
Test Final 1

Job ID: Test-Final-1-081425224931 | Date: 2025-08-14 | Status: Completed
Summary

Overall Alignment: 89.3% (Excellent Coverage)
Controls Aligned: 327 / 366 (327 out of 366 controls found)
Frameworks: 2 (NIST, CIS) assessment frameworks applied
Key Controls: 168 / 179 critical controls identified

Framework Compliance Overview

Framework | Total Controls | Aligned | Gaps | Compliance | Rating
CIS | 41 | 40 | 1 | 97.56% | Excellent
NIST | 325 | 287 | 38 | 88.31% | Excellent
OVERALL | 366 | 327 | 39 | 89.3% |
Document Analysis Details

Each document was assessed against both frameworks (CIS: 41 controls, NIST: 325 controls). Aligned is the number of framework controls the document evidences; Coverage is that count as a percentage of the framework total.

Document | CIS Aligned (of 41) | CIS Coverage | NIST Aligned (of 325) | NIST Coverage
2.0_IS_Acceptable_Use_Policy.pdf | 6 | 14.63% | 88 | 27.08%
4.0_IS_Organization_of_Information_Security_Policy_1.pdf | 3 | 7.32% | 71 | 21.85%
7.0_IS_Asset_Management_Policy.pdf | 14 | 34.15% | 87 | 26.77%
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf | 5 | 12.2% | 70 | 21.54%
7.2_IS_End_User_Device_Standard.pdf | 9 | 21.95% | 60 | 18.46%
7.1_IS_Asset_Management_Standard.pdf | 8 | 19.51% | 38 | 11.69%
19.0_IS_Cloud_Computing_Security_Policy.pdf | 6 | 14.63% | 74 | 22.77%
2.1_IS_Acceptable_Use_Standard.pdf | 3 | 7.32% | 65 | 20.0%
6.1_IS_Data_Security_Standards.pdf | 11 | 26.83% | 94 | 28.92%
5.0_IS_Human_Resource_Security_Policy_1.pdf | 3 | 7.32% | 63 | 19.38%
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf | 2 | 4.88% | 45 | 13.85%
6.0_IS_Data_Security_Policy_1.pdf | 14 | 34.15% | 106 | 32.62%
3.0_IS_Information_Security_Policy_2.pdf | 4 | 9.76% | 111 | 34.15%
26.0_IS_Vulnerability_Management_Policy.pdf | 11 | 26.83% | 53 | 16.31%
23.0_IS_Network_and_Firewall_Security_Policy.pdf | 8 | 19.51% | 101 | 31.08%
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf | 2 | 4.88% | 44 | 13.54%
19.1_IS_Cloud_Computing_Security_Standard.pdf | 15 | 36.59% | 121 | 37.23%
20.0_IS_Risk_Management_Policy_2.pdf | 0 | 0.0% | 59 | 18.15%
27.0_IS_Lazard_Reference_Timeout_Standard.pdf | 3 | 7.32% | 24 | 7.38%

CIS Controls (41 Total Controls)

Each entry below lists, in order: Control ID, Control Name, the Key Control flag (where applicable), Status followed by the Evidence Section excerpt, and the source Document. Evidence excerpts are truncated as in the generated report.
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned This policy is applicable to all Lazard employees, contracto...
2.0_IS_Acceptable_Use_Policy.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned Responsibilities for the protection of individual assets...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned Asset inventory should be kept accurate, and it should be re...
7.0_IS_Asset_Management_Policy.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned All Firm workstations and laptops should be inventoried for ...
7.2_IS_End_User_Device_Standard.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned Aspects of endpoint device solution that should be evaluated...
7.1_IS_Asset_Management_Standard.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned Data Protection...
6.0_IS_Data_Security_Policy_1.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned Asset Management...
3.0_IS_Information_Security_Policy_2.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned Inventories of all hardware and software installed on the co...
26.0_IS_Vulnerability_Management_Policy.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned 1.2.1 General Network Security...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
1.1
Establish and Maintain Detailed Enterprise Asset Inventory
Key Control
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
1.2
Address Unauthorized Assets
Aligned Inventories of all hardware and software installed on the co...
26.0_IS_Vulnerability_Management_Policy.pdf
1.3
Utilize an Active Discovery Tool
Aligned c) The Asset inventory should be kept accurate, and it shoul...
7.0_IS_Asset_Management_Policy.pdf
1.3
Utilize an Active Discovery Tool
Aligned Inventories of all hardware and software installed on the co...
26.0_IS_Vulnerability_Management_Policy.pdf
1.4
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Aligned Inventories of all hardware and software installed on the co...
26.0_IS_Vulnerability_Management_Policy.pdf
1.5
Use a Passive Asset Discovery Tool
Aligned Inventories of all hardware and software installed on the co...
26.0_IS_Vulnerability_Management_Policy.pdf
1.5
Use a Passive Asset Discovery Tool
Aligned Automated vulnerability scans should be used to scan all ide...
26.0_IS_Vulnerability_Management_Policy.pdf
2.1
Establish and Maintain a Software Inventory
Key Control
Aligned Inventory of Assets...
7.0_IS_Asset_Management_Policy.pdf
2.1
Establish and Maintain a Software Inventory
Key Control
Aligned All Firm workstations and laptops should be inventoried for ...
7.2_IS_End_User_Device_Standard.pdf
2.1
Establish and Maintain a Software Inventory
Key Control
Aligned Inventories of all hardware and software installed on the co...
26.0_IS_Vulnerability_Management_Policy.pdf
2.1
Establish and Maintain a Software Inventory
Key Control
Aligned Inventory and Control of Software Assets...
19.1_IS_Cloud_Computing_Security_Standard.pdf
2.2
Ensure Authorized Software is Currently Supported
Key Control
Aligned Software/Applications...
7.0_IS_Asset_Management_Policy.pdf
2.2
Ensure Authorized Software is Currently Supported
Key Control
Aligned EXCEPTION...
19.0_IS_Cloud_Computing_Security_Policy.pdf
2.2
Ensure Authorized Software is Currently Supported
Key Control
Aligned Inventories of all hardware and software installed on the co...
26.0_IS_Vulnerability_Management_Policy.pdf
2.3
Address Unauthorized Software
Aligned Exceptions to this policy can be requested by submitting a p...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
2.3
Address Unauthorized Software
Aligned Section regarding emergency exceptions to software policy...
7.1_IS_Asset_Management_Standard.pdf
2.3
Address Unauthorized Software
Aligned Use only Lazard managed equipment for business-related work;...
6.1_IS_Data_Security_Standards.pdf
2.3
Address Unauthorized Software
Aligned Section 1.12 - EXCEPTION...
5.0_IS_Human_Resource_Security_Policy_1.pdf
2.3
Address Unauthorized Software
Aligned Access rights to the Lazard networks and network services...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
2.3
Address Unauthorized Software
Aligned Policy exceptions process...
26.0_IS_Vulnerability_Management_Policy.pdf
2.3
Address Unauthorized Software
Aligned Detailed explanation of why the exception is necessary and D...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
2.3
Address Unauthorized Software
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
2.4
Utilize Automated Software Inventory Tools
Aligned Inventory of Assets...
7.0_IS_Asset_Management_Policy.pdf
2.4
Utilize Automated Software Inventory Tools
Aligned Inventories of all hardware and software installed on the co...
26.0_IS_Vulnerability_Management_Policy.pdf
2.7
Allowlist Authorized Scripts
Gap Use technical controls, such as digital signatures and version control, to ensure that only authoriz...
3.1
Establish and Maintain a Data Management Process
Key Control
Aligned 1.4 SECURITY & PROPRIETARY INFORMATION...
2.0_IS_Acceptable_Use_Policy.pdf
3.1
Establish and Maintain a Data Management Process
Key Control
Aligned 1.5 MAINTENANCE...
7.0_IS_Asset_Management_Policy.pdf
3.1
Establish and Maintain a Data Management Process
Key Control
Aligned 1.4 MAINTAINANCE...
7.1_IS_Asset_Management_Standard.pdf
3.1
Establish and Maintain a Data Management Process
Key Control
Aligned Responsibilities of application owners and collaboration wit...
19.0_IS_Cloud_Computing_Security_Policy.pdf
3.1
Establish and Maintain a Data Management Process
Key Control
Aligned b) Classifying and securing data according to the criteria s...
6.0_IS_Data_Security_Policy_1.pdf
3.1
Establish and Maintain a Data Management Process
Key Control
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
3.1
Establish and Maintain a Data Management Process
Key Control
Aligned MAINTAINANCE...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
3.2
Establish and Maintain a Data Inventory
Key Control
Aligned c) The Asset inventory should be kept accurate, and it shoul...
7.0_IS_Asset_Management_Policy.pdf
3.2
Establish and Maintain a Data Inventory
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
3.2
Establish and Maintain a Data Inventory
Key Control
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
3.3
Configure Data Access Control Lists
Aligned 1.4 SECURITY & PROPRIETARY INFORMATION...
2.0_IS_Acceptable_Use_Policy.pdf
3.3
Configure Data Access Control Lists
Aligned Access Control | Policy & Procedures...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
3.3
Configure Data Access Control Lists
Aligned Access to Networks and Network Services...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
3.3
Configure Data Access Control Lists
Aligned Equipment and media containing confidential information shou...
7.2_IS_End_User_Device_Standard.pdf
3.3
Configure Data Access Control Lists
Aligned Only approved end-user devices may be attached to the LAN (p...
7.2_IS_End_User_Device_Standard.pdf
3.3
Configure Data Access Control Lists
Aligned In particular, the use of any unauthorized networking device...
7.2_IS_End_User_Device_Standard.pdf
3.3
Configure Data Access Control Lists
Aligned Network Access Control (NAC) technology is used to monitor c...
7.2_IS_End_User_Device_Standard.pdf
3.3
Configure Data Access Control Lists
Aligned 1.2.1 Access Control...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
3.3
Configure Data Access Control Lists
Aligned 1.2.2 Information Resources...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
3.3
Configure Data Access Control Lists
Aligned Classifying and securing data according to the criteria stip...
6.0_IS_Data_Security_Policy_1.pdf
3.3
Configure Data Access Control Lists
Aligned Access privileges of all users, especially those with the ab...
6.0_IS_Data_Security_Policy_1.pdf
3.3
Configure Data Access Control Lists
Aligned The principle of least privilege should be employed by:...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
3.3
Configure Data Access Control Lists
Aligned User access policies and procedures should be established...
19.1_IS_Cloud_Computing_Security_Standard.pdf
3.4
Enforce Data Retention
Key Control
Aligned An exit strategy for recovering, transferring, or destroying...
19.0_IS_Cloud_Computing_Security_Policy.pdf
3.4
Enforce Data Retention
Key Control
Aligned Disposal (in accordance with Retention Policy)...
6.1_IS_Data_Security_Standards.pdf
3.4
Enforce Data Retention
Key Control
Aligned Data retention policies are driven by legal and regulatory r...
6.0_IS_Data_Security_Policy_1.pdf
3.4
Enforce Data Retention
Key Control
Aligned Log file retention requirements...
26.0_IS_Vulnerability_Management_Policy.pdf
3.5
Securely Dispose of Data
Key Control
Aligned 1.2.2 Asset Disposal & Re-Use...
7.0_IS_Asset_Management_Policy.pdf
3.5
Securely Dispose of Data
Key Control
Aligned IT Asset Retirement and Disposal...
7.1_IS_Asset_Management_Standard.pdf
3.5
Securely Dispose of Data
Key Control
Aligned Exit Strategy for Data Management...
19.0_IS_Cloud_Computing_Security_Policy.pdf
3.5
Securely Dispose of Data
Key Control
Aligned Data Wiping and Removal Procedures...
2.1_IS_Acceptable_Use_Standard.pdf
3.5
Securely Dispose of Data
Key Control
Aligned Disposal (in accordance with Retention Policy)...
6.1_IS_Data_Security_Standards.pdf
3.6
Encrypt Data on End-User Devices
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned DOCUMENT CLASSIFICATION...
2.0_IS_Acceptable_Use_Policy.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned DOCUMENT CLASSIFICATION...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned 1.2.2 Asset Disposal & Re-Use...
7.0_IS_Asset_Management_Policy.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned DOCUMENT CLASSIFICATION...
7.1_IS_Asset_Management_Standard.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned DOCUMENT CLASSIFICATION...
19.0_IS_Cloud_Computing_Security_Policy.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned DOCUMENT CLASSIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned DOCUMENT CLASSIFICATION...
5.0_IS_Human_Resource_Security_Policy_1.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned 1.0 PURPOSE...
6.0_IS_Data_Security_Policy_1.pdf
3.7
Establish and Maintain a Data Classification Scheme
Aligned Incident Categorization...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
3.8
Document Data Flows
Key Control
Aligned 1.2.1 General Network Security...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
3.9
Encrypt Data on Removable Media
Aligned REMOVEABLE STORAGE DEVICES...
2.0_IS_Acceptable_Use_Policy.pdf
3.9
Encrypt Data on Removable Media
Aligned Use of Removable Devices and Data Security...
7.2_IS_End_User_Device_Standard.pdf
3.9
Encrypt Data on Removable Media
Aligned Disposal (in accordance with Retention Policy)...
6.1_IS_Data_Security_Standards.pdf
3.9
Encrypt Data on Removable Media
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
3.11
Encrypt Sensitive Data at Rest
Key Control
Aligned Details on Encryption see section “Encryption requirements” ...
6.1_IS_Data_Security_Standards.pdf
3.11
Encrypt Sensitive Data at Rest
Key Control
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
3.12
Segment Data Processing and Storage Based on Sensitivity
Aligned Restricted Data...
6.0_IS_Data_Security_Policy_1.pdf
3.12
Segment Data Processing and Storage Based on Sensitivity
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
3.13
Deploy a Data Loss Prevention Solution
Key Control
Aligned Inventory of Assets...
7.0_IS_Asset_Management_Policy.pdf
3.13
Deploy a Data Loss Prevention Solution
Key Control
Aligned Data Loss Prevention Mechanism...
6.0_IS_Data_Security_Policy_1.pdf
3.13
Deploy a Data Loss Prevention Solution
Key Control
Aligned The section discusses DLP and its role in safeguarding perso...
19.1_IS_Cloud_Computing_Security_Standard.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned Asset Disposal & Re-Use...
7.0_IS_Asset_Management_Policy.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned IT Asset (NEW) and other assets Retirement and Disposal...
7.1_IS_Asset_Management_Standard.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned An exit strategy for recovering, transferring, or destroying...
19.0_IS_Cloud_Computing_Security_Policy.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned Disposal (in accordance with Retention Policy)...
6.1_IS_Data_Security_Standards.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned 1.7 PROTECTION OF LOG INFORMATION...
6.0_IS_Data_Security_Policy_1.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned Event logs should be produced based on the Lazard Logging St...
26.0_IS_Vulnerability_Management_Policy.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned Lazard should use file integrity monitoring or change detect...
26.0_IS_Vulnerability_Management_Policy.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned Log files should be protected from tampering or unauthorized...
26.0_IS_Vulnerability_Management_Policy.pdf
3.14
Log Sensitive Data Access
Key Control
Aligned Access Control and User Access Policies...
19.1_IS_Cloud_Computing_Security_Standard.pdf
4.1
Establish and Maintain a Secure Configuration Process
Key Control
Aligned Endpoint Security Device Management...
7.1_IS_Asset_Management_Standard.pdf
4.1
Establish and Maintain a Secure Configuration Process
Key Control
Aligned Endpoint Security Device Management...
7.1_IS_Asset_Management_Standard.pdf
4.1
Establish and Maintain a Secure Configuration Process
Key Control
Aligned Across High-Risk Technology Assets...
6.1_IS_Data_Security_Standards.pdf
4.1
Establish and Maintain a Secure Configuration Process
Key Control
Aligned Secure Configuration of Enterprise Assets & Software...
6.0_IS_Data_Security_Policy_1.pdf
4.1
Establish and Maintain a Secure Configuration Process
Key Control
Aligned 1.2.1 General Network Security...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
4.2
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Key Control
Aligned IT management should establish, implement, and actively mana...
7.0_IS_Asset_Management_Policy.pdf
4.2
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Key Control
Aligned 1.4 MAINTAINANCE...
6.1_IS_Data_Security_Standards.pdf
4.2
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Key Control
Aligned Configuration Management | Policies & Procedures, Configurat...
3.0_IS_Information_Security_Policy_2.pdf
4.2
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Key Control
Aligned i. Routers and other network devices will be accessed by mea...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
4.2
Establish and Maintain a Secure Configuration Process for Network Infrastructure
Key Control
Aligned Baseline security requirements for applications and infrastr...
19.1_IS_Cloud_Computing_Security_Standard.pdf
4.3
Configure Automatic Session Locking on Enterprise Assets
Aligned 1.1.4 Smartphones, Mobile, and Other Wireless Devices...
7.2_IS_End_User_Device_Standard.pdf
4.3
Configure Automatic Session Locking on Enterprise Assets
Aligned Working Sessions and INFORMATION SECURITY GOALS...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
4.4
Implement and Manage a Firewall on Servers
Aligned Network Segregation and Segmentation...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
4.4
Implement and Manage a Firewall on Servers
Aligned 6. Personal firewalls software should be installed and subje...
7.2_IS_End_User_Device_Standard.pdf
4.4
Implement and Manage a Firewall on Servers
Aligned Network Infrastructure Management and Network Monitoring & D...
6.0_IS_Data_Security_Policy_1.pdf
4.4
Implement and Manage a Firewall on Servers
Aligned Network and Firewall Security Policy...
3.0_IS_Information_Security_Policy_2.pdf
4.4
Implement and Manage a Firewall on Servers
Aligned Network Controls...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
4.5
Implement and Manage a Firewall on End-User Devices
Aligned End-user Device Security Policy...
3.0_IS_Information_Security_Policy_2.pdf
4.5
Implement and Manage a Firewall on End-User Devices
Aligned Devices that are Internet-facing and outside the Lazard fire...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
4.6
Securely Manage Enterprise Assets and Software
Key Control
Aligned Equipment and media containing confidential information shou...
7.2_IS_End_User_Device_Standard.pdf
4.6
Securely Manage Enterprise Assets and Software
Key Control
Aligned Secure Configuration of Enterprise Assets & Software...
6.0_IS_Data_Security_Policy_1.pdf
4.6
Securely Manage Enterprise Assets and Software
Key Control
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
4.7
Manage Default Accounts on Enterprise Assets and Software
Aligned General User Account...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
4.9
Configure Trusted DNS Servers on Enterprise Assets
Aligned infrastructure configuration standards including firewall, I...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
4.11
Enforce Remote Wipe Capability on Portable End-User Devices
Key Control
Aligned Section a) and b)...
7.0_IS_Asset_Management_Policy.pdf
4.11
Enforce Remote Wipe Capability on Portable End-User Devices
Key Control
Aligned User agrees that designated staff can, under certain circums...
2.1_IS_Acceptable_Use_Standard.pdf
4.11
Enforce Remote Wipe Capability on Portable End-User Devices
Key Control
Aligned Disposal (in accordance with Retention Policy)...
6.1_IS_Data_Security_Standards.pdf
4.12
Separate Enterprise Workspaces on Mobile End-User Devices
Key Control
Aligned 1.2 GENERAL USER RESPONSIBILITIES...
2.0_IS_Acceptable_Use_Policy.pdf
4.12
Separate Enterprise Workspaces on Mobile End-User Devices
Key Control
Aligned Endpoint Security Device Management...
7.1_IS_Asset_Management_Standard.pdf
5.1
Establish and Maintain an Inventory of Accounts
Key Control
Aligned Assets ownership and responsibilities...
7.0_IS_Asset_Management_Policy.pdf
5.1
Establish and Maintain an Inventory of Accounts
Key Control
Aligned 1.2.3 Account Management...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
5.1
Establish and Maintain an Inventory of Accounts
Key Control
Aligned 1.4 NEW HIRE IDS & PASSWORDS...
5.0_IS_Human_Resource_Security_Policy_1.pdf
1.1.2
Access Control Policy
Aligned Only approved end-user devices may be attached to the LAN (p...
7.2_IS_End_User_Device_Standard.pdf
1.1.3
Network Access Control
Aligned Network Access Control (NAC) technology is used to monitor c...
7.2_IS_End_User_Device_Standard.pdf
1
Inventory & Control of Enterprise Assets
Aligned Secure Configuration of Enterprise Assets & Software...
6.0_IS_Data_Security_Policy_1.pdf
1
Inventory & Control of Enterprise Assets
Aligned Inventory & Control of Enterprise Assets...
6.0_IS_Data_Security_Policy_1.pdf
1
Inventory & Control of Enterprise Assets
Aligned Inventory & Control of Enterprise Assets...
6.0_IS_Data_Security_Policy_1.pdf
2
Inventory & Control of Software Assets
Aligned Secure Configuration of Enterprise Assets & Software...
6.0_IS_Data_Security_Policy_1.pdf
2
Inventory & Control of Software Assets
Aligned Inventory & Control of Software Assets...
6.0_IS_Data_Security_Policy_1.pdf
2
Inventory & Control of Software Assets
Aligned Inventory & Control of Software Assets...
6.0_IS_Data_Security_Policy_1.pdf
SC-7
Boundary Protection
Key Control
Aligned Network Infrastructure Management and Network Monitoring & D...
6.0_IS_Data_Security_Policy_1.pdf
PR.DS-8
Data Protection
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
CM-8
Configuration Management | System Component Inventory
Key Control
Aligned NIST SP 800-53 Rev 5...
19.1_IS_Cloud_Computing_Security_Standard.pdf

