaining a secure configuration process.
Document Content
Matched Section
Section: Service Accounts
Content: a. All service accounts are required to be added to Enterprise Password Vault (EPV) or Enterprise Secrets Management Solution (ESMS). Specifically, all on premise, cloud, third-party and SaaS accounts including but not limited to: i. Local accounts of any kind. ii. WDS service accounts. iii. Unix Directory Service (UDS) accounts. iv. Application specific accounts.
AI Justification
The text requires all service accounts, including local, directory, third-party, SaaS and application-specific accounts, to be added to the Enterprise Password Vault or Enterprise Secrets Management Solution, which aligns with the control's focus on managing default and service accounts.
Document Content
Matched Section
Section: Service Accounts
Content: All service accounts are required to be added to Enterprise Password Vault (EPV) or Enterprise Secrets Management Solution (ESMS). Specifically, all on premise, cloud, third-party and SaaS accounts including but not limited to: Local accounts of any kind. WDS service accounts. Unix Directory Service (UDS) accounts. Application specific accounts.
AI Justification
The section requires all service accounts to be registered in the Enterprise Password Vault or Enterprise Secrets Management Solution, which provides a central record of those accounts and aligns with maintaining an inventory of accounts.
anonymized_5.0_IS_Human_Resource_Security_Policy_1.pdf CIS
5 matches found
Document Content
Matched Section
Section: Access Control Management
Content: Access Control Management
AI Justification
The matched chunk is a heading ("Access Control Management"); an access control policy of this kind supports configuring data access control lists based on user permissions, though the heading alone does not state the specific requirements.
Document Content
Matched Section
Section: Access Control Management
Content: Access Control Management
AI Justification
This heading aligns with restricting access based on a user's need to know, which is a core principle of data access control lists; the heading alone does not state the specific requirements.
Document Content
Matched Section
Section: LEAVING Test
Content: The IT Department should examine any computing or communications equipment issued to or used by terminated employees to ensure that all internal information is retrieved or destroyed from the device prior to reuse of the device or issuance to another employee.
AI Justification
The text discusses the need to ensure that internal information is retrieved or destroyed from devices used by terminated employees, which aligns with the control's focus on wiping enterprise data from devices.
Document Content
Matched Section
Section: LEAVING Test
Content: Refer to the Access Control Policy for additional details.
AI Justification
The matched text only refers the reader to the Access Control Policy for details on handling access when personnel leave; it indicates that guidelines for managing access privileges exist but does not itself state them.
Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary. Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The section describes how IDs and permissions for new hires are created and approved by hiring managers, network administrators and application security administrators, which relates to maintaining an inventory of accounts.