NIST Controls (325 Total Controls)

Each entry below lists, in order: Control ID, Control Name, the Key Control flag (where applicable), Status followed by the Evidence Section excerpt, and the source Document. Evidence excerpts are truncated as in the generated report.
AC-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy...
6.1_IS_Data_Security_Standards.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.5 EXCEPTION...
2.1_IS_Acceptable_Use_Standard.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.4 SECURITY & PROPRIETARY INFORMATION...
2.0_IS_Acceptable_Use_Policy.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access Control Compliance...
19.0_IS_Cloud_Computing_Security_Policy.pdf
AC-1
Policy and Procedures
Key Control
Aligned User access policies and procedures should be established...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-1
Policy and Procedures
Key Control
Aligned User access policies and procedures should be established...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-1
Policy and Procedures
Key Control
Aligned Policy statement requiring the exception....
6.0_IS_Data_Security_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned b) Classifying and securing data according to the criteria s...
6.0_IS_Data_Security_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Approving access to the data in accordance with Access contr...
6.0_IS_Data_Security_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access Control | Policy & Procedures...
6.0_IS_Data_Security_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Mobile Device Policy, Teleworking, Security of Kit and Asset...
6.0_IS_Data_Security_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access Control Policy...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Policy Exceptions...
7.1_IS_Asset_Management_Standard.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access Control Policy and Procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Scope & Applicability...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Scope & Applicability...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access to Networks and Network Services...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Scope & Applicability...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access to Networks and Network Services...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access to Networks and Network Services...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Scope & Applicability...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned vi. Authorization process is developed and implemented to en...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access Control Policy...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access Control Policy and Procedures...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access control policy and procedures...
3.0_IS_Information_Security_Policy_2.pdf
AC-1
Policy and Procedures
Key Control
Aligned The practice of protecting information and information syste...
3.0_IS_Information_Security_Policy_2.pdf
AC-1
Policy and Procedures
Key Control
Aligned Acceptable Use – Establishes the acceptable use of informati...
3.0_IS_Information_Security_Policy_2.pdf
AC-1
Policy and Procedures
Key Control
Aligned XI. Access should be restricted to the information assets in...
3.0_IS_Information_Security_Policy_2.pdf
AC-1
Policy and Procedures
Key Control
Aligned Access Control...
3.0_IS_Information_Security_Policy_2.pdf
AC-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY and 1.2 APPLICABILITY...
20.0_IS_Risk_Management_Policy_2.pdf
AC-1
Policy and Procedures
Key Control
Aligned Policy Exceptions and Implementation...
7.0_IS_Asset_Management_Policy.pdf
AC-1
Policy and Procedures
Key Control
Aligned ix. Defining and periodically reviewing access restrictions ...
7.0_IS_Asset_Management_Policy.pdf
AC-1
Policy and Procedures
Key Control
Aligned ix. Defining and periodically reviewing access restrictions ...
7.0_IS_Asset_Management_Policy.pdf
Control | Control Name | Key Control | Status | Evidence (excerpt) | Source Document
--- | --- | --- | --- | --- | ---
AC-1 | Policy and Procedures | Yes | Aligned | EXCEPTION... | 27.0_IS_Lazard_Reference_Timeout_Standard.pdf
AC-1 | Policy and Procedures | Yes | Aligned | EXCEPTION... | 15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
AC-1 | Policy and Procedures | Yes | Aligned | 1.2 REQUIREMENTS... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-1 | Policy and Procedures | Yes | Aligned | Access Control Policy and Procedures... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-1 | Policy and Procedures | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-1 | Policy and Procedures | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-1 | Policy and Procedures | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-1 | Policy and Procedures | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-10 | Concurrent Session Control | No | Aligned | Access Control \| Use of External Systems... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-11 | Device Lock | Yes | Aligned | Endpoint Security Device Management... | 7.1_IS_Asset_Management_Standard.pdf
AC-11 | Device Lock | Yes | Aligned | Section 10 and 1.1.4... | 7.2_IS_End_User_Device_Standard.pdf
AC-11 | Device Lock | Yes | Aligned | End-user Device Security Policy... | 3.0_IS_Information_Security_Policy_2.pdf
AC-11 | Device Lock | Yes | Aligned | Working Sessions and INFORMATION SECURITY GOALS... | 27.0_IS_Lazard_Reference_Timeout_Standard.pdf
AC-12 | Session Termination | No | Aligned | 1.9 LEAVING LAZARD... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-12 | Session Termination | No | Aligned | Use case #4... | 27.0_IS_Lazard_Reference_Timeout_Standard.pdf
AC-14 | Permitted Actions Without Identification or Authentication | Yes | Aligned | v. Users are provided access only to those services that the... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-14 | Permitted Actions Without Identification or Authentication | Yes | Aligned | Access Control \| Policy & Procedures... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-14 | Permitted Actions Without Identification or Authentication | Yes | Aligned | Only approved end-user devices may be attached to the LAN (p... | 7.2_IS_End_User_Device_Standard.pdf
AC-14 | Permitted Actions Without Identification or Authentication | Yes | Aligned | Access Control Procedures... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-14 | Permitted Actions Without Identification or Authentication | Yes | Aligned | accessing federal systems may be required to protect federal... | 7.0_IS_Asset_Management_Policy.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Handling requirements for the following shall be developed a... | 6.1_IS_Data_Security_Standards.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | The section discusses attributes of an identity and their ro... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Shareholders personal information such as Social Security Nu... | 6.0_IS_Data_Security_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | All data classified as production, including all customer in... | 6.0_IS_Data_Security_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Internal and external audit reports.... | 6.0_IS_Data_Security_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Regulatory agency reports, unless specified by the regulator... | 6.0_IS_Data_Security_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Reports produced by Information Security Data (e.g., vulnera... | 6.0_IS_Data_Security_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Data such as balance sheet and profit and loss figures, Laza... | 6.0_IS_Data_Security_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | All personal data that is not required solely for identifica... | 6.0_IS_Data_Security_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Lazard should define, document, implement, and maintain poli... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Access Control \| Policy & Procedures... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | Data Security – Establishes controls and framework for class... | 3.0_IS_Information_Security_Policy_2.pdf
AC-16 | Security and Privacy Attributes | Yes | Aligned | 1.2.2 Asset Disposal & Re-Use... | 7.0_IS_Asset_Management_Policy.pdf
AC-17 | Remote Access | Yes | Aligned | 1.7 CLOUD SYSTEMS... | 19.0_IS_Cloud_Computing_Security_Policy.pdf
AC-17 | Remote Access | Yes | Aligned | Access Control \| Remote Access... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-17 | Remote Access | Yes | Aligned | g) It is essential for Lazard to use VPN (Virtual Private Ne... | 6.0_IS_Data_Security_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Teleworking... | 6.0_IS_Data_Security_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Teleworking... | 6.0_IS_Data_Security_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Access Control \| Remote Access... | 6.0_IS_Data_Security_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Endpoint Security Device Management... | 7.1_IS_Asset_Management_Standard.pdf
AC-17 | Remote Access | Yes | Aligned | Remote Access Security... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | v. All external connections to Lazard networks or Informatio... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Ensure that the security controls are in place while using m... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Ensure that the security controls are in place while using m... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Section 1.2.2 Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Monitoring devices are typically employed at the managed int... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-17 | Remote Access | Yes | Aligned | Remote access is a type of network access that involves comm... | 7.2_IS_End_User_Device_Standard.pdf
AC-17 | Remote Access | Yes | Aligned | Section 10: Only approved end-user devices may be attached t... | 7.2_IS_End_User_Device_Standard.pdf
AC-17 | Remote Access | Yes | Aligned | In particular, the use of any unauthorized networking device... | 7.2_IS_End_User_Device_Standard.pdf
AC-17 | Remote Access | Yes | Aligned | Section 10 regarding approved devices and network access con... | 7.2_IS_End_User_Device_Standard.pdf
AC-17 | Remote Access | Yes | Aligned | Section 1.2.5 Wired Public Internet Connections... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-17 | Remote Access | Yes | Aligned | Password Management for Access... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-17 | Remote Access | Yes | Aligned | The practice of protecting information and information syste... | 3.0_IS_Information_Security_Policy_2.pdf
AC-17 | Remote Access | Yes | Aligned | Remote Access... | 7.0_IS_Asset_Management_Policy.pdf
AC-17 | Remote Access | Yes | Aligned | Access rights to the Lazard networks and network services... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-18 | Wireless Access | No | Aligned | Access Control \| Wireless Access... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-18 | Wireless Access | No | Aligned | Wireless technologies and their security aspects... | 6.0_IS_Data_Security_Policy_1.pdf
AC-18 | Wireless Access | No | Aligned | Access Control \| Wireless Access... | 6.0_IS_Data_Security_Policy_1.pdf
AC-18 | Wireless Access | No | Aligned | Wireless technologies and authentication protocols... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | High-Risk Technology Assets... | 6.1_IS_Data_Security_Standards.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Lost Devices... | 2.1_IS_Acceptable_Use_Standard.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Rules and Standards for managing security for BYOD... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | deviations from standard security baseline configurations... | 19.0_IS_Cloud_Computing_Security_Policy.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Mobile Device Policy... | 6.0_IS_Data_Security_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Access Control \| Access Control for Mobile Devices... | 6.0_IS_Data_Security_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Mobile Device Policy... | 6.0_IS_Data_Security_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Endpoint Security Device Management... | 7.1_IS_Asset_Management_Standard.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Mobile Device Security... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | 1.2.2 Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Ensure that the security controls are in place while using m... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Ensure that the security controls are in place while using m... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Overview and Scope & Applicability... | 7.2_IS_End_User_Device_Standard.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Section 7: Configuration of remote access security.... | 7.2_IS_End_User_Device_Standard.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Only approved end-user devices may be attached to the LAN (p... | 7.2_IS_End_User_Device_Standard.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Protection and control of mobile devices... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Procedures for the network service usage to restrict access ... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | End-user Device Security Policy... | 3.0_IS_Information_Security_Policy_2.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | End-user Device Security Policy... | 3.0_IS_Information_Security_Policy_2.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | 1.2. Hardware, Software, Applications and Data - Inventory o... | 7.0_IS_Asset_Management_Policy.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | Configuration Management \| System Component Inventory... | 7.0_IS_Asset_Management_Policy.pdf
AC-19 | Access Control for Mobile Devices | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | 1.6 ENFORCEMENT/COMPLIANCE... | 2.1_IS_Acceptable_Use_Standard.pdf
AC-2 | Account Management | Yes | Aligned | 1.11 USER ID & PASSWORD SECURITY... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-2 | Account Management | Yes | Aligned | USER ID & PASSWORD SECURITY... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-2 | Account Management | Yes | Aligned | 1.11 USER ID & PASSWORD SECURITY... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-2 | Account Management | Yes | Aligned | User access policies and procedures should be established, a... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-2 | Account Management | Yes | Aligned | User access policies and procedures should be established... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-2 | Account Management | Yes | Aligned | Responsibilities of Data Custodians... | 6.0_IS_Data_Security_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | f) Access privileges of all users, especially those with the... | 6.0_IS_Data_Security_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | 1.4 NEW HIRE IDS & PASSWORDS... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | ID management responsibilities... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Application Security Administrators (Systems Administrators)... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | User Access Management... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Definition of User, Privileged User, User Account, Service A... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access is based on an employee/contractor’s role and should ... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | vi. Authorization process is developed and implemented to en... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Scope & Applicability... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access is based on an employee/contractor’s role and should ... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access is based on an employee/contractor’s role and should ... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access Control Policy... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access is based on an employee/contractor’s role and should ... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access is based on an employee/contractor’s role and should ... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access to Information Resources should be controlled through... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Scope & Applicability... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Segregate access control roles between access request, acces... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | vi. Authorization process is developed and implemented to en... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Scope & Applicability... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | v. Users are provided access only to those services that the... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access Control Policy... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | v. Users are provided access only to those services that the... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | The reference to account management activities of AC-2 using... | 7.2_IS_End_User_Device_Standard.pdf
AC-2 | Account Management | Yes | Aligned | Section v. Remote Management and the principle of least priv... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-2 | Account Management | Yes | Aligned | controls for applications and systems that contain, process,... | 3.0_IS_Information_Security_Policy_2.pdf
AC-2 | Account Management | Yes | Aligned | Access Control... | 3.0_IS_Information_Security_Policy_2.pdf
AC-2 | Account Management | Yes | Aligned | vi. Authorizing and periodically reviewing access entitlemen... | 7.0_IS_Asset_Management_Policy.pdf
AC-2 | Account Management | Yes | Aligned | ix. Defining and periodically reviewing access restrictions ... | 7.0_IS_Asset_Management_Policy.pdf
AC-2 | Account Management | Yes | Aligned | 1.2.2 Information Resources... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access rights to the Lazard networks and network services... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Access to Enterprise Servers... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-2 | Account Management | Yes | Aligned | Information Security Policies for Supplier Relationships... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-20 | Use of External Systems | Yes | Aligned | Lost Devices... | 2.1_IS_Acceptable_Use_Standard.pdf
AC-20 | Use of External Systems | Yes | Aligned | User Consent and Monitoring Policy... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-20 | Use of External Systems | Yes | Aligned | External entities using Lazard cloud services... | 19.0_IS_Cloud_Computing_Security_Policy.pdf
AC-20 | Use of External Systems | Yes | Aligned | Access Control \| Use of External Systems... | 6.0_IS_Data_Security_Policy_1.pdf
AC-20 | Use of External Systems | Yes | Aligned | 1.2.2 Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-20 | Use of External Systems | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-20 | Use of External Systems | Yes | Aligned | Adequate security for mobile devices... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-20 | Use of External Systems | Yes | Aligned | External System Access Principles... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-21 | Information Sharing | Yes | Aligned | Handling requirements for the following shall be developed a... | 6.1_IS_Data_Security_Standards.pdf
AC-21 | Information Sharing | Yes | Aligned | Disseminating information about employees or lists of Lazard... | 2.1_IS_Acceptable_Use_Standard.pdf
AC-21 | Information Sharing | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-21 | Information Sharing | Yes | Aligned | DOCUMENT CLASSIFICATION... | 19.0_IS_Cloud_Computing_Security_Policy.pdf
AC-21 | Information Sharing | Yes | Aligned | Data Privacy and Data Governance... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-21 | Information Sharing | Yes | Aligned | DOCUMENT CLASSIFICATION... | 26.0_IS_Vulnerability_Management_Policy.pdf
AC-21 | Information Sharing | Yes | Aligned | Confidential Data... | 6.0_IS_Data_Security_Policy_1.pdf
AC-21 | Information Sharing | Yes | Aligned | Access Control... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-21 | Information Sharing | Yes | Aligned | Access to nonpublic personal, restricted, confidential, or p... | 7.2_IS_End_User_Device_Standard.pdf
AC-21 | Information Sharing | Yes | Aligned | PURPOSE... | 20.0_IS_Risk_Management_Policy_2.pdf
AC-21 | Information Sharing | Yes | Aligned | Defining and periodically reviewing access restrictions and ... | 7.0_IS_Asset_Management_Policy.pdf
AC-21 | Information Sharing | Yes | Aligned | 1.2.1 Access Control... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-22 | Publicly Accessible Content | Yes | Aligned | Access Control Procedures... | 6.1_IS_Data_Security_Standards.pdf
AC-22 | Publicly Accessible Content | Yes | Aligned | Disseminating internal or confidential organization document... | 2.1_IS_Acceptable_Use_Standard.pdf
AC-22 | Publicly Accessible Content | Yes | Aligned | Making unprofessional comments about Lazard in public forums... | 2.1_IS_Acceptable_Use_Standard.pdf
AC-22 | Publicly Accessible Content | Yes | Aligned | Public Data and Internal Use Only Data... | 6.0_IS_Data_Security_Policy_1.pdf
AC-22 | Publicly Accessible Content | Yes | Aligned | DOCUMENT CLASSIFICATION... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-22 | Publicly Accessible Content | Yes | Aligned | 8.0 Access Control & Identity Management Policy... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-22 | Publicly Accessible Content | Yes | Aligned | PURPOSE... | 20.0_IS_Risk_Management_Policy_2.pdf
AC-22 | Publicly Accessible Content | Yes | Aligned | DOCUMENT CLASSIFICATION... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-23 | Data Mining Protection | No | Aligned | The protection of data against unintentional, unlawful, or u... | 3.0_IS_Information_Security_Policy_2.pdf
AC-24 | Access Control Decisions | No | Aligned | User Consent and Monitoring Policy... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-24 | Access Control Decisions | No | Aligned | User access policies and procedures should be established... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-24 | Access Control Decisions | No | Aligned | Access Control Policy... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-24 | Access Control Decisions | No | Aligned | Segregate access control roles between access request, acces... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-24 | Access Control Decisions | No | Aligned | Access Control Procedures... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-24 | Access Control Decisions | No | Aligned | Access Control... | 3.0_IS_Information_Security_Policy_2.pdf
AC-24 | Access Control Decisions | No | Aligned | vi. Authorizing and periodically reviewing access entitlemen... | 7.0_IS_Asset_Management_Policy.pdf
AC-24 | Access Control Decisions | No | Aligned | ix. Defining and periodically reviewing access restrictions ... | 7.0_IS_Asset_Management_Policy.pdf
AC-25 | Reference Monitor | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-25 | Reference Monitor | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-25 | Reference Monitor | Yes | Aligned | Overview and Scope & Applicability... | 7.2_IS_End_User_Device_Standard.pdf
AC-25 | Reference Monitor | Yes | Aligned | The protection of data against unintentional, unlawful, or u... | 3.0_IS_Information_Security_Policy_2.pdf
AC-25 | Reference Monitor | Yes | Aligned | vi. Authorizing and periodically reviewing access entitlemen... | 7.0_IS_Asset_Management_Policy.pdf
AC-25 | Reference Monitor | Yes | Aligned | ix. Defining and periodically reviewing access restrictions ... | 7.0_IS_Asset_Management_Policy.pdf
AC-25 | Reference Monitor | Yes | Aligned | Responsibilities for reviewing and authorizing access during... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control \| Information Flow Enforcement... | 6.1_IS_Data_Security_Standards.pdf
AC-3 | Access Enforcement | Yes | Aligned | 1.6 ENFORCEMENT/COMPLIANCE... | 2.1_IS_Acceptable_Use_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | User Consent and Monitoring Policy... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | 1.7 CLOUD SYSTEMS... | 19.0_IS_Cloud_Computing_Security_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control Policies... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | segregated and access restricted to prevent inappropriate di... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | User access policies and procedures... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | Endpoint Protection (Anti-Virus & Malware)... | 26.0_IS_Vulnerability_Management_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control Policy... | 6.0_IS_Data_Security_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Control: SC-3... | 6.0_IS_Data_Security_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control Policy... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Managers... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Applicability... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Managers... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Managers... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Section 1.6 - EXCEPTION... | 7.1_IS_Asset_Management_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Enforcement... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | vii. Controls such as file access limitation, time limit for... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | iv. Control over User access to information services is enfo... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Scope & Applicability... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | 1.2.2 Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control \| Policy & Procedures... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Identification & Authentication \| Authenticator Management... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control Policy... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Prevent unauthorized access to information systems, network ... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control \| Policy & Procedures... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access is based on an employee/contractor’s role and should ... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Prevent unauthorized access to information systems, network ... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | iv. Control over User access to information services is enfo... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access to Networks and Network Services... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | iv. Control over User access to information services is enfo... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control Policy... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | iv. Control over User access to information services is enfo... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control Policies and Device Management... | 7.2_IS_End_User_Device_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | Section 12 regarding Network Access Control (NAC)... | 7.2_IS_End_User_Device_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | Section 12 regarding Network Access Control technology.... | 7.2_IS_End_User_Device_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | Section 1.2.5 Wired Public Internet Connections... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control \| Use of External Systems... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control Policy... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | End-user Device Security Policy, Internet Security & Usage P... | 3.0_IS_Information_Security_Policy_2.pdf
AC-3 | Access Enforcement | Yes | Aligned | Section 1.8 - Exceptions to the policy... | 20.0_IS_Risk_Management_Policy_2.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Enforcement... | 7.0_IS_Asset_Management_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | ix. Defining and periodically reviewing access restrictions ... | 7.0_IS_Asset_Management_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | vi. Authorizing and periodically reviewing access entitlemen... | 7.0_IS_Asset_Management_Policy.pdf
AC-3 | Access Enforcement | Yes | Aligned | EXCEPTION... | 27.0_IS_Lazard_Reference_Timeout_Standard.pdf
AC-3 | Access Enforcement | Yes | Aligned | Requests for the granting of access to Lazard enterprise ser... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access rights to the Lazard enterprise servers should be rev... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access rights to the Lazard enterprise servers should be rev... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-3 | Access Enforcement | Yes | Aligned | Access Control \| Access Enforcement... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Confidential data is personal identifiable information (PII)... | 6.1_IS_Data_Security_Standards.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Access Control \| Information Flow Enforcement... | 6.1_IS_Data_Security_Standards.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Equipment Siting & Protection... | 6.1_IS_Data_Security_Standards.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Section 6-10 regarding dissemination of information and unau... | 2.1_IS_Acceptable_Use_Standard.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | AC-4... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | 6.0 Data Security Policy and 8.0 Access Control Policy... | 6.0_IS_Data_Security_Policy_1.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | 1.1 SCOPE & APPLICABILITY... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Access Control Management... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Access Control \| Use of External Systems... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | 1.2.1 General Network Security... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Network Infrastructure Management... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Access Control \| Use of External Systems... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Access Control \| Use of External Systems... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Access Control \| Use of External Systems... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | Access Control \| Use of External Systems... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | controls for applications and systems that contain, process,... | 3.0_IS_Information_Security_Policy_2.pdf
AC-4 | Information Flow Enforcement | Yes | Aligned | 1.2.1 Access Control... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Use of Privileged Utility Programs... | 6.1_IS_Data_Security_Standards.pdf
AC-5 | Separation of Duties | Yes | Aligned | USER ID & PASSWORD SECURITY... | 2.0_IS_Acceptable_Use_Policy.pdf
AC-5 | Separation of Duties | Yes | Aligned | 1.12 GOVERNANCE... | 19.0_IS_Cloud_Computing_Security_Policy.pdf
AC-5 | Separation of Duties | Yes | Aligned | User access policies and procedures should be established... | 19.1_IS_Cloud_Computing_Security_Standard.pdf
AC-5 | Separation of Duties | Yes | Aligned | Segregation of Duties... | 6.0_IS_Data_Security_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Segregation of Duties... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Managers... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Segregation of Duties... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Managers... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Managers... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Managers... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Segregation of Duties... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Access Control \| Account Management... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Access Control Policy... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Access Control \| Account Management... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Access Control \| Use of External Systems... | 23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-5 | Separation of Duties | Yes | Aligned | vi. Authorizing and periodically reviewing access entitlemen... | 7.0_IS_Asset_Management_Policy.pdf
AC-5 | Separation of Duties | Yes | Aligned | Responsibilities during a BC/DR event... | 16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | 1.3 SEGREGATION OF DUTIES... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-5 | Separation of Duties | Yes | Aligned | Segregation of Duties Principle... | 4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-6 | Least Privilege | No | Aligned | Access Control to Program Source Code... | 6.1_IS_Data_Security_Standards.pdf
AC-6 | Least Privilege | No | Aligned | Roles and Responsibilities for Cloud Security Program Govern... | 19.0_IS_Cloud_Computing_Security_Policy.pdf
AC-6 | Least Privilege | No | Aligned | Data Custodians responsibilities... | 6.0_IS_Data_Security_Policy_1.pdf
AC-6 | Least Privilege | No | Aligned | security responsibilities by employees under their supervisi... | 5.0_IS_Human_Resource_Security_Policy_1.pdf
AC-6 | Least Privilege | No | Aligned | Privileged (Application Administration) Account... | 8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-6
Least Privilege
Aligned Access Control | Policy & Procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-6
Least Privilege
Aligned Access Control Policy...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-6
Least Privilege
Aligned Privileged users should understand their roles and responsib...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-6
Least Privilege
Aligned Access Control | Account Management...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-6
Least Privilege
Aligned Privileged users should understand their roles and responsib...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-6
Least Privilege
Aligned Access to Networks and Network Services...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-6
Least Privilege
Aligned Section v. Remote Management and the principle of least priv...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-6
Least Privilege
Aligned Section v. Remote Management and subsection f) The principle...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-6
Least Privilege
Aligned vi. Authorizing and periodically reviewing access entitlemen...
7.0_IS_Asset_Management_Policy.pdf
AC-6
Least Privilege
Aligned Actions can be taken to safeguard individual authenticators,...
7.0_IS_Asset_Management_Policy.pdf
AC-6
Least Privilege
Aligned Access rights to the Lazard networks and network services...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-6
Least Privilege
Aligned 1.3 SEGREGATION OF DUTIES...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-6
Least Privilege
Aligned Access Control | Least Privilege...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-7
Unsuccessful Logon Attempts
Aligned Multi-Factor Authentication (MFA) is required to access the ...
2.1_IS_Acceptable_Use_Standard.pdf
AC-7
Unsuccessful Logon Attempts
Aligned Account Management...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AC-7
Unsuccessful Logon Attempts
Aligned End-user Device Security Policy...
3.0_IS_Information_Security_Policy_2.pdf
AC-7
Unsuccessful Logon Attempts
Aligned Use case #4...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
AC-8
System Use Notification
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
AC-8
System Use Notification
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
AC-8
System Use Notification
Aligned Upon use of Lazard’s Systems...
2.0_IS_Acceptable_Use_Policy.pdf
AC-8
System Use Notification
Aligned Roles & Responsibilities...
2.0_IS_Acceptable_Use_Policy.pdf
AC-8
System Use Notification
Aligned Rules of behavior for organizational and non-organizational ...
7.1_IS_Asset_Management_Standard.pdf
AC-8
System Use Notification
Aligned Section t) A login/warning banner should be displayed on all...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AC-8
System Use Notification
Aligned 1.2.2 Information Resources...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AC-9
Previous Logon Notification
Aligned t) A login/warning banner should be displayed on all system ...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AT-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
AT-1
Policy and Procedures
Key Control
Aligned Security Awareness Training Responsibilities...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AT-1
Policy and Procedures
Key Control
Aligned VII. Lazard adopts the NIST CSF and ISO 27001 standards as t...
3.0_IS_Information_Security_Policy_2.pdf
AT-1
Policy and Procedures
Key Control
Aligned Human Resource Security - Establishes controls to reduce the...
3.0_IS_Information_Security_Policy_2.pdf
AT-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY and 1.2 APPLICABILITY...
20.0_IS_Risk_Management_Policy_2.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned CLOUD SECURITY TRAINING & AWARENESS...
19.0_IS_Cloud_Computing_Security_Policy.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Security Awareness and Skills Training...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Security Awareness and Skills Training...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Security Awareness and Skills Training...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned 1.7 INFORMATION SECURITY EDUCATION & TRAINING...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Security Roles and Responsibilities...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Security Awareness Training responsibilities...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Security responsibilities by employees under their supervisi...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Access Control | Concurrent Session Control...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Information Security Awareness, Education & Training...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Security Awareness & Skills Training...
3.0_IS_Information_Security_Policy_2.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Awareness and Training...
7.0_IS_Asset_Management_Policy.pdf
AT-2
Literacy Training and Awareness
Key Control
Aligned Security Awareness & Skills Training...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Role-Based Training Requirements...
6.1_IS_Data_Security_Standards.pdf
AT-3
Role-based Training
Key Control
Aligned 1.12 GOVERNANCE...
19.0_IS_Cloud_Computing_Security_Policy.pdf
AT-3
Role-based Training
Key Control
Aligned Security Awareness and Skills Training...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AT-3
Role-based Training
Key Control
Aligned Role-Based Training...
6.0_IS_Data_Security_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Security Awareness Training Responsibilities...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Awareness & Training | Role-based Training...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Access Control | Concurrent Session Control...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Awareness & Training | Role-based Training...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Information Security Awareness, Education & Training...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AT-3
Role-based Training
Key Control
Aligned Information Security Awareness, Education & Training...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AT-3
Role-based Training
Key Control
Aligned Information Security Awareness, Education & Training...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AT-3
Role-based Training
Key Control
Aligned Information Security Awareness, Education and Training...
3.0_IS_Information_Security_Policy_2.pdf
AT-3
Role-based Training
Key Control
Aligned Awareness & Training | Role-based Training...
3.0_IS_Information_Security_Policy_2.pdf
AT-3
Role-based Training
Key Control
Aligned Awareness & Training | Role-based Training...
3.0_IS_Information_Security_Policy_2.pdf
AT-3
Role-based Training
Key Control
Aligned Awareness & Training | Role-based Training...
3.0_IS_Information_Security_Policy_2.pdf
AT-3
Role-based Training
Key Control
Aligned Awareness & Training | Role-based Training...
3.0_IS_Information_Security_Policy_2.pdf
AT-3
Role-based Training
Key Control
Aligned Awareness & Training | Role-based Training...
3.0_IS_Information_Security_Policy_2.pdf
AT-3
Role-based Training
Key Control
Aligned Personnel Security | Policy & Procedures...
7.0_IS_Asset_Management_Policy.pdf
AT-3
Role-based Training
Key Control
Aligned Role-Based Training Responsibilities...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Security Awareness & Skills Training...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Access Control | Policy & Procedures...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Security Awareness & Skills Training...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Security Awareness & Skills Training...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AT-3
Role-based Training
Key Control
Aligned Security Awareness & Skills Training...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AT-4
Training Records
Key Control
Aligned 1.9 ROLES & RESPONSIBILITIES...
6.0_IS_Data_Security_Policy_1.pdf
AT-6
Training Feedback
Aligned Security Awareness & Skills Training...
3.0_IS_Information_Security_Policy_2.pdf
AU-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
AU-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.1_IS_Acceptable_Use_Standard.pdf
AU-1
Policy and Procedures
Key Control
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
AU-1
Policy and Procedures
Key Control
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
AU-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
AU-1
Policy and Procedures
Key Control
Aligned The Information Security Team should oversee the Cloud Secur...
19.0_IS_Cloud_Computing_Security_Policy.pdf
AU-1
Policy and Procedures
Key Control
Aligned Audit and accountability policy and procedures...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-1
Policy and Procedures
Key Control
Aligned Policy statement requiring the exception....
6.0_IS_Data_Security_Policy_1.pdf
AU-1
Policy and Procedures
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AU-1
Policy and Procedures
Key Control
Aligned Policy exception process...
7.1_IS_Asset_Management_Standard.pdf
AU-1
Policy and Procedures
Key Control
Aligned Audit and accountability policy and procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AU-1
Policy and Procedures
Key Control
Aligned Section 1.5 - Exceptions to the policy...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AU-1
Policy and Procedures
Key Control
Aligned Review of any impacting legal changes to ensure Lazard compl...
3.0_IS_Information_Security_Policy_2.pdf
AU-1
Policy and Procedures
Key Control
Aligned Audit and Accountability Policy and Procedures...
20.0_IS_Risk_Management_Policy_2.pdf
AU-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.0_IS_Asset_Management_Policy.pdf
AU-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
AU-1
Policy and Procedures
Key Control
Aligned Audit and accountability policy and procedures...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
AU-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AU-1
Policy and Procedures
Key Control
Aligned Responsibilities for information security risk management ac...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AU-10
Non-repudiation
Aligned Individual who has approved management responsibility for an...
6.0_IS_Data_Security_Policy_1.pdf
AU-11
Audit Record Retention
Key Control
Aligned Section b to h regarding log files and their management....
26.0_IS_Vulnerability_Management_Policy.pdf
AU-11
Audit Record Retention
Key Control
Aligned Data retention policies are driven by legal and regulatory r...
6.0_IS_Data_Security_Policy_1.pdf
AU-12
Audit Record Generation
Aligned Secure data disposal should follow the Data Security Policy ...
19.0_IS_Cloud_Computing_Security_Policy.pdf
AU-12
Audit Record Generation
Aligned Audit & Accountability | Audit Record Generation...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned 6. Disseminating information about employees or lists of Laz...
2.1_IS_Acceptable_Use_Standard.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned DOCUMENT CLASSIFICATION...
19.0_IS_Cloud_Computing_Security_Policy.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned d. Automated vulnerability scans should be used to scan all ...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned Restricted Data...
6.0_IS_Data_Security_Policy_1.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned A.14.1.3 Protecting Application Services Transactions...
6.0_IS_Data_Security_Policy_1.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned DOCUMENT CLASSIFICATION...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned DOCUMENT CLASSIFICATION...
7.2_IS_End_User_Device_Standard.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned 1.2.1 General Network Security...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned The practice of protecting information and information syste...
3.0_IS_Information_Security_Policy_2.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned DOCUMENT CLASSIFICATION...
3.0_IS_Information_Security_Policy_2.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned DOCUMENT CLASSIFICATION...
20.0_IS_Risk_Management_Policy_2.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned 1.2.2 Asset Disposal & Re-Use...
7.0_IS_Asset_Management_Policy.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned DOCUMENT CLASSIFICATION...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
AU-13
Monitoring for Information Disclosure
Key Control
Aligned DOCUMENT CLASSIFICATION...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
AU-14
Session Audit
Key Control
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
AU-14
Session Audit
Key Control
Aligned User Consent and Monitoring Policy...
2.0_IS_Acceptable_Use_Policy.pdf
AU-14
Session Audit
Key Control
Aligned User Consent and Monitoring Policy...
2.0_IS_Acceptable_Use_Policy.pdf
AU-14
Session Audit
Key Control
Aligned f) Appropriate logging and monitoring should be applied to e...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AU-16
Cross-organizational Audit Logging
Key Control
Aligned User Consent and Monitoring Policy...
2.0_IS_Acceptable_Use_Policy.pdf
AU-16
Cross-organizational Audit Logging
Key Control
Aligned Event Logging and Log Management...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-16
Cross-organizational Audit Logging
Key Control
Aligned 1.7 PROTECTION OF LOG INFORMATION...
6.0_IS_Data_Security_Policy_1.pdf
AU-16
Cross-organizational Audit Logging
Key Control
Aligned f) Appropriate logging and monitoring should be applied to e...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AU-16
Cross-organizational Audit Logging
Key Control
Aligned i) Network services provided by third parties are assumed to...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AU-2
Event Logging
Key Control
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
AU-2
Event Logging
Key Control
Aligned Upon use of Lazard’s Systems, be it directly or indirectly, ...
2.0_IS_Acceptable_Use_Policy.pdf
AU-2
Event Logging
Key Control
Aligned Lazard reserves the right to audit networks and systems on a...
2.0_IS_Acceptable_Use_Policy.pdf
AU-2
Event Logging
Key Control
Aligned Event Logging and Review Procedures...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-2
Event Logging
Key Control
Aligned 1.7 PROTECTION OF LOG INFORMATION...
6.0_IS_Data_Security_Policy_1.pdf
AU-2
Event Logging
Key Control
Aligned f) Appropriate logging and monitoring should be applied to e...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AU-2
Event Logging
Key Control
Aligned Incident Verification...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
AU-3
Content of Audit Records
Key Control
Aligned Audit & Accountability | Content of Audit Records...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AU-3
Content of Audit Records
Key Control
Aligned Event logs should be produced based on the Lazard Logging St...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-3
Content of Audit Records
Key Control
Aligned Lazard should use file integrity monitoring or change detect...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-3
Content of Audit Records
Key Control
Aligned Log files should be protected from tampering or unauthorized...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-3
Content of Audit Records
Key Control
Aligned All servers and network equipment should retrieve time infor...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-3
Content of Audit Records
Key Control
Aligned All log files should be maintained for at least 6 months....
26.0_IS_Vulnerability_Management_Policy.pdf
AU-3
Content of Audit Records
Key Control
Aligned 1.7 PROTECTION OF LOG INFORMATION...
6.0_IS_Data_Security_Policy_1.pdf
AU-3
Content of Audit Records
Key Control
Aligned ii. Shareholders personal information such as Social Securit...
6.0_IS_Data_Security_Policy_1.pdf
AU-3
Content of Audit Records
Key Control
Aligned iv. Internal and external audit reports....
6.0_IS_Data_Security_Policy_1.pdf
AU-3
Content of Audit Records
Key Control
Aligned vi. Reports produced by Information Security Data (e.g., vul...
6.0_IS_Data_Security_Policy_1.pdf
AU-3
Content of Audit Records
Key Control
Aligned viii. All personal data that is not required solely for iden...
6.0_IS_Data_Security_Policy_1.pdf
AU-3
Content of Audit Records
Key Control
Aligned Evidence Gathering and Documentation...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
AU-4
Audit Log Storage Capacity
Key Control
Aligned Audit & Accountability | Policy & Procedures...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AU-4
Audit Log Storage Capacity
Key Control
Aligned Audit & Accountability | Audit Record Generation...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AU-4
Audit Log Storage Capacity
Key Control
Aligned b. Event logs should be produced based on the Lazard Logging...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-4
Audit Log Storage Capacity
Key Control
Aligned h. All log files should be maintained for at least 6 months....
26.0_IS_Vulnerability_Management_Policy.pdf
AU-4
Audit Log Storage Capacity
Key Control
Aligned 1.7 PROTECTION OF LOG INFORMATION...
6.0_IS_Data_Security_Policy_1.pdf
AU-5
Response to Audit Logging Process Failures
Key Control
Aligned Audit & Accountability | Event Logging...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AU-5
Response to Audit Logging Process Failures
Key Control
Aligned Event logs and log file management procedures...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-5
Response to Audit Logging Process Failures
Key Control
Aligned 1.7 PROTECTION OF LOG INFORMATION...
6.0_IS_Data_Security_Policy_1.pdf
AU-5
Response to Audit Logging Process Failures
Key Control
Aligned f) Appropriate logging and monitoring should be applied to e...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned User Consent and Monitoring Policy...
2.0_IS_Acceptable_Use_Policy.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned b. Event logs should be produced based on the Lazard Logging...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned 1.7 PROTECTION OF LOG INFORMATION...
6.0_IS_Data_Security_Policy_1.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned Role Responsibility...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned Voice Communications Equipment protection and Maintenance...
7.2_IS_End_User_Device_Standard.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned f) Appropriate logging and monitoring should be applied to e...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned IV. Lazard′s Information Security Policies should be periodi...
3.0_IS_Information_Security_Policy_2.pdf
AU-6
Audit Record Review, Analysis, and Reporting
Key Control
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
AU-7
Audit Record Reduction and Report Generation
Key Control
Aligned Audit & Accountability | Audit Record Reduction & Report Gen...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AU-7
Audit Record Reduction and Report Generation
Key Control
Aligned Event logs production and log file reviews...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-8
Time Stamps
Gap Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated...
AU-9
Protection of Audit Information
Key Control
Aligned Audit & Accountability | Policy & Procedures, Event Logging,...
19.1_IS_Cloud_Computing_Security_Standard.pdf
AU-9
Protection of Audit Information
Key Control
Aligned 1.2.4 Logging & Alerting...
26.0_IS_Vulnerability_Management_Policy.pdf
AU-9
Protection of Audit Information
Key Control
Aligned 1.7 PROTECTION OF LOG INFORMATION...
6.0_IS_Data_Security_Policy_1.pdf
AU-9
Protection of Audit Information
Key Control
Aligned f) Appropriate logging and monitoring should be applied to e...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
CA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
CA-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.1_IS_Acceptable_Use_Standard.pdf
CA-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
CA-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
CA-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
CA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
CA-1
Policy and Procedures
Key Control
Aligned Lazard′s Information Security Policies should be periodicall...
3.0_IS_Information_Security_Policy_2.pdf
CA-1
Policy and Procedures
Key Control
Aligned Roles & Responsibilities...
20.0_IS_Risk_Management_Policy_2.pdf
CA-1
Policy and Procedures
Key Control
Aligned Divisions & Functions Policy Implementation...
7.0_IS_Asset_Management_Policy.pdf
CA-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
CA-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
CA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
CA-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
CA-2
Control Assessments
Key Control
Aligned Assessment, Authorization & Monitoring | Control Assessments...
19.1_IS_Cloud_Computing_Security_Standard.pdf
CA-2
Control Assessments
Key Control
Aligned c. Inventories of all hardware and software installed on the...
26.0_IS_Vulnerability_Management_Policy.pdf
CA-2
Control Assessments
Key Control
Aligned d. Automated vulnerability scans should be used to scan all ...
26.0_IS_Vulnerability_Management_Policy.pdf
CA-2
Control Assessments
Key Control
Aligned f. All vulnerabilities and their remediation progress should...
26.0_IS_Vulnerability_Management_Policy.pdf
CA-2
Control Assessments
Key Control
Aligned Assessment, Authorization & Monitoring...
6.0_IS_Data_Security_Policy_1.pdf
CA-2
Control Assessments
Key Control
Aligned Configuration Management | Policies & Procedures...
3.0_IS_Information_Security_Policy_2.pdf
CA-3
Information Exchange
Key Control
Aligned 1.7 CLOUD SYSTEMS...
19.0_IS_Cloud_Computing_Security_Policy.pdf
CA-3
Information Exchange
Key Control
Aligned 16.0 Information Security Aspects of Business Continuity Man...
6.0_IS_Data_Security_Policy_1.pdf
CA-3
Information Exchange
Key Control
Aligned Control References and Policies related to Data Security and...
6.0_IS_Data_Security_Policy_1.pdf
CA-3
Information Exchange
Key Control
Aligned i. Appropriate interfaces are created to segregate Lazard’s ...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
CA-3
Information Exchange
Key Control
Aligned Security mechanisms, service levels and management requireme...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
CA-3
Information Exchange
Key Control
Aligned Control: CA-3: System information exchange requirements appl...
7.0_IS_Asset_Management_Policy.pdf
CA-3
Information Exchange
Key Control
Aligned System information exchange requirements...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
CA-5
Plan of Action and Milestones
Aligned Assessment, Authorization & Monitoring | Plan of Action & Mi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
CA-5
Plan of Action and Milestones
Aligned Risk Mitigator/Responder...
20.0_IS_Risk_Management_Policy_2.pdf
CA-5
Plan of Action and Milestones
Aligned Incident Response Recovery and Post Incident Activity...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
CA-5
Plan of Action and Milestones
Aligned Conflicting duties and areas of responsibility should be seg...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
CA-6
Authorization
Key Control
Aligned Baseline security requirements should be established for dev...
19.1_IS_Cloud_Computing_Security_Standard.pdf
CA-6
Authorization
Key Control
Aligned Scope & Applicability...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
CA-6
Authorization
Key Control
Aligned 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY...
3.0_IS_Information_Security_Policy_2.pdf
CA-6
Authorization
Key Control
Aligned vi. Authorizing and periodically reviewing access entitlemen...
7.0_IS_Asset_Management_Policy.pdf
CA-6
Authorization
Key Control
Aligned Detailed explanation of why the exception is necessary....
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
CA-6
Authorization
Key Control
Aligned Responsibilities for reviewing and authorizing access during...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
CA-6
Authorization
Key Control
Aligned Authorization levels should be defined and documented....
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
CA-7
Continuous Monitoring
Key Control
Aligned Access Control | Information Flow Enforcement, Access Contro...
6.1_IS_Data_Security_Standards.pdf
CA-7
Continuous Monitoring
Key Control
Aligned Access Control | Information Flow Enforcement, Access Contro...
6.1_IS_Data_Security_Standards.pdf
CA-7 Continuous Monitoring (Key Control)
- Aligned: 1.2 SYSTEM USE NOTIFICATION... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: Assessment, Authorization & Monitoring | Continuous Monitori... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: c. Inventories of all hardware and software installed on the... (26.0_IS_Vulnerability_Management_Policy.pdf)
- Aligned: Managers... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: 1.2.1 General Network Security... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: 1.2.1 General Network Security... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Configuration Management | Policies & Procedures... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Maintaining processes to track cybersecurity related risk ac... (20.0_IS_Risk_Management_Policy_2.pdf)
- Aligned: Responsible for conducting technology and cyber risk assessm... (20.0_IS_Risk_Management_Policy_2.pdf)

CA-8 Penetration Testing
- Aligned: Assessment, Authorization & Monitoring | Penetration Testing... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: 1.2.6 Penetration Testing... (26.0_IS_Vulnerability_Management_Policy.pdf)
- Aligned: Control: CA-8... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Configuration Management | Policies & Procedures... (3.0_IS_Information_Security_Policy_2.pdf)

CA-9 Internal System Connections (Key Control)
- Aligned: This policy is applicable to all Lazard employees, contracto... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: Overview... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: controls for applications and systems that contain, process,... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: 1.2. Hardware, Software, Applications and Data - Inventory o... (7.0_IS_Asset_Management_Policy.pdf)

CM-1 Policy and Procedures
- Aligned: Exceptions to the policy should be approved by InfoSec in ad... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: 1.5 EXCEPTION... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: 1.1 SCOPE & APPLICABILITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: 1.1 SCOPE & APPLICABILITY... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: Configuration Management Policy and Procedures... (26.0_IS_Vulnerability_Management_Policy.pdf)
- Aligned: Chunk: 1.12 EXCEPTION... (6.0_IS_Data_Security_Policy_1.pdf)
- Aligned: Configuration Management Policy and Procedures... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Policy Exception Process... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: Configuration Management Policy and Procedures... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)
- Aligned: Chunk: 1.5... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Information Security Incident Management and Information Sec... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: As part of the control selection processes, organizations de... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: 1.1 SCOPE & APPLICABILITY... (20.0_IS_Risk_Management_Policy_2.pdf)
- Aligned: Divisions & Functions are free to define and implement stron... (7.0_IS_Asset_Management_Policy.pdf)
- Aligned: EXCEPTION... (27.0_IS_Lazard_Reference_Timeout_Standard.pdf)
- Aligned: Exceptions to the policy should be approved by InfoSec in ad... (16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf)
- Aligned: Configuration Management Policy and Procedures... (4.0_IS_Organization_of_Information_Security_Policy_1.pdf)

CM-10 Software Usage Restrictions (Key Control)
- Aligned: Configuration Management | Configuration Change Control... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: 1.2. Hardware, Software, Applications and Data - Inventory o... (7.0_IS_Asset_Management_Policy.pdf)

CM-11 User-installed Software (Key Control)
- Aligned: Software/Applications... (7.0_IS_Asset_Management_Policy.pdf)

CM-12 Information Location (Key Control)
- Aligned: Highly confidential business or personal information.... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: 1.1 SCOPE & APPLICABILITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: Scope and Applicability... (6.0_IS_Data_Security_Policy_1.pdf)
- Aligned: Information Location... (7.0_IS_Asset_Management_Policy.pdf)
- Aligned: 1.2.2 Information Resources... (16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf)

CM-13 Data Action Mapping (Key Control)
- Aligned: Handling requirements for the following shall be developed a... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: User Data Management and Monitoring... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: Data destruction procedures and handling of data throughout ... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: Data Governance and Data Privacy... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Applicability... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: 1.2.1 General Network Security... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Data Security... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Configuration Management | Configuration Management Plan... (3.0_IS_Information_Security_Policy_2.pdf)

CM-14 Signed Components
- Aligned: Discussion on digital certificates and their role in verifyi... (6.0_IS_Data_Security_Policy_1.pdf)
- Aligned: Software/Applications... (7.0_IS_Asset_Management_Policy.pdf)

CM-2 Baseline Configuration
- Aligned: Baseline security control requirements should be established... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: Change management and Installation of software on operationa... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Change management... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Endpoint Security Device Management... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: Configuration Management | Baseline Configuration... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Exceptions to replacing unsupported system components includ... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Baseline configurations for systems and system components... (7.0_IS_Asset_Management_Policy.pdf)

CM-3 Configuration Change Control (Key Control)
- Aligned: Baseline security control requirements should be established... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: System change control procedures... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Change management... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Technical review of applications after operating platform ch... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Secure Configuration of Enterprise Assets and Software... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Configuration Management Processes... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: p) Telephone lines that could enable remote access into the ... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: q) Only firewalls approved by Information Security will be u... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: r) Network devices (Routers, switches, WIFI access points, e... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Configuration Management | Configuration Change Control... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: In such cases, the control can be treated as a hybrid contro... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Configuration Change Control... (7.0_IS_Asset_Management_Policy.pdf)

CM-4 Impact Analyses (Key Control)
- Aligned: Impact Analyses... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Secure Configuration of Enterprise Assets and Software... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Testing Decisions for Flaw Remediation... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Section 1.2.5 (a)... (26.0_IS_Vulnerability_Management_Policy.pdf)
- Aligned: Managers... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Review of any impacting legal changes to ensure Lazard compl... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Configuration control throughout the system development life... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Definition... (20.0_IS_Risk_Management_Policy_2.pdf)
- Aligned: Impact assessment(s) related to the incident.... (15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf)
- Aligned: Job Description (JD) and Management Responsibilities... (4.0_IS_Organization_of_Information_Security_Policy_1.pdf)

CM-5 Access Restrictions for Change (Key Control)
- Aligned: Changes to cloud security systems and procedures... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: segregated and access restricted to prevent inappropriate di... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Restrictions on software installation... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: System administrators responsibilities regarding application... (26.0_IS_Vulnerability_Management_Policy.pdf)
- Aligned: Applicability... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Section 10 and 11 regarding approved end-user devices and un... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: Access Control Policy... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Access rights to the Lazard enterprise servers should be rev... (16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf)

CM-6 Configuration Settings
- Aligned: Baseline security control requirements... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: Restrictions on software installation... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: service-level expectations, and operational continuity requi... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Section 4: Configuration of security measures and software.... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: Security mechanisms, service levels and management requireme... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: End-user Device Security Policy, Internet Security & Usage P... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Configuration Management | System Component Inventory... (7.0_IS_Asset_Management_Policy.pdf)

CM-7 Least Functionality
- Aligned: c. Inventories of all hardware and software installed on the... (26.0_IS_Vulnerability_Management_Policy.pdf)
- Aligned: d. Automated vulnerability scans should be used to scan all ... (26.0_IS_Vulnerability_Management_Policy.pdf)
- Aligned: Data Protection... (6.0_IS_Data_Security_Policy_1.pdf)
- Aligned: Section 4: All PCs and laptops should be equipped with up-to... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: Access Control | Use of External Systems... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Network and Firewall Security Policy... (3.0_IS_Information_Security_Policy_2.pdf)

CM-8 System Component Inventory (Key Control)
- Aligned: Access Control | Information Flow Enforcement... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: 1.2 GENERAL USER RESPONSIBILITIES... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: Inventory and Control of Enterprise Assets... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: NIST SP 800-53 Rev 5... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Inventories of all hardware and software installed on the co... (26.0_IS_Vulnerability_Management_Policy.pdf)
- Aligned: IT Asset Procurement... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: Section 2: All Firm workstations and laptops should be inven... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: System Component Inventory... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Security categorization processes facilitate the development... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: 1.2. Hardware, Software, Applications and Data - Inventory o... (7.0_IS_Asset_Management_Policy.pdf)
- Aligned: Inventory & Control of Enterprise Assets... (7.0_IS_Asset_Management_Policy.pdf)

CM-9 Configuration Management Plan (Key Control)
- Aligned: Configuration Management Plan... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Configuration Management | Policies & Procedures... (3.0_IS_Information_Security_Policy_2.pdf)

CP-1 Policy and Procedures (Key Control)
- Aligned: Exceptions to the policy should be approved by InfoSec in ad... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: Policy statement requiring the exception.... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: 1.1 SCOPE & APPLICABILITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: Contingency Planning | Policy & Procedures... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Contingency Planning Policy and Procedures... (6.0_IS_Data_Security_Policy_1.pdf)
- Aligned: Policy Exception Process... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: Contingency Planning Policy and Procedures... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)
- Aligned: Policy Exceptions Process... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: Contingency Planning Policy and Procedures... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Contingency Planning Policy and Procedures... (7.0_IS_Asset_Management_Policy.pdf)
- Aligned: EXCEPTION... (27.0_IS_Lazard_Reference_Timeout_Standard.pdf)
- Aligned: Containment Phase of Incident Response... (15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf)
- Aligned: Contingency Planning Policy and Procedures... (4.0_IS_Organization_of_Information_Security_Policy_1.pdf)

CP-10 System Recovery and Reconstitution
- Aligned: Section 7: All applications and systems utilizing a Cloud Se... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: Data Recovery... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Recovery... (15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf)
- Aligned: Glossary - Business continuity and disaster recovery (BCDR o... (16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf)

CP-11 Alternate Communications Protocols
- Aligned: Contingency Planning | Contingency Plan... (19.1_IS_Cloud_Computing_Security_Standard.pdf)

CP-12 Safe Mode (Key Control)
- Gap: For systems that support critical mission and business functions—including military operations... (Critical Gap - Key Control Missing)

CP-13 Alternative Security Mechanisms (Key Control)
- Aligned: 8.0 Access Control Policy... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: Managers... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Maintain business continuity to counteract interruptions to ... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Use case #4... (27.0_IS_Lazard_Reference_Timeout_Standard.pdf)

CP-2 Contingency Plan (Key Control)
- Aligned: Data Recovery... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Contingency Planning... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Contingency Planning | Contingency Plan... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Contingency Planning | Contingency Plan... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Managers... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Managers... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Managers... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Managers... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Information Security Aspects of Business Continuity Manageme... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Section (f) regarding maintaining business continuity and pr... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Contingency Planning for Systems... (15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf)
- Aligned: Contingency planning for systems... (16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf)
- Aligned: NIST SP 800-53 Rev 5... (4.0_IS_Organization_of_Information_Security_Policy_1.pdf)

CP-3 Contingency Training (Key Control)
- Aligned: Contingency Planning | Policy & Procedures... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Contingency Training... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Preparation... (15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf)
- Aligned: Responsibilities during a BC/DR event, test, or execution.... (16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf)
- Aligned: Control: CP-3... (4.0_IS_Organization_of_Information_Security_Policy_1.pdf)

CP-4 Contingency Plan Testing
- Aligned: Contingency Planning | Policy & Procedures... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Contingency Plan Testing... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: Preparation... (15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf)

CP-6 Alternate Storage Site (Key Control)
- Aligned: Section 7: All applications and systems utilizing a Cloud Se... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: service-level expectations, and operational continuity requi... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Business continuity plans should include provisions for veri... (6.0_IS_Data_Security_Policy_1.pdf)

CP-7 Alternate Processing Site (Key Control)
- Aligned: Section 7: All applications and systems utilizing a Cloud Se... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: Managers... (5.0_IS_Human_Resource_Security_Policy_1.pdf)

CP-8 Telecommunications Services (Key Control)
- Aligned: Contingency Planning | Telecommunications Services... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Security mechanisms, service levels and management requireme... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Section d) and e)... (4.0_IS_Organization_of_Information_Security_Policy_1.pdf)

CP-9 System Backup (Key Control)
- Aligned: Highly confidential business or personal information.... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: 1.1 SCOPE & APPLICABILITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: Exit Strategy for Data Management... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: 1.3 DATA OWNER RESPONSIBILITIES... (6.0_IS_Data_Security_Policy_1.pdf)

IA-1 Policy and Procedures (Key Control)
- Aligned: Exceptions to the policy should be approved by InfoSec in ad... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: 1.5 EXCEPTION... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: 1.1 SCOPE & APPLICABILITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: User registration and de-registration, Management of secret ... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Identification and Authentication | Identification and Authe... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: User registration and de-registration, Management of secret ... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Identification and Authentication Policy and Procedures... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)
- Aligned: Identification and authentication policy and procedures... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Identification and authentication policy and procedures... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: 1.1 SCOPE & APPLICABILITY... (4.0_IS_Organization_of_Information_Security_Policy_1.pdf)

IA-10 Adaptive Authentication
- Aligned: Multi-Factor Authentication (MFA) is required to access the ... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: 1.11 USER ID & PASSWORD SECURITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: f) The use of multifactor authentication should be enforced.... (6.0_IS_Data_Security_Policy_1.pdf)
- Aligned: Account Management, Access Control Management, Audit Log Man... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)

IA-11 Re-authentication (Key Control)
- Aligned: 1.11 USER ID & PASSWORD SECURITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: 1.2 Endpoint Security Device Management... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: 1.1.4 Smartphones, Mobile, and Other Wireless Devices... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: Use case #4... (27.0_IS_Lazard_Reference_Timeout_Standard.pdf)

IA-12 Identity Proofing (Key Control)
- Aligned: 1.4 NEW HIRE IDS & PASSWORDS... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Account Management, User Registration & De-Registration... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)

IA-2 Identification and Authentication (Organizational Users) (Key Control)
- Aligned: Authentication Mechanism... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: Multi-Factor Authentication (MFA) is required to access the ... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: Multi-Factor Authentication (MFA) is required to access the ... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: 1.11 USER ID & PASSWORD SECURITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: The Information Security Team should enforce compliance with... (19.0_IS_Cloud_Computing_Security_Policy.pdf)
- Aligned: User registration and de-registration, Management of secret ... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Identification and Authentication | Identification and Authe... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Identification and Authentication | Identification and Authe... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: User registration and de-registration, Management of secret ... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: User registration and de-registration, Management of secret ... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: 1.4 NEW HIRE IDS & PASSWORDS... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Endpoint Security Device Management... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: Endpoint Security Device Management... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: iii. Appropriate authentication mechanisms are applied for U... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)
- Aligned: Identification and authentication requirements for non-organ... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: Identification and authentication requirements... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: h) A current network architecture must be maintained that in... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Identification and Authentication Requirements... (7.0_IS_Asset_Management_Policy.pdf)
- Aligned: INFORMATION SECURITY GOALS... (27.0_IS_Lazard_Reference_Timeout_Standard.pdf)
- Aligned: Access rights to the Lazard networks and network services... (16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf)

IA-3 Device Identification and Authentication (Key Control)
- Aligned: V. Bring Your Own Device... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: Identification and Authentication | Device Identification an... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Identification and Authentication | Device Identification an... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Device Identification and Authentication... (6.0_IS_Data_Security_Policy_1.pdf)
- Aligned: Endpoint Security Device Management... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: Identification & Authentication | Device Identification & Au... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)
- Aligned: Section 10 and 12... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: Section discussing approved devices and restrictions on pers... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: End-user Device Security Policy... (3.0_IS_Information_Security_Policy_2.pdf)
- Aligned: A.13.1.1 Network Controls... (7.0_IS_Asset_Management_Policy.pdf)

IA-4 Identifier Management (Key Control)
- Aligned: 1.11 USER ID & PASSWORD SECURITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: 1.4 NEW HIRE IDS & PASSWORDS... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Privileged User Accounts and Application Administration Acco... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)
- Aligned: Section 10 and 11 regarding approved end-user devices and ne... (7.2_IS_End_User_Device_Standard.pdf)

IA-5 Authenticator Management (Key Control)
- Aligned: Authentication Mechanism such as credentials, Access Keys/To... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: Password Management and Multi-Factor Authentication... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: 1.11 USER ID & PASSWORD SECURITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: User registration and de-registration, Management of secret ... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: User registration and de-registration, Management of secret ... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: Management of secret authentication information of users, Pa... (19.1_IS_Cloud_Computing_Security_Standard.pdf)
- Aligned: 1.4 NEW HIRE IDS & PASSWORDS... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Endpoint Security Device Management... (7.1_IS_Asset_Management_Standard.pdf)
- Aligned: Identification & Authentication | Authenticator Management... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)
- Aligned: Section 4: Password and Authentication Management... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: Section 7: Remote Access Configuration... (7.2_IS_End_User_Device_Standard.pdf)
- Aligned: i. Routers and other network devices will be accessed by mea... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: iii. Passwords should be changed at a minimum of every 90 da... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Authenticator management includes issuing and revoking authe... (7.0_IS_Asset_Management_Policy.pdf)
- Aligned: Access Control | Policy & Procedures... (4.0_IS_Organization_of_Information_Security_Policy_1.pdf)

IA-6 Authentication Feedback
- Gap: Authentication feedback from systems does not provide information that would allow unauthorized indi...

IA-7 Cryptographic Module Authentication (Key Control)
- Aligned: Authentication Mechanism... (6.1_IS_Data_Security_Standards.pdf)
- Aligned: Multi-Factor Authentication (MFA) is required to access the ... (2.1_IS_Acceptable_Use_Standard.pdf)
- Aligned: USER ID & PASSWORD SECURITY... (2.0_IS_Acceptable_Use_Policy.pdf)
- Aligned: Individual who has approved management responsibility for an... (6.0_IS_Data_Security_Policy_1.pdf)
- Aligned: 1.4 NEW HIRE IDS & PASSWORDS... (5.0_IS_Human_Resource_Security_Policy_1.pdf)
- Aligned: Identification & Authentication | Cryptographic Module Authe... (8.0_IS_Access_Control_Identity_Management_Policy_1.pdf)
- Aligned: b) Lazard employees should authenticate using their Network ... (23.0_IS_Network_and_Firewall_Security_Policy.pdf)
- Aligned: Responsibilities for reviewing and authorizing access... (16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf)

IA-8 Identification and Authentication (Non-organizational Users) (Key Control)
- Aligned: Authentication Mechanism... (6.1_IS_Data_Security_Standards.pdf)
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Identification and authentication requirements for non-organ...
2.1_IS_Acceptable_Use_Standard.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Multi-Factor Authentication (MFA) is required to access the ...
2.1_IS_Acceptable_Use_Standard.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned 1.11 USER ID & PASSWORD SECURITY...
2.0_IS_Acceptable_Use_Policy.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Identification and Authentication | Identification and Authe...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Identification and Authentication | Authenticator Management...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned User registration and de-registration, Management of secret ...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned 1.4 NEW HIRE IDS & PASSWORDS...
5.0_IS_Human_Resource_Security_Policy_1.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned 1.4 NEW HIRE IDS & PASSWORDS...
5.0_IS_Human_Resource_Security_Policy_1.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Account Management, Access Control Management...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Section j) Where feasible, an authorized user’s password(s) ...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Identification and Authentication Requirements for Non-Organ...
7.0_IS_Asset_Management_Policy.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Identification and authentication of non-organizational user...
7.0_IS_Asset_Management_Policy.pdf
IA-8
Identification and Authentication (Non-organizational Users)
Key Control
Aligned Access rights to the Lazard networks and network services...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
IA-9
Service Identification and Authentication
Key Control
Aligned Authentication Mechanism...
6.1_IS_Data_Security_Standards.pdf
IA-9
Service Identification and Authentication
Key Control
Aligned 1.4 NEW HIRE IDS & PASSWORDS...
5.0_IS_Human_Resource_Security_Policy_1.pdf
IA-9
Service Identification and Authentication
Key Control
Aligned Security features of network services include, but are not l...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
IR-1
Policy and Procedures
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
IR-1
Policy and Procedures
Aligned Policy statement requiring the exception....
2.1_IS_Acceptable_Use_Standard.pdf
IR-1
Policy and Procedures
Aligned Policy statement requiring the exception....
2.0_IS_Acceptable_Use_Policy.pdf
IR-1
Policy and Procedures
Aligned Incident Response Policy and Procedures...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-1
Policy and Procedures
Aligned Policy statement requiring the exception....
6.0_IS_Data_Security_Policy_1.pdf
IR-1
Policy and Procedures
Aligned Policy Exceptions Process...
7.1_IS_Asset_Management_Standard.pdf
IR-1
Policy and Procedures
Aligned Section 1.5 - Exceptions to the policy...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned Information Security Incident Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-1
Policy and Procedures
Aligned CSIRP Scope...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
IR-2
Incident Response Training
Aligned CLOUD SECURITY TRAINING & AWARENESS...
19.0_IS_Cloud_Computing_Security_Policy.pdf
IR-2
Incident Response Training
Aligned Incident Response Training...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-2
Incident Response Training
Aligned Incident Response | Incident Response Training...
5.0_IS_Human_Resource_Security_Policy_1.pdf
IR-2
Incident Response Training
Aligned Incident Response | Incident Response Training...
5.0_IS_Human_Resource_Security_Policy_1.pdf
IR-2
Incident Response Training
Aligned Incident Response Management...
3.0_IS_Information_Security_Policy_2.pdf
IR-2
Incident Response Training
Aligned Incident Response Recovery and Post Incident Activity...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
IR-3
Incident Response Testing
Aligned a. The Information Security Team should enforce, comply, and...
19.0_IS_Cloud_Computing_Security_Policy.pdf
IR-3
Incident Response Testing
Aligned Data Recovery...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-3
Incident Response Testing
Aligned Incident Response Management...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-3
Incident Response Testing
Aligned Incident Response Testing...
3.0_IS_Information_Security_Policy_2.pdf
IR-3
Incident Response Testing
Aligned Incident Response Recovery and Post Incident Activity...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
IR-3
Incident Response Testing
Aligned Incident Response Management...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-4
Incident Handling
Key Control
Aligned a. The Information Security Team should enforce, comply, and...
19.0_IS_Cloud_Computing_Security_Policy.pdf
IR-4
Incident Handling
Key Control
Aligned b. Steps taken when managing a cloud security incident shoul...
19.0_IS_Cloud_Computing_Security_Policy.pdf
IR-4
Incident Handling
Key Control
Aligned Data Recovery...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-4
Incident Handling
Key Control
Aligned Incident Response Management...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-4
Incident Handling
Key Control
Aligned Incident Handling Procedures...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-4
Incident Handling
Key Control
Aligned Incident Handling...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-4
Incident Handling
Key Control
Aligned Learning from Information Security Incidents Improvement...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-4
Incident Handling
Key Control
Aligned Incident Response | Incident Monitoring...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-4
Incident Handling
Key Control
Aligned Assessment of & Decision on Information Security Events...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-4
Incident Handling
Key Control
Aligned d. All exceptions and anomalies identified during the log fi...
26.0_IS_Vulnerability_Management_Policy.pdf
IR-4
Incident Handling
Key Control
Aligned X. All breaches of information security should be reported t...
3.0_IS_Information_Security_Policy_2.pdf
IR-4
Incident Handling
Key Control
Aligned Detection and Analysis...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
IR-4
Incident Handling
Key Control
Aligned Contact with Authorities...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-4
Incident Handling
Key Control
Aligned Incident Response Management...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-4
Incident Handling
Key Control
Aligned 1.4 CONTACT WITH AUTHORITIES...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-4
Incident Handling
Key Control
Aligned Incident Response | Incident Handling...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-5
Incident Monitoring
Aligned a. The Information Security Team should enforce, comply, and...
19.0_IS_Cloud_Computing_Security_Policy.pdf
IR-5
Incident Monitoring
Aligned Incident Response | Incident Handling...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-5
Incident Monitoring
Aligned Learning from Information Security Incidents...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-5
Incident Monitoring
Aligned f. All vulnerabilities and their remediation progress should...
26.0_IS_Vulnerability_Management_Policy.pdf
IR-5
Incident Monitoring
Aligned b. Event logs should be produced based on the Lazard Logging...
26.0_IS_Vulnerability_Management_Policy.pdf
IR-5
Incident Monitoring
Aligned Incident Response...
20.0_IS_Risk_Management_Policy_2.pdf
IR-5
Incident Monitoring
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
IR-5
Incident Monitoring
Aligned Incident Classification section...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
IR-5
Incident Monitoring
Aligned Incident Response Management...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-6
Incident Reporting
Aligned a. The Information Security Team should enforce, comply, and...
19.0_IS_Cloud_Computing_Security_Policy.pdf
IR-6
Incident Reporting
Aligned Assessment of & Decision on Information Security Events...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-6
Incident Reporting
Aligned X. All breaches of information security should be reported t...
3.0_IS_Information_Security_Policy_2.pdf
IR-6
Incident Reporting
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
IR-6
Incident Reporting
Aligned Incident Prioritization (Severity)...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
IR-6
Incident Reporting
Aligned 1.4 CONTACT WITH AUTHORITIES...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-7
Incident Response Assistance
Aligned Incident Response Procedures...
19.0_IS_Cloud_Computing_Security_Policy.pdf
IR-7
Incident Response Assistance
Aligned Incident Response | Incident Response Training...
5.0_IS_Human_Resource_Security_Policy_1.pdf
IR-7
Incident Response Assistance
Aligned Incident Response Recovery and Post Incident Activity...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
IR-7
Incident Response Assistance
Aligned Incident Response Management...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-8
Incident Response Plan
Key Control
Aligned a. The Information Security Team should enforce, comply, and...
19.0_IS_Cloud_Computing_Security_Policy.pdf
IR-8
Incident Response Plan
Key Control
Aligned Incident Response Management...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-8
Incident Response Plan
Key Control
Aligned Incident Response Management...
19.1_IS_Cloud_Computing_Security_Standard.pdf
IR-8
Incident Response Plan
Key Control
Aligned X. All breaches of information security should be reported t...
3.0_IS_Information_Security_Policy_2.pdf
IR-8
Incident Response Plan
Key Control
Aligned Incident Response Recovery and Post Incident Activity...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
IR-8
Incident Response Plan
Key Control
Aligned 1.4 CONTACT WITH AUTHORITIES...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
IR-9
Information Spillage Response
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
IR-9
Information Spillage Response
Aligned 1.3 DATA OWNER RESPONSIBILITIES...
6.0_IS_Data_Security_Policy_1.pdf
IR-9
Information Spillage Response
Aligned Containment Phase...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
MA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
MA-1
Policy and Procedures
Key Control
Aligned Policy statement requiring the exception....
2.1_IS_Acceptable_Use_Standard.pdf
MA-1
Policy and Procedures
Key Control
Aligned Policy statement requiring the exception....
2.0_IS_Acceptable_Use_Policy.pdf
MA-1
Policy and Procedures
Key Control
Aligned The technical and organizational controls define minimum req...
26.0_IS_Vulnerability_Management_Policy.pdf
MA-1
Policy and Procedures
Key Control
Aligned Policy statement requiring the exception....
6.0_IS_Data_Security_Policy_1.pdf
MA-1
Policy and Procedures
Key Control
Aligned 1.0 PURPOSE and 1.2 SCOPE & APPLICABILITY...
5.0_IS_Human_Resource_Security_Policy_1.pdf
MA-1
Policy and Procedures
Key Control
Aligned Maintenance policy and procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
MA-1
Policy and Procedures
Key Control
Aligned Policy exception process...
7.2_IS_End_User_Device_Standard.pdf
MA-1
Policy and Procedures
Key Control
Aligned Chunk: 1.5...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
MA-1
Policy and Procedures
Key Control
Aligned Maintenance policy and procedures...
3.0_IS_Information_Security_Policy_2.pdf
MA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
MA-2
Controlled Maintenance
Key Control
Aligned MAINTENANCE...
2.0_IS_Acceptable_Use_Policy.pdf
MA-2
Controlled Maintenance
Key Control
Aligned 4. Voice Communications Equipment...
7.2_IS_End_User_Device_Standard.pdf
MA-2
Controlled Maintenance
Key Control
Aligned System Maintenance Information...
7.0_IS_Asset_Management_Policy.pdf
MA-3
Maintenance Tools
Key Control
Gap Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues ...
Critical Gap - Key Control Missing
MA-4
Nonlocal Maintenance
Aligned With Lazard IT Department Personnel only, there may be selec...
2.1_IS_Acceptable_Use_Standard.pdf
MA-4
Nonlocal Maintenance
Aligned h) A current network architecture must be maintained that in...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
MA-4
Nonlocal Maintenance
Aligned INFORMATION SECURITY GOALS...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
MA-5
Maintenance Personnel
Key Control
Aligned m) Remote maintenance ports for Lazard’s information and com...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
MA-5
Maintenance Personnel
Key Control
Aligned Personnel Security | Policy & Procedures...
7.0_IS_Asset_Management_Policy.pdf
MA-5
Maintenance Personnel
Key Control
Aligned Is responsible for reviewing and authorizing access to infor...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
MA-6
Timely Maintenance
Key Control
Gap Organizations specify the system components that result in increased risk to organizational operatio...
Critical Gap - Key Control Missing
MA-7
Field Maintenance
Gap Field maintenance is the type of maintenance conducted on a system or system component after the sys...
MP-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
MP-1
Policy and Procedures
Key Control
Aligned 1.5 EXCEPTION...
2.1_IS_Acceptable_Use_Standard.pdf
MP-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
MP-1
Policy and Procedures
Key Control
Aligned Policy statement requiring the exception....
6.0_IS_Data_Security_Policy_1.pdf
MP-1
Policy and Procedures
Key Control
Aligned Media protection policy and procedures...
5.0_IS_Human_Resource_Security_Policy_1.pdf
MP-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
MP-1
Policy and Procedures
Key Control
Aligned Media protection policy and procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
MP-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
MP-1
Policy and Procedures
Key Control
Aligned Media Protection Policy and Procedures...
3.0_IS_Information_Security_Policy_2.pdf
MP-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
20.0_IS_Risk_Management_Policy_2.pdf
MP-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.0_IS_Asset_Management_Policy.pdf
MP-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
MP-1
Policy and Procedures
Key Control
Aligned Responsibilities for the protection of individual assets and...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
MP-2
Media Access
Aligned Handling of Assets | Management of Removable Media...
6.1_IS_Data_Security_Standards.pdf
MP-2
Media Access
Aligned 1.12 REMOVEABLE STORAGE DEVICES...
2.0_IS_Acceptable_Use_Policy.pdf
MP-2
Media Access
Aligned Media Protection | Policy & Procedures, Media Access, Media ...
19.1_IS_Cloud_Computing_Security_Standard.pdf
MP-2
Media Access
Aligned Handling of Assets...
6.0_IS_Data_Security_Policy_1.pdf
MP-2
Media Access
Aligned Media Protection | Media Access...
7.2_IS_End_User_Device_Standard.pdf
MP-2
Media Access
Aligned Media Protection | Media Access...
7.2_IS_End_User_Device_Standard.pdf
MP-2
Media Access
Aligned Media Protection | Media Access...
7.2_IS_End_User_Device_Standard.pdf
MP-2
Media Access
Aligned Media Protection | Media Access...
7.2_IS_End_User_Device_Standard.pdf
MP-3
Media Marking
Aligned Label information with 'Internal', 'Confidential' or 'Restri...
6.1_IS_Data_Security_Standards.pdf
MP-3
Media Marking
Aligned Handling of Assets | Management of Removable Media...
6.1_IS_Data_Security_Standards.pdf
MP-3
Media Marking
Aligned DOCUMENT CLASSIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
MP-3
Media Marking
Aligned DOCUMENT CLASSIFICATION...
19.0_IS_Cloud_Computing_Security_Policy.pdf
MP-3
Media Marking
Aligned Media Protection | Media Marking...
6.0_IS_Data_Security_Policy_1.pdf
MP-3
Media Marking
Aligned Media Protection | Media Marking...
7.2_IS_End_User_Device_Standard.pdf
MP-3
Media Marking
Aligned Media Protection | Media Marking...
7.2_IS_End_User_Device_Standard.pdf
MP-3
Media Marking
Aligned DOCUMENT CLASSIFICATION...
20.0_IS_Risk_Management_Policy_2.pdf
MP-3
Media Marking
Aligned Personnel Security | Policy & Procedures...
7.0_IS_Asset_Management_Policy.pdf
MP-3
Media Marking
Aligned DOCUMENT CLASSIFICATION...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
MP-4
Media Storage
Key Control
Aligned Handling of Assets | Management of Removable Media | Physica...
6.1_IS_Data_Security_Standards.pdf
MP-4
Media Storage
Key Control
Aligned Data processing using Lazard-authorized encrypted removable ...
2.1_IS_Acceptable_Use_Standard.pdf
MP-4
Media Storage
Key Control
Aligned 1.12 REMOVEABLE STORAGE DEVICES...
2.0_IS_Acceptable_Use_Policy.pdf
MP-4
Media Storage
Key Control
Aligned Media Protection | Policy & Procedures...
19.1_IS_Cloud_Computing_Security_Standard.pdf
MP-4
Media Storage
Key Control
Aligned Access Control | Information Flow Enforcement...
6.0_IS_Data_Security_Policy_1.pdf
MP-4
Media Storage
Key Control
Aligned Media Protection | Media Storage...
7.2_IS_End_User_Device_Standard.pdf
MP-4
Media Storage
Key Control
Aligned Media Protection | Media Storage...
7.2_IS_End_User_Device_Standard.pdf
MP-5
Media Transport
Key Control
Aligned Handling of Assets | Management of Removable Media | Physica...
6.1_IS_Data_Security_Standards.pdf
MP-5
Media Transport
Key Control
Aligned 1.12 REMOVEABLE STORAGE DEVICES...
2.0_IS_Acceptable_Use_Policy.pdf
MP-5
Media Transport
Key Control
Aligned Data Protection...
6.0_IS_Data_Security_Policy_1.pdf
MP-5
Media Transport
Key Control
Aligned Media Protection | Media Transport...
7.2_IS_End_User_Device_Standard.pdf
MP-5
Media Transport
Key Control
Aligned Media Protection | Media Transport...
7.2_IS_End_User_Device_Standard.pdf
MP-6
Media Sanitization
Aligned Disposal (in accordance with Retention Policy)...
6.1_IS_Data_Security_Standards.pdf
MP-6
Media Sanitization
Aligned 1.12 REMOVEABLE STORAGE DEVICES...
2.0_IS_Acceptable_Use_Policy.pdf
MP-6
Media Sanitization
Aligned Data destruction procedures for cloud service providers...
19.0_IS_Cloud_Computing_Security_Policy.pdf
MP-6
Media Sanitization
Aligned Media Protection | Media Sanitization...
6.0_IS_Data_Security_Policy_1.pdf
MP-6
Media Sanitization
Aligned Media Protection | Media Sanitization...
6.0_IS_Data_Security_Policy_1.pdf
MP-6
Media Sanitization
Aligned Media Protection | Media Access...
6.0_IS_Data_Security_Policy_1.pdf
MP-6
Media Sanitization
Aligned Secure Disposal or Re-Use of Equipment...
6.0_IS_Data_Security_Policy_1.pdf
MP-6
Media Sanitization
Aligned Media Protection | Media Sanitization...
6.0_IS_Data_Security_Policy_1.pdf
MP-6
Media Sanitization
Aligned IT Asset (NEW) and other assets Retirement and Disposal...
7.1_IS_Asset_Management_Standard.pdf
MP-6
Media Sanitization
Aligned Media Protection | Media Sanitization...
7.2_IS_End_User_Device_Standard.pdf
MP-6
Media Sanitization
Aligned Media Protection | Media Sanitization...
7.2_IS_End_User_Device_Standard.pdf
MP-6
Media Sanitization
Aligned Media sanitization applies to all digital and non-digital sy...
20.0_IS_Risk_Management_Policy_2.pdf
MP-6
Media Sanitization
Aligned 1.2.2 Asset Disposal & Re-Use...
7.0_IS_Asset_Management_Policy.pdf
MP-7
Media Use
Key Control
Aligned Management of Removable Media...
6.1_IS_Data_Security_Standards.pdf
MP-7
Media Use
Key Control
Aligned Data processing using Lazard-authorized encrypted removable ...
2.1_IS_Acceptable_Use_Standard.pdf
MP-7
Media Use
Key Control
Aligned 1.12 REMOVEABLE STORAGE DEVICES...
2.0_IS_Acceptable_Use_Policy.pdf
MP-7
Media Use
Key Control
Aligned Media Protection | Media Use...
6.0_IS_Data_Security_Policy_1.pdf
MP-7
Media Use
Key Control
Aligned Media Protection | Media Use...
7.2_IS_End_User_Device_Standard.pdf
MP-7
Media Use
Key Control
Aligned Protection of network devices and approved devices...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
MP-7
Media Use
Key Control
Aligned End-user Device Security Policy...
3.0_IS_Information_Security_Policy_2.pdf
MP-8
Media Downgrading
Aligned Handling of Assets | Management of Removable Media...
6.1_IS_Data_Security_Standards.pdf
MP-8
Media Downgrading
Aligned 1.12 REMOVEABLE STORAGE DEVICES...
2.0_IS_Acceptable_Use_Policy.pdf
MP-8
Media Downgrading
Aligned Data Destruction Procedures...
19.0_IS_Cloud_Computing_Security_Policy.pdf
MP-8
Media Downgrading
Aligned Media Protection | Media Downgrading...
19.1_IS_Cloud_Computing_Security_Standard.pdf
MP-8
Media Downgrading
Aligned Media Protection | Media Downgrading...
7.2_IS_End_User_Device_Standard.pdf
MP-8
Media Downgrading
Aligned Media Protection | Media Downgrading...
7.0_IS_Asset_Management_Policy.pdf
PE-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
PE-1
Policy and Procedures
Key Control
Aligned 1.5 EXCEPTION...
2.1_IS_Acceptable_Use_Standard.pdf
PE-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
PE-1
Policy and Procedures
Key Control
Aligned Policy statement requiring the exception....
6.0_IS_Data_Security_Policy_1.pdf
PE-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
PE-1
Policy and Procedures
Key Control
Aligned Physical and Environmental Protection Policy and Procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PE-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
PE-1
Policy and Procedures
Key Control
Aligned Section 1.5 - Policy Exceptions...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PE-1
Policy and Procedures
Key Control
Aligned Physical and Environmental Protection Policy and Procedures...
3.0_IS_Information_Security_Policy_2.pdf
PE-1
Policy and Procedures
Key Control
Aligned Physical and Environmental Protection Policy and Procedures...
20.0_IS_Risk_Management_Policy_2.pdf
PE-1
Policy and Procedures
Key Control
Aligned Divisions & Functions are free to define and implement stron...
7.0_IS_Asset_Management_Policy.pdf
PE-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
PE-1
Policy and Procedures
Key Control
Aligned Policy statement requiring the exception....
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PE-10
Emergency Shutoff
Gap Emergency power shutoff primarily applies to organizational facilities that contain concentrations o...
PE-11
Emergency Power
Gap An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency p...
PE-12
Emergency Lighting
Key Control
Gap The provision of emergency lighting applies primarily to organizational facilities that contain conc...
Critical Gap - Key Control Missing
PE-13
Fire Protection
Gap The provision of fire detection and suppression systems applies primarily to organizational faciliti...
PE-14
Environmental Controls
Key Control
Aligned Physical & Environmental Protection | Delivery & Removal...
7.0_IS_Asset_Management_Policy.pdf
PE-15
Water Damage Protection
Gap The provision of water damage protection primarily applies to organizational facilities that contain...
PE-16
Delivery and Removal
Key Control
Aligned Access Restrictions and User Access Policies...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PE-16
Delivery and Removal
Key Control
Aligned Physical Access Management...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PE-16
Delivery and Removal
Key Control
Aligned Section p) and r)...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PE-16
Delivery and Removal
Key Control
Aligned vi. Authorizing and periodically reviewing access entitlemen...
7.0_IS_Asset_Management_Policy.pdf
PE-16
Delivery and Removal
Key Control
Aligned 1.2.6 Physical Security Perimeter and Entry Controls...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PE-17
Alternate Work Site
Key Control
Aligned Contingency Planning | Alternate Processing Site...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PE-18
Location of System Components
Key Control
Aligned Section 9: Equipment and media containing confidential infor...
7.2_IS_End_User_Device_Standard.pdf
PE-19
Information Leakage
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
PE-19
Information Leakage
Aligned d) A data loss prevention (DLP) mechanism should be implemen...
6.0_IS_Data_Security_Policy_1.pdf
PE-19
Information Leakage
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PE-2
Physical Access Authorizations
Key Control
Aligned Physical & Environmental Protection | Physical Access Author...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PE-2
Physical Access Authorizations
Key Control
Aligned h. Should ensure that physical access to assets is managed a...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PE-2
Physical Access Authorizations
Key Control
Aligned m) Remote maintenance ports for Lazard’s information and com...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PE-2
Physical Access Authorizations
Key Control
Aligned Physical and Environmental Security...
3.0_IS_Information_Security_Policy_2.pdf
PE-2
Physical Access Authorizations
Key Control
Aligned Personnel Security | Policy & Procedures...
7.0_IS_Asset_Management_Policy.pdf
PE-2
Physical Access Authorizations
Key Control
Aligned Security Personnel...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PE-20
Asset Monitoring and Tracking
Key Control
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PE-20
Asset Monitoring and Tracking
Key Control
Aligned c) The Asset inventory should be kept accurate, and it shoul...
7.0_IS_Asset_Management_Policy.pdf
PE-20
Asset Monitoring and Tracking
Key Control
Aligned Section 1.3 ROLES & RESPONSIBILITIES...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PE-21
Electromagnetic Pulse Protection
Gap An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a rang...
PE-22
Component Marking
Key Control
Aligned Physical & Environmental Protection | Information Leakage...
6.1_IS_Data_Security_Standards.pdf
PE-22
Component Marking
Key Control
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PE-23
Facility Location
Gap Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terror...
PE-3
Physical Access Control
Key Control
Aligned Access Control | Information Flow Enforcement...
6.1_IS_Data_Security_Standards.pdf
PE-3
Physical Access Control
Key Control
Aligned Access Control Policies and Procedures...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PE-3
Physical Access Control
Key Control
Aligned Physical access control applies to employees and visitors....
6.0_IS_Data_Security_Policy_1.pdf
PE-3
Physical Access Control
Key Control
Aligned h. Should ensure that physical access to assets is managed a...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PE-3
Physical Access Control
Key Control
Aligned h. Should ensure that physical access to assets is managed a...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PE-3
Physical Access Control
Key Control
Aligned It is paramount that the established security perimeter and ...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PE-3
Physical Access Control
Key Control
Aligned 1.2.6 Physical Security Perimeter and Entry Controls...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PE-4
Access Control for Transmission
Aligned Equipment Siting & Protection...
6.1_IS_Data_Security_Standards.pdf
PE-4
Access Control for Transmission
Aligned Cabling security...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PE-4
Access Control for Transmission
Aligned Equipment and media containing confidential information shou...
7.2_IS_End_User_Device_Standard.pdf
PE-4
Access Control for Transmission
Aligned Section p) Telephone lines that could enable remote access i...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PE-4
Access Control for Transmission
Aligned Physical & Environmental Protection | Delivery & Removal...
7.0_IS_Asset_Management_Policy.pdf
PE-5
Access Control for Output Devices
Key Control
Aligned Access Control | Information Flow Enforcement...
6.1_IS_Data_Security_Standards.pdf
PE-5
Access Control for Output Devices
Key Control
Aligned Personnel Security | Monitoring Physical Access...
6.1_IS_Data_Security_Standards.pdf
PE-5
Access Control for Output Devices
Key Control
Aligned h. Should ensure that physical access to assets is managed a...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PE-6
Monitoring Physical Access
Key Control
Aligned Access Control | Information Flow Enforcement...
6.1_IS_Data_Security_Standards.pdf
PE-6
Monitoring Physical Access
Key Control
Aligned Upon use of Lazard’s Systems, be it directly or indirectly, ...
2.0_IS_Acceptable_Use_Policy.pdf
PE-6
Monitoring Physical Access
Key Control
Aligned Physical and Environmental Security...
3.0_IS_Information_Security_Policy_2.pdf
PE-6
Monitoring Physical Access
Key Control
Aligned Responsibilities related to reviewing and authorizing access...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PE-8
Visitor Access Records
Key Control
Aligned Access Control Policy...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PE-9
Power Equipment and Cabling
Aligned Physical & Environmental Protection | Power Equipment & Cabl...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PE-9
Power Equipment and Cabling
Aligned Equipment Siting & Protection...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PL-1
Policy and Procedures
Aligned Exceptions to the policy...
6.1_IS_Data_Security_Standards.pdf
PL-1
Policy and Procedures
Aligned 1.5 EXCEPTION...
2.1_IS_Acceptable_Use_Standard.pdf
PL-1
Policy and Procedures
Aligned 1.17 EXCEPTION...
2.0_IS_Acceptable_Use_Policy.pdf
PL-1
Policy and Procedures
Aligned Policy statement requiring the exception....
6.0_IS_Data_Security_Policy_1.pdf
PL-1
Policy and Procedures
Aligned 1.0 PURPOSE and 1.2 SCOPE & APPLICABILITY...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PL-1
Policy and Procedures
Aligned Policy exception process...
7.1_IS_Asset_Management_Standard.pdf
PL-1
Policy and Procedures
Aligned Planning policy and procedures for the controls in the PL fa...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PL-1
Policy and Procedures
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
PL-1
Policy and Procedures
Aligned Exceptions to the policy...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PL-1
Policy and Procedures
Aligned Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Information Security Policy – Communicates management direct...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Compliance and Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Compliance and Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Information Security Incident Management and Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
PL-1
Policy and Procedures
Aligned 1.1 SCOPE & APPLICABILITY...
20.0_IS_Risk_Management_Policy_2.pdf
PL-1
Policy and Procedures
Aligned Policy exception process and implementation of security requ...
7.0_IS_Asset_Management_Policy.pdf
PL-1
Policy and Procedures
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
PL-1
Policy and Procedures
Aligned Policy statement requiring the exception....
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PL-10
Baseline Selection
Key Control
Aligned Control References...
6.1_IS_Data_Security_Standards.pdf
PL-10
Baseline Selection
Key Control
Aligned Control Baselines...
2.0_IS_Acceptable_Use_Policy.pdf
PL-10
Baseline Selection
Key Control
Aligned 1.12 GOVERNANCE...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PL-10
Baseline Selection
Key Control
Aligned Baseline security requirements...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PL-10
Baseline Selection
Key Control
Aligned Control: PL-10...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PL-10
Baseline Selection
Key Control
Aligned The protection of data against unintentional, unlawful, or u...
3.0_IS_Information_Security_Policy_2.pdf
PL-11
Baseline Tailoring
Aligned Control: PL-11...
2.0_IS_Acceptable_Use_Policy.pdf
PL-11
Baseline Tailoring
Aligned 1.12 GOVERNANCE...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PL-11
Baseline Tailoring
Aligned Baseline security control requirements should be established...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PL-11
Baseline Tailoring
Aligned Tailoring Actions and Customization of Controls...
6.0_IS_Data_Security_Policy_1.pdf
PL-11
Baseline Tailoring
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PL-11
Baseline Tailoring
Aligned 1.6 EXCEPTION...
7.1_IS_Asset_Management_Standard.pdf
PL-11
Baseline Tailoring
Aligned The practice of protecting information and information syste...
3.0_IS_Information_Security_Policy_2.pdf
PL-11
Baseline Tailoring
Aligned Clause 8.3 Design & Development...
20.0_IS_Risk_Management_Policy_2.pdf
PL-11
Baseline Tailoring
Aligned Control: PL-11...
7.0_IS_Asset_Management_Policy.pdf
PL-2
System Security and Privacy Plans
Aligned 1.5 CLOUD SECURITY MANAGEMENT...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PL-2
System Security and Privacy Plans
Aligned Section 1.2.2 Access to Networks and Network Services...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PL-2
System Security and Privacy Plans
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
PL-2
System Security and Privacy Plans
Aligned Section 1.4 REQUIREMENT...
20.0_IS_Risk_Management_Policy_2.pdf
PL-4
Rules of Behavior
Key Control
Aligned Control Name...
6.1_IS_Data_Security_Standards.pdf
PL-4
Rules of Behavior
Key Control
Aligned 1.6 ENFORCEMENT/COMPLIANCE...
2.1_IS_Acceptable_Use_Standard.pdf
PL-4
Rules of Behavior
Key Control
Aligned 1.11 USER ID & PASSWORD SECURITY...
2.0_IS_Acceptable_Use_Policy.pdf
PL-4
Rules of Behavior
Key Control
Aligned Roles & Responsibilities...
2.0_IS_Acceptable_Use_Policy.pdf
PL-4
Rules of Behavior
Key Control
Aligned Further, Users could be held individually liable for illegal...
7.1_IS_Asset_Management_Standard.pdf
PL-4
Rules of Behavior
Key Control
Aligned Identification & Authentication | Authenticator Management...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PL-4
Rules of Behavior
Key Control
Aligned Access Control Roles and Responsibilities...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PL-4
Rules of Behavior
Key Control
Aligned Any User found to have violated any of these policies may be...
7.2_IS_End_User_Device_Standard.pdf
PL-4
Rules of Behavior
Key Control
Aligned 1.7 ENFORCEMENT...
3.0_IS_Information_Security_Policy_2.pdf
PL-4
Rules of Behavior
Key Control
Aligned The requirement to protect individual authenticators may be ...
7.0_IS_Asset_Management_Policy.pdf
PL-4
Rules of Behavior
Key Control
Aligned Rules of behavior represent a type of access agreement for o...
7.0_IS_Asset_Management_Policy.pdf
PL-4
Rules of Behavior
Key Control
Aligned 1.2.1 Access Control...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PL-7
Concept of Operations
Key Control
Gap The CONOPS may be included in the security or privacy plans for the system or in other system develo...
Critical Gap - Key Control Missing
PL-8
Security and Privacy Architectures
Aligned Section 2.1 Acceptable Use Standard and Access Control Polic...
2.0_IS_Acceptable_Use_Policy.pdf
PL-8
Security and Privacy Architectures
Aligned System Acquisition, Development and Maintenance...
3.0_IS_Information_Security_Policy_2.pdf
PL-8
Security and Privacy Architectures
Aligned 1.4 REQUIREMENT...
20.0_IS_Risk_Management_Policy_2.pdf
PL-9
Central Management
Key Control
Aligned Central management refers to organization-wide management an...
6.0_IS_Data_Security_Policy_1.pdf
PL-9
Central Management
Key Control
Aligned Central management refers to organization-wide management an...
3.0_IS_Information_Security_Policy_2.pdf
PL-9
Central Management
Key Control
Aligned Incident Lifecycle...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
PM-1
Information Security Program Plan
Aligned Cloud Security Program Management...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PM-1
Information Security Program Plan
Aligned 1.0 PURPOSE...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PM-1
Information Security Program Plan
Aligned Organization of Information Security – Establishes a managem...
3.0_IS_Information_Security_Policy_2.pdf
PM-1
Information Security Program Plan
Aligned XII. There may be instances where there is a justifiable bus...
3.0_IS_Information_Security_Policy_2.pdf
PM-1
Information Security Program Plan
Aligned the organization’s cybersecurity program...
3.0_IS_Information_Security_Policy_2.pdf
PM-1
Information Security Program Plan
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
PM-1
Information Security Program Plan
Aligned Control: PM-1...
7.0_IS_Asset_Management_Policy.pdf
PM-1
Information Security Program Plan
Aligned Information Security Program Plan Overview...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
PM-1
Information Security Program Plan
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-10
Authorization Process
Key Control
Aligned Authorization processes for organizational systems and envir...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PM-10
Authorization Process
Key Control
Aligned Role Responsibility...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PM-10
Authorization Process
Key Control
Aligned 1.5 ROLES & RESPONSIBILITIES...
20.0_IS_Risk_Management_Policy_2.pdf
PM-10
Authorization Process
Key Control
Aligned Authorization processes for organizational systems and envir...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PM-10
Authorization Process
Key Control
Aligned Responsibilities for information security risk management ac...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned 1.0 PURPOSE...
6.0_IS_Data_Security_Policy_1.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Section 1.5 - Exceptions to the policy...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Information Security Incident Management and Compliance...
3.0_IS_Information_Security_Policy_2.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned 1.4 REQUIREMENT...
20.0_IS_Risk_Management_Policy_2.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Protection needs are technology-independent capabilities tha...
7.0_IS_Asset_Management_Policy.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Responsibilities for the protection of individual assets and...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-11
Mission and Business Process Definition
Key Control
Aligned Responsibilities for information security risk management ac...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-12
Insider Threat Program
Key Control
Aligned Insider threat programs include controls to detect and preve...
2.0_IS_Acceptable_Use_Policy.pdf
PM-12
Insider Threat Program
Key Control
Aligned Personnel Security | Policy & Procedures...
7.0_IS_Asset_Management_Policy.pdf
PM-13
Security and Privacy Workforce
Key Control
Aligned Security and privacy workforce development and improvement p...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-13
Security and Privacy Workforce
Key Control
Aligned Security responsibilities by employees under their supervisi...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PM-13
Security and Privacy Workforce
Key Control
Aligned Information Security Awareness, Education & Training...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PM-13
Security and Privacy Workforce
Key Control
Aligned Security Awareness & Skills Training...
3.0_IS_Information_Security_Policy_2.pdf
PM-13
Security and Privacy Workforce
Key Control
Aligned Program Management | Security & Privacy Workforce...
3.0_IS_Information_Security_Policy_2.pdf
PM-14
Testing, Training, and Monitoring
Aligned 2.1 Acceptable Use Standard and 8.0 Access Control Policy...
2.0_IS_Acceptable_Use_Policy.pdf
PM-14
Testing, Training, and Monitoring
Aligned Processes, procedures, and controls to safeguard Lazard’s en...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PM-14
Testing, Training, and Monitoring
Aligned The Information Security Team should periodically conduct a ...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PM-14
Testing, Training, and Monitoring
Aligned Assessment, Authorization & Monitoring | Control Assessments...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-14
Testing, Training, and Monitoring
Aligned 1.2.7 Vulnerability Scanning...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-14
Testing, Training, and Monitoring
Aligned 1.3 ROLES & RESPONSIBILITIES...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-14
Testing, Training, and Monitoring
Aligned Security Awareness Training Responsibilities...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PM-14
Testing, Training, and Monitoring
Aligned Access Control | Concurrent Session Control, System & Commun...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PM-14
Testing, Training, and Monitoring
Aligned Information Security Awareness, Education & Training...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PM-14
Testing, Training, and Monitoring
Aligned the organization’s cybersecurity program...
3.0_IS_Information_Security_Policy_2.pdf
PM-14
Testing, Training, and Monitoring
Aligned Job Description (JD) and Management Responsibilities...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-14
Testing, Training, and Monitoring
Aligned Management Responsibilities...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-14
Testing, Training, and Monitoring
Aligned Management Responsibilities...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-15
Security and Privacy Groups and Associations
Aligned Assessment, Authorization & Monitoring | Continuous Monitori...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-16
Threat Awareness Program
Aligned 1.2.1 General Requirements...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-17
Protecting Controlled Unclassified Information on External Systems
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
PM-17
Protecting Controlled Unclassified Information on External Systems
Aligned 1.0 PURPOSE...
6.0_IS_Data_Security_Policy_1.pdf
PM-17
Protecting Controlled Unclassified Information on External Systems
Aligned DOCUMENT CLASSIFICATION...
20.0_IS_Risk_Management_Policy_2.pdf
PM-18
Privacy Program Plan
Gap A privacy program plan is a formal document that provides an overview of an organization’s pri...
PM-19
Privacy Program Leadership Role
Gap The privacy officer is an organizational official. For federal agencies—as defined by applicab...
PM-2
Information Security Program Leadership Role
Aligned 1.11 DOCUMENT INFORMATION...
6.1_IS_Data_Security_Standards.pdf
PM-2
Information Security Program Leadership Role
Aligned 1.11 DOCUMENT INFORMATION...
2.1_IS_Acceptable_Use_Standard.pdf
PM-2
Information Security Program Leadership Role
Aligned Roles and Responsibilities for Governance of Cloud Security ...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PM-2
Information Security Program Leadership Role
Aligned POSITION...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-2
Information Security Program Leadership Role
Aligned 1.10 DOCUMENT INFORMATION...
7.2_IS_End_User_Device_Standard.pdf
PM-2
Information Security Program Leadership Role
Aligned 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY...
3.0_IS_Information_Security_Policy_2.pdf
PM-2
Information Security Program Leadership Role
Aligned 1.5 ROLES & RESPONSIBILITIES...
20.0_IS_Risk_Management_Policy_2.pdf
PM-2
Information Security Program Leadership Role
Aligned 1.11 DOCUMENT INFORMATION...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PM-20
Dissemination of Privacy Program Information
Gap For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include p...
PM-21
Accounting of Disclosures
Key Control
Aligned Section ii to viii regarding personal and sensitive informat...
6.0_IS_Data_Security_Policy_1.pdf
PM-22
Personally Identifiable Information Quality Management
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
PM-23
Data Governance Body
Key Control
Aligned Data Governance Body responsibilities and data protection re...
6.1_IS_Data_Security_Standards.pdf
PM-23
Data Governance Body
Key Control
Aligned 1.12 GOVERNANCE...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PM-23
Data Governance Body
Key Control
Aligned Data retention policies are driven by legal and regulatory r...
6.0_IS_Data_Security_Policy_1.pdf
PM-23
Data Governance Body
Key Control
Aligned The protection of data against unintentional, unlawful, or u...
3.0_IS_Information_Security_Policy_2.pdf
PM-24
Data Integrity Board
Aligned The accuracy, completeness, and quality of data as it is mai...
3.0_IS_Information_Security_Policy_2.pdf
PM-25
Minimization of Personally Identifiable Information Used in Testing, Training, and Research
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
PM-25
Minimization of Personally Identifiable Information Used in Testing, Training, and Research
Key Control
Aligned Handling of personal information and data classified as prod...
6.0_IS_Data_Security_Policy_1.pdf
PM-26
Complaint Management
Gap Complaints, concerns, and questions from individuals can serve as valuable sources of input to organ...
PM-27
Privacy Reporting
Key Control
Gap Through internal and external reporting, organizations promote accountability and transparency in or...
Critical Gap - Key Control Missing
PM-28
Risk Framing
Aligned Program Management | Risk Framing...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-28
Risk Framing
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
PM-28
Risk Framing
Aligned Assets ownership and responsibilities...
7.0_IS_Asset_Management_Policy.pdf
PM-28
Risk Framing
Aligned Risk Framing...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
PM-28
Risk Framing
Aligned Responsibilities for information security risk management ac...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-29
Risk Management Program Leadership Roles
Aligned 1.5 ROLES & RESPONSIBILITIES...
20.0_IS_Risk_Management_Policy_2.pdf
PM-29
Risk Management Program Leadership Roles
Aligned Information Security Policies for Supplier Relationships...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-3
Information Security and Privacy Resources
Aligned 1.12 GOVERNANCE...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PM-3
Information Security and Privacy Resources
Aligned 1.5 ROLES & RESPONSIBILITIES...
20.0_IS_Risk_Management_Policy_2.pdf
PM-30
Supply Chain Risk Management Strategy
Aligned Supply Chain Risk Management...
6.1_IS_Data_Security_Standards.pdf
PM-30
Supply Chain Risk Management Strategy
Aligned Supply Chain Risk Management | Supply Chain Risk Management ...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-30
Supply Chain Risk Management Strategy
Aligned Risk Management Performance...
20.0_IS_Risk_Management_Policy_2.pdf
PM-31
Continuous Monitoring Strategy
Key Control
Aligned Access Control | Information Flow Enforcement, Access Contro...
6.1_IS_Data_Security_Standards.pdf
PM-31
Continuous Monitoring Strategy
Key Control
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
PM-31
Continuous Monitoring Strategy
Key Control
Aligned Continuous Vulnerability Management...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-31
Continuous Monitoring Strategy
Key Control
Aligned 1.2.1 General Network Security...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PM-31
Continuous Monitoring Strategy
Key Control
Aligned Maintaining processes to track cybersecurity related risk ac...
20.0_IS_Risk_Management_Policy_2.pdf
PM-32
Purposing
Key Control
Aligned 1.0 PURPOSE...
2.1_IS_Acceptable_Use_Standard.pdf
PM-32
Purposing
Key Control
Aligned Lazard System and Application Owners should prepare and reco...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PM-4
Plan of Action and Milestones Process
Aligned Assessment, Authorization & Monitoring | Plan of Action & Mi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-4
Plan of Action and Milestones Process
Aligned Program Management | Plan of Action & Milestones Process...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-4
Plan of Action and Milestones Process
Aligned Risk Mitigator/Responder...
20.0_IS_Risk_Management_Policy_2.pdf
PM-5
System Inventory
Aligned Inventory and Control of Enterprise Assets...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-5
System Inventory
Aligned NIST SP 800-53 Rev 5...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-5
System Inventory
Aligned Inventories of all hardware and software...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-5
System Inventory
Aligned Inventory & Control of Enterprise Assets...
7.0_IS_Asset_Management_Policy.pdf
PM-6
Measures of Performance
Aligned Program Management | Measures of Performance...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-6
Measures of Performance
Aligned Develops policy, standards and guidelines and approves solut...
20.0_IS_Risk_Management_Policy_2.pdf
PM-6
Measures of Performance
Aligned 1.4.4 Risk Management Performance...
20.0_IS_Risk_Management_Policy_2.pdf
PM-7
Enterprise Architecture
Aligned 1.4 REQUIREMENT...
20.0_IS_Risk_Management_Policy_2.pdf
PM-8
Critical Infrastructure Plan
Aligned Program Management | Critical Infrastructure Plan...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-8
Critical Infrastructure Plan
Aligned 1.2 POLICY...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-8
Critical Infrastructure Plan
Aligned Protection Strategies and Policy Exceptions...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PM-8
Critical Infrastructure Plan
Aligned Section p) and r)...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PM-8
Critical Infrastructure Plan
Aligned Section (b) and (c) regarding identifying threats and vulner...
3.0_IS_Information_Security_Policy_2.pdf
PM-8
Critical Infrastructure Plan
Aligned Risk Assessment...
20.0_IS_Risk_Management_Policy_2.pdf
PM-9
Risk Management Strategy
Aligned Program Management | Risk Management Strategy...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-9
Risk Management Strategy
Aligned Program Management | Risk Management Strategy...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PM-9
Risk Management Strategy
Aligned 1.2 POLICY...
26.0_IS_Vulnerability_Management_Policy.pdf
PM-9
Risk Management Strategy
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
PM-9
Risk Management Strategy
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
PM-9
Risk Management Strategy
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
PM-9
Risk Management Strategy
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
PM-9
Risk Management Strategy
Aligned Privacy risk assessments are used to prioritize the risks th...
7.0_IS_Asset_Management_Policy.pdf
PM-9
Risk Management Strategy
Aligned Assets ownership and responsibilities...
7.0_IS_Asset_Management_Policy.pdf
PM-9
Risk Management Strategy
Aligned Responsibilities for information security risk management ac...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PM-9
Risk Management Strategy
Aligned Responsibilities for information security risk management ac...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PS-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
PS-1
Policy and Procedures
Key Control
Aligned 1.5 EXCEPTION...
2.1_IS_Acceptable_Use_Standard.pdf
PS-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
PS-1
Policy and Procedures
Key Control
Aligned Policy and Procedures for Security Controls...
26.0_IS_Vulnerability_Management_Policy.pdf
PS-1
Policy and Procedures
Key Control
Aligned Personnel security policy and procedures for the controls in...
6.0_IS_Data_Security_Policy_1.pdf
PS-1
Policy and Procedures
Key Control
Aligned Security responsibilities by employees under their supervisi...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PS-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
PS-1
Policy and Procedures
Key Control
Aligned Personnel security policy and procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
PS-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PS-1
Policy and Procedures
Key Control
Aligned Personnel security policy and procedures...
3.0_IS_Information_Security_Policy_2.pdf
PS-1
Policy and Procedures
Key Control
Aligned Personnel Security Policy and Procedures...
20.0_IS_Risk_Management_Policy_2.pdf
PS-1
Policy and Procedures
Key Control
Aligned Divisions & Functions are free to define and implement stron...
7.0_IS_Asset_Management_Policy.pdf
PS-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
PS-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PS-1
Policy and Procedures
Key Control
Aligned Job Description and Security Roles and Responsibilities...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PS-1
Policy and Procedures
Key Control
Aligned Segregation of Duties and Compensating Controls...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PS-1
Policy and Procedures
Key Control
Aligned Contact with Authorities...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PS-2
Position Risk Designation
Key Control
Aligned Position risk designations reflect Office of Personnel Manag...
2.1_IS_Acceptable_Use_Standard.pdf
PS-2
Position Risk Designation
Key Control
Aligned 2.1 Acceptable Use Standard and 8.0 Access Control Policy...
2.0_IS_Acceptable_Use_Policy.pdf
PS-2
Position Risk Designation
Key Control
Aligned Personnel Security | Position Risk Designation...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PS-2
Position Risk Designation
Key Control
Aligned Position risk designations reflect Office of Personnel Manag...
6.0_IS_Data_Security_Policy_1.pdf
PS-2
Position Risk Designation
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PS-2
Position Risk Designation
Key Control
Aligned Personnel Security | Position Risk Designation...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-2
Position Risk Designation
Key Control
Aligned Personnel Security | Position Risk Designation...
7.0_IS_Asset_Management_Policy.pdf
PS-2
Position Risk Designation
Key Control
Aligned Position risk designations reflect Office of Personnel Manag...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PS-3
Personnel Screening
Key Control
Aligned Personnel Security | Personnel Screening...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PS-3
Personnel Screening
Key Control
Aligned Baseline security requirements should be established for dev...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PS-3
Personnel Screening
Key Control
Aligned Personnel Security | Personnel Screening...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-3
Personnel Screening
Key Control
Aligned Human Resource Security...
3.0_IS_Information_Security_Policy_2.pdf
PS-3
Personnel Screening
Key Control
Aligned Personnel Security | Personnel Screening...
7.0_IS_Asset_Management_Policy.pdf
PS-3
Personnel Screening
Key Control
Aligned Access Control | Policy & Procedures...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PS-4
Personnel Termination
Key Control
Aligned 1.9 LEAVING LAZARD...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PS-4
Personnel Termination
Key Control
Aligned User accounts management upon employment status changes...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-4
Personnel Termination
Key Control
Aligned User accounts management upon termination...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-4
Personnel Termination
Key Control
Aligned User accounts management upon termination...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-4
Personnel Termination
Key Control
Aligned User accounts management upon termination...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-4
Personnel Termination
Key Control
Aligned 20.5.2 Non-Compliance...
20.0_IS_Risk_Management_Policy_2.pdf
PS-4
Personnel Termination
Key Control
Aligned a) Managers / HR should ensure that all Lazard employees and...
7.0_IS_Asset_Management_Policy.pdf
PS-4
Personnel Termination
Key Control
Aligned c) In cases where an employee or external party User has kno...
7.0_IS_Asset_Management_Policy.pdf
PS-4
Personnel Termination
Key Control
Aligned Access rights to the Lazard information resources should be ...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
PS-5
Personnel Transfer
Key Control
Aligned LEAVING LAZARD...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PS-5
Personnel Transfer
Key Control
Aligned Service Account: Upon termination of the service account own...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-6
Access Agreements
Aligned User Consent and Acknowledgment...
2.0_IS_Acceptable_Use_Policy.pdf
PS-6
Access Agreements
Aligned 1.6 INFORMATION SECURITY AWARENESS...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PS-6
Access Agreements
Aligned Scope & Applicability...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
PS-6
Access Agreements
Aligned The requirement to protect individual authenticators may be ...
7.0_IS_Asset_Management_Policy.pdf
PS-6
Access Agreements
Aligned Other types of access agreements include nondisclosure agree...
7.0_IS_Asset_Management_Policy.pdf
PS-6
Access Agreements
Aligned Acceptable Use of Assets...
7.0_IS_Asset_Management_Policy.pdf
PS-7
External Personnel Security
Key Control
Aligned This policy is applicable to all Lazard employees, contracto...
2.0_IS_Acceptable_Use_Policy.pdf
PS-7
External Personnel Security
Key Control
Aligned External entities using Lazard cloud services...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PS-7
External Personnel Security
Key Control
Aligned Processes, structures, and internal control mechanisms for l...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PS-7
External Personnel Security
Key Control
Aligned Applicability...
6.0_IS_Data_Security_Policy_1.pdf
PS-7
External Personnel Security
Key Control
Aligned External Provider Management...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PS-7
External Personnel Security
Key Control
Aligned Application Credential Management Policy...
3.0_IS_Information_Security_Policy_2.pdf
PS-7
External Personnel Security
Key Control
Aligned a) Managers / HR should ensure that all Lazard employees and...
7.0_IS_Asset_Management_Policy.pdf
PS-7
External Personnel Security
Key Control
Aligned Coordination and oversight of third-party relationships...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PS-8
Personnel Sanctions
Key Control
Aligned Disciplinary Actions for Policy Violations...
6.1_IS_Data_Security_Standards.pdf
PS-8
Personnel Sanctions
Key Control
Aligned 1.6 ENFORCEMENT/COMPLIANCE...
2.1_IS_Acceptable_Use_Standard.pdf
PS-8
Personnel Sanctions
Key Control
Aligned 1.18 ENFORCEMENT/COMPLIANCE...
2.0_IS_Acceptable_Use_Policy.pdf
PS-8
Personnel Sanctions
Key Control
Aligned Non-Compliance...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PS-8
Personnel Sanctions
Key Control
Aligned ENFORCEMENT Non-Compliance...
6.0_IS_Data_Security_Policy_1.pdf
PS-8
Personnel Sanctions
Key Control
Aligned 1.8 DISCIPLINARY PROCESS...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PS-8
Personnel Sanctions
Key Control
Aligned Section discussing user liability and policy violations...
7.1_IS_Asset_Management_Standard.pdf
PS-8
Personnel Sanctions
Key Control
Aligned Disciplinary Actions for Policy Violations...
7.2_IS_End_User_Device_Standard.pdf
PS-8
Personnel Sanctions
Key Control
Aligned Violation of these policies by anyone other than an employee...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PS-8
Personnel Sanctions
Key Control
Aligned 1.7 ENFORCEMENT...
3.0_IS_Information_Security_Policy_2.pdf
PS-8
Personnel Sanctions
Key Control
Aligned Section 1.4 - Consequences for Violations...
7.0_IS_Asset_Management_Policy.pdf
PS-9
Position Descriptions
Key Control
Aligned Table 3 - Cloud Security Roles...
19.0_IS_Cloud_Computing_Security_Policy.pdf
PS-9
Position Descriptions
Key Control
Aligned Security responsibilities by employees under their supervisi...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PS-9
Position Descriptions
Key Control
Aligned 1.5 ROLES & RESPONSIBILITIES...
20.0_IS_Risk_Management_Policy_2.pdf
PS-9
Position Descriptions
Key Control
Aligned Personnel Security | Position Descriptions...
7.0_IS_Asset_Management_Policy.pdf
PS-9
Position Descriptions
Key Control
Aligned Information Security Roles & Responsibilities...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PT-1
Policy and Procedures
Key Control
Aligned Control References...
6.1_IS_Data_Security_Standards.pdf
PT-1
Policy and Procedures
Key Control
Aligned 1.5 EXCEPTION...
2.1_IS_Acceptable_Use_Standard.pdf
PT-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
PT-1
Policy and Procedures
Key Control
Aligned 1.0 PURPOSE and 1.2 SCOPE & APPLICABILITY...
5.0_IS_Human_Resource_Security_Policy_1.pdf
PT-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
PT-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
PT-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy and the process for requesting exce...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PT-1
Policy and Procedures
Key Control
Aligned 1.0 PURPOSE...
3.0_IS_Information_Security_Policy_2.pdf
PT-1
Policy and Procedures
Key Control
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
PT-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
PT-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PT-2
Authority to Process Personally Identifiable Information
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
PT-2
Authority to Process Personally Identifiable Information
Key Control
Aligned User Agreement on Data Management and Monitoring...
2.1_IS_Acceptable_Use_Standard.pdf
PT-2
Authority to Process Personally Identifiable Information
Key Control
Aligned Shareholders personal information such as Social Security Nu...
6.0_IS_Data_Security_Policy_1.pdf
PT-2
Authority to Process Personally Identifiable Information
Key Control
Aligned Internal and external audit reports....
6.0_IS_Data_Security_Policy_1.pdf
PT-2
Authority to Process Personally Identifiable Information
Key Control
Aligned All personal data that is not required solely for identifica...
6.0_IS_Data_Security_Policy_1.pdf
PT-3
Personally Identifiable Information Processing Purposes
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
PT-4
Consent
Aligned User Consent and Monitoring Policy...
2.0_IS_Acceptable_Use_Policy.pdf
PT-5
Privacy Notice
Key Control
Gap Privacy notices help inform individuals about how their personally identifiable information is being...
Critical Gap - Key Control Missing
PT-6
System of Records Notice
Gap The PRIVACT requires that federal agencies publish a system of records notice in the Federal Registe...
PT-7
Specific Categories of Personally Identifiable Information
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
PT-7
Specific Categories of Personally Identifiable Information
Key Control
Aligned Shareholders personal information such as Social Security Nu...
6.0_IS_Data_Security_Policy_1.pdf
PT-8
Computer Matching Requirements
Gap The PRIVACT establishes requirements for federal and non-federal agencies if they engage in a matchi...
RA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy...
6.1_IS_Data_Security_Standards.pdf
RA-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
RA-1
Policy and Procedures
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
RA-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk Assessment Policy and Procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
RA-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
RA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy and technical and organizational co...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk assessments completed for all organization events and p...
20.0_IS_Risk_Management_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned 1.4.1 RISK REGISTER...
20.0_IS_Risk_Management_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned 1.4 REQUIREMENT...
20.0_IS_Risk_Management_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned Risk assessments completed for all organization events and p...
20.0_IS_Risk_Management_Policy_2.pdf
RA-1
Policy and Procedures
Key Control
Aligned Divisions & Functions are free to define and implement stron...
7.0_IS_Asset_Management_Policy.pdf
RA-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
RA-1
Policy and Procedures
Key Control
Aligned Incident Lifecycle...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
RA-1
Policy and Procedures
Key Control
Aligned Responsibilities for information security risk management ac...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
RA-10
Threat Hunting
Aligned Incident Response | Incident Handling...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RA-10
Threat Hunting
Aligned maintaining processes to track cybersecurity related risk ac...
20.0_IS_Risk_Management_Policy_2.pdf
RA-10
Threat Hunting
Aligned Network Monitoring & Defense...
7.0_IS_Asset_Management_Policy.pdf
RA-2
Security Categorization
Aligned Security categorization processes facilitate the development...
6.1_IS_Data_Security_Standards.pdf
RA-2
Security Categorization
Aligned Classification of Information...
2.1_IS_Acceptable_Use_Standard.pdf
RA-2
Security Categorization
Aligned Risk Assessment | Security Categorization...
2.1_IS_Acceptable_Use_Standard.pdf
RA-2
Security Categorization
Aligned 2.1 Acceptable Use Standard...
2.0_IS_Acceptable_Use_Policy.pdf
RA-2
Security Categorization
Aligned Risk assessments can also be conducted at various steps in t...
2.0_IS_Acceptable_Use_Policy.pdf
RA-2
Security Categorization
Aligned Security categorization of information and systems guides th...
2.0_IS_Acceptable_Use_Policy.pdf
RA-2
Security Categorization
Aligned Such analysis is conducted as part of security categorizatio...
2.0_IS_Acceptable_Use_Policy.pdf
RA-2
Security Categorization
Aligned Security Categorization Process...
26.0_IS_Vulnerability_Management_Policy.pdf
RA-2
Security Categorization
Aligned Assessment, Authorization & Monitoring...
6.0_IS_Data_Security_Policy_1.pdf
RA-2
Security Categorization
Aligned 1.0 PURPOSE...
6.0_IS_Data_Security_Policy_1.pdf
RA-2
Security Categorization
Aligned Risk Assessment | Risk Categorization...
6.0_IS_Data_Security_Policy_1.pdf
RA-2
Security Categorization
Aligned Security categorization processes facilitate the development...
3.0_IS_Information_Security_Policy_2.pdf
RA-2
Security Categorization
Aligned Network Monitoring & Defense...
7.0_IS_Asset_Management_Policy.pdf
RA-2
Security Categorization
Aligned Risk Assessment | Risk Categorization...
7.0_IS_Asset_Management_Policy.pdf
RA-2
Security Categorization
Aligned Security Categorization...
7.0_IS_Asset_Management_Policy.pdf
RA-2
Security Categorization
Aligned Risk Assessment | Risk Categorization...
7.0_IS_Asset_Management_Policy.pdf
RA-3
Risk Assessment
Key Control
Aligned Risk assessments consider threats, vulnerabilities, likeliho...
2.0_IS_Acceptable_Use_Policy.pdf
RA-3
Risk Assessment
Key Control
Aligned Risk Assessment | System Development Life Cycle...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RA-3
Risk Assessment
Key Control
Aligned Vulnerability Ownership & Remediation Responsibility...
26.0_IS_Vulnerability_Management_Policy.pdf
RA-3
Risk Assessment
Key Control
Aligned Risk Assessment | Risk Categorization...
6.0_IS_Data_Security_Policy_1.pdf
RA-3
Risk Assessment
Key Control
Aligned Risk Assessment...
20.0_IS_Risk_Management_Policy_2.pdf
RA-3
Risk Assessment
Key Control
Aligned Risk Assessment and Reporting...
20.0_IS_Risk_Management_Policy_2.pdf
RA-3
Risk Assessment
Key Control
Aligned Incident Lifecycle...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
RA-3
Risk Assessment
Key Control
Aligned Responsibilities for information security risk management ac...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Vulnerability monitoring includes scanning for patch levels;...
6.1_IS_Data_Security_Standards.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Vulnerability monitoring includes scanning for patch levels;...
2.0_IS_Acceptable_Use_Policy.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned The Information Security Team should periodically conduct a ...
19.0_IS_Cloud_Computing_Security_Policy.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Vulnerability monitoring includes scanning for patch levels;...
19.0_IS_Cloud_Computing_Security_Policy.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned The Information Security Team should periodically conduct a ...
19.0_IS_Cloud_Computing_Security_Policy.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned The Information Security Team should periodically conduct a ...
19.0_IS_Cloud_Computing_Security_Policy.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Vulnerability Monitoring and Scanning...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Technical compliance review...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Technical review of applications after operating platform ch...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Risk Assessment | Vulnerability Monitoring & Scanning...
26.0_IS_Vulnerability_Management_Policy.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Automated vulnerability scans should be used to scan all ide...
26.0_IS_Vulnerability_Management_Policy.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned A.14.1.3 Protecting Application Services Transactions...
6.0_IS_Data_Security_Policy_1.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Vulnerability Monitoring...
3.0_IS_Information_Security_Policy_2.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Risk Assessment...
20.0_IS_Risk_Management_Policy_2.pdf
RA-5
Vulnerability Monitoring and Scanning
Aligned Material Reactive Services...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
RA-6
Technical Surveillance Countermeasures Survey
Gap A technical surveillance countermeasures survey is a service provided by qualified personnel to dete...
RA-7
Risk Response
Aligned Detailed explanation of why the exception is necessary and D...
19.0_IS_Cloud_Computing_Security_Policy.pdf
RA-7
Risk Response
Aligned Risk Assessment | Risk Response...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RA-7
Risk Response
Aligned Detailed mitigation information, if available....
26.0_IS_Vulnerability_Management_Policy.pdf
RA-7
Risk Response
Aligned Policy statement requiring the exception....
6.0_IS_Data_Security_Policy_1.pdf
RA-7
Risk Response
Aligned Detailed explanation of why the exception is necessary and D...
5.0_IS_Human_Resource_Security_Policy_1.pdf
RA-7
Risk Response
Aligned Information Security Incident Management and Risk Policy...
3.0_IS_Information_Security_Policy_2.pdf
RA-7
Risk Response
Aligned Risk Management Performance...
20.0_IS_Risk_Management_Policy_2.pdf
RA-7
Risk Response
Aligned Incident Lifecycle...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
RA-7
Risk Response
Aligned Detailed mitigation information, if available....
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
RA-7
Risk Response
Aligned Policy statement requiring the exception....
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
RA-8
Privacy Impact Assessments
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
RA-9
Criticality Analysis
Key Control
Aligned Criticality analysis is performed when an architecture or de...
6.1_IS_Data_Security_Standards.pdf
RA-9
Criticality Analysis
Key Control
Aligned Risk Assessment | Criticality Analysis...
2.1_IS_Acceptable_Use_Standard.pdf
RA-9
Criticality Analysis
Key Control
Aligned Risk assessments can play an important role in control selec...
2.0_IS_Acceptable_Use_Policy.pdf
RA-9
Criticality Analysis
Key Control
Aligned Criticality analysis is performed when an architecture or de...
2.0_IS_Acceptable_Use_Policy.pdf
RA-9
Criticality Analysis
Key Control
Aligned Risk Assessment | Criticality Analysis...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RA-9
Criticality Analysis
Key Control
Aligned Assessment, Authorization & Monitoring...
6.0_IS_Data_Security_Policy_1.pdf
RA-9
Criticality Analysis
Key Control
Aligned Risk Assessment | Risk Categorization...
6.0_IS_Data_Security_Policy_1.pdf
RA-9
Criticality Analysis
Key Control
Aligned Risk Assessment | Criticality Analysis...
7.0_IS_Asset_Management_Policy.pdf
RA-9
Criticality Analysis
Key Control
Aligned Criticality Analysis...
7.0_IS_Asset_Management_Policy.pdf
RA-9
Criticality Analysis
Key Control
Aligned Risk Assessment | Criticality Analysis...
7.0_IS_Asset_Management_Policy.pdf
SA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
SA-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.1_IS_Acceptable_Use_Standard.pdf
SA-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
SA-1
Policy and Procedures
Key Control
Aligned 1.15 EXCEPTION...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-1
Policy and Procedures
Key Control
Aligned System and services acquisition policy and procedures...
26.0_IS_Vulnerability_Management_Policy.pdf
SA-1
Policy and Procedures
Key Control
Aligned 1.12 EXCEPTION...
6.0_IS_Data_Security_Policy_1.pdf
SA-1
Policy and Procedures
Key Control
Aligned Policy exception process...
7.1_IS_Asset_Management_Standard.pdf
SA-1
Policy and Procedures
Key Control
Aligned System and services acquisition policy and procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SA-1
Policy and Procedures
Key Control
Aligned Section 1.5 - Policy Exceptions...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-1
Policy and Procedures
Key Control
Aligned Information Security and Service Delivery...
3.0_IS_Information_Security_Policy_2.pdf
SA-1
Policy and Procedures
Key Control
Aligned System Acquisition, Development and Maintenance...
3.0_IS_Information_Security_Policy_2.pdf
SA-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
20.0_IS_Risk_Management_Policy_2.pdf
SA-1
Policy and Procedures
Key Control
Aligned Divisions & Functions are free to define and implement stron...
7.0_IS_Asset_Management_Policy.pdf
SA-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
SA-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
SA-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SA-10
Developer Configuration Management
Key Control
Aligned 2.1 Acceptable Use Standard and 8.0 Access Control Policy...
2.0_IS_Acceptable_Use_Policy.pdf
SA-10
Developer Configuration Management
Key Control
Aligned 1.5 CLOUD SECURITY MANAGEMENT...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-10
Developer Configuration Management
Key Control
Aligned Secure Configuration of Enterprise Assets and Software...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-10
Developer Configuration Management
Key Control
Aligned Protecting Application Services Transactions...
6.0_IS_Data_Security_Policy_1.pdf
SA-10
Developer Configuration Management
Key Control
Aligned Configuration Management | Policies & Procedures, Configurat...
3.0_IS_Information_Security_Policy_2.pdf
SA-10
Developer Configuration Management
Key Control
Aligned Configuration Management Activities...
7.0_IS_Asset_Management_Policy.pdf
SA-11
Developer Testing and Evaluation
Aligned Developmental testing and evaluation confirms that the requi...
2.0_IS_Acceptable_Use_Policy.pdf
SA-11
Developer Testing and Evaluation
Aligned Processes, procedures, and controls to safeguard Lazard’s en...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-11
Developer Testing and Evaluation
Aligned The Information Security Team should periodically conduct a ...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-11
Developer Testing and Evaluation
Aligned The Information Security Team should utilize specialized sof...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-11
Developer Testing and Evaluation
Aligned Management of technical vulnerabilities...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-11
Developer Testing and Evaluation
Aligned Protecting Application Services Transactions...
6.0_IS_Data_Security_Policy_1.pdf
SA-11
Developer Testing and Evaluation
Aligned Configuration Management | Policies & Procedures...
3.0_IS_Information_Security_Policy_2.pdf
SA-15
Development Process, Standards, and Tools
Key Control
Aligned System & Services Acquisition | Developer Security & Privacy...
6.0_IS_Data_Security_Policy_1.pdf
SA-15
Development Process, Standards, and Tools
Key Control
Aligned Development tools and processes integrity...
3.0_IS_Information_Security_Policy_2.pdf
SA-16
Developer-provided Training
Aligned Awareness & Training | Role-based Training...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-16
Developer-provided Training
Aligned Security Awareness Training Program responsibilities...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SA-16
Developer-provided Training
Aligned Security Awareness & Skills Training...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SA-17
Developer Security and Privacy Architecture and Design
Aligned Section 2.1 Acceptable Use Standard and Access Control Polic...
2.0_IS_Acceptable_Use_Policy.pdf
SA-17
Developer Security and Privacy Architecture and Design
Aligned System Acquisition, Development and Maintenance...
3.0_IS_Information_Security_Policy_2.pdf
SA-2
Allocation of Resources
Key Control
Aligned Security and privacy functional requirements are typically d...
2.0_IS_Acceptable_Use_Policy.pdf
SA-2
Allocation of Resources
Key Control
Aligned Cloud Security Management...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-2
Allocation of Resources
Key Control
Aligned CLOUD SECURITY MANAGEMENT...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-2
Allocation of Resources
Key Control
Aligned Technical and Organizational Controls...
26.0_IS_Vulnerability_Management_Policy.pdf
SA-2
Allocation of Resources
Key Control
Aligned The IT team should identify the security features and manage...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-2
Allocation of Resources
Key Control
Aligned System Acquisition, Development and Maintenance...
3.0_IS_Information_Security_Policy_2.pdf
SA-20
Customized Development of Critical Components
Key Control
Aligned 2.1 Acceptable Use Standard and 8.0 Access Control Policy...
2.0_IS_Acceptable_Use_Policy.pdf
SA-20
Customized Development of Critical Components
Key Control
Aligned Access Control Policy...
2.0_IS_Acceptable_Use_Policy.pdf
SA-20
Customized Development of Critical Components
Key Control
Aligned Controls can be viewed as descriptions of the safeguards and...
2.0_IS_Acceptable_Use_Policy.pdf
SA-20
Customized Development of Critical Components
Key Control
Aligned Supply Chain Risk Management...
2.0_IS_Acceptable_Use_Policy.pdf
SA-20
Customized Development of Critical Components
Key Control
Aligned Management of technical vulnerabilities...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-21
Developer Screening
Key Control
Aligned Baseline security requirements should be established for dev...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-21
Developer Screening
Key Control
Aligned System & Services Acquisition | Developer Screening...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SA-21
Developer Screening
Key Control
Aligned Access Control | Policy & Procedures...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SA-22
Unsupported System Components
Key Control
Aligned h. A regular schedule will be developed for patching of all ...
26.0_IS_Vulnerability_Management_Policy.pdf
SA-22
Unsupported System Components
Key Control
Aligned i. System components and devices attached to the Lazard netw...
26.0_IS_Vulnerability_Management_Policy.pdf
SA-22
Unsupported System Components
Key Control
Aligned j. Patching should include updates to all operating systems ...
26.0_IS_Vulnerability_Management_Policy.pdf
SA-22
Unsupported System Components
Key Control
Aligned k. Other patches not designated as critical by the vendor sh...
26.0_IS_Vulnerability_Management_Policy.pdf
SA-22
Unsupported System Components
Key Control
Aligned u) There are cases where Lazard will allow external connecti...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-22
Unsupported System Components
Key Control
Aligned Support for system components includes software patches, fir...
3.0_IS_Information_Security_Policy_2.pdf
SA-23
Specialization
Key Control
Aligned Security features of network services include, but are not l...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-3
System Development Life Cycle
Key Control
Aligned CLOUD SECURITY MANAGEMENT...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-3
System Development Life Cycle
Key Control
Aligned CLOUD SECURITY MANAGEMENT...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-3
System Development Life Cycle
Key Control
Aligned Baseline security requirements should be established for dev...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-3
System Development Life Cycle
Key Control
Aligned Security mechanisms, service levels and management requireme...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-3
System Development Life Cycle
Key Control
Aligned System Acquisition, Development and Maintenance...
3.0_IS_Information_Security_Policy_2.pdf
SA-3
System Development Life Cycle
Key Control
Aligned 1.4 REQUIREMENT...
20.0_IS_Risk_Management_Policy_2.pdf
SA-3
System Development Life Cycle
Key Control
Aligned System Development Life Cycle...
7.0_IS_Asset_Management_Policy.pdf
SA-3
System Development Life Cycle
Key Control
Aligned System Development Life Cycle Process...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SA-3
System Development Life Cycle
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SA-4
Acquisition Process
Aligned 1.5 EXCEPTION...
2.1_IS_Acceptable_Use_Standard.pdf
SA-4
Acquisition Process
Aligned Security and privacy functional requirements are typically d...
2.0_IS_Acceptable_Use_Policy.pdf
SA-4
Acquisition Process
Aligned CLOUD SECURITY MANAGEMENT...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-4
Acquisition Process
Aligned Management of technical vulnerabilities...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-4
Acquisition Process
Aligned System & Services Acquisition | Development Process, Standar...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-4
Acquisition Process
Aligned System & Services Acquisition | Development Process, Standar...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-4
Acquisition Process
Aligned Technical and Organizational Controls...
26.0_IS_Vulnerability_Management_Policy.pdf
SA-4
Acquisition Process
Aligned Security and privacy functional requirements are typically d...
6.0_IS_Data_Security_Policy_1.pdf
SA-4
Acquisition Process
Aligned Security mechanisms, service levels and management requireme...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-4
Acquisition Process
Aligned System Acquisition, Development and Maintenance...
3.0_IS_Information_Security_Policy_2.pdf
SA-4
Acquisition Process
Aligned 1.4 REQUIREMENT...
20.0_IS_Risk_Management_Policy_2.pdf
SA-4
Acquisition Process
Aligned Control: SA-4...
7.0_IS_Asset_Management_Policy.pdf
SA-4
Acquisition Process
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
SA-4
Acquisition Process
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SA-5
System Documentation
Aligned 1.12 GOVERNANCE...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-5
System Documentation
Aligned System Documentation...
7.0_IS_Asset_Management_Policy.pdf
SA-8
Security and Privacy Engineering Principles
Aligned Control: SA-8: Systems security and privacy engineering prin...
2.0_IS_Acceptable_Use_Policy.pdf
SA-8
Security and Privacy Engineering Principles
Aligned CLOUD SECURITY MANAGEMENT...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-8
Security and Privacy Engineering Principles
Aligned CLOUD SECURITY MANAGEMENT...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-8
Security and Privacy Engineering Principles
Aligned The security engineering principles in SA-8 help individuals...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-8
Security and Privacy Engineering Principles
Aligned Endpoint Security Device Management...
7.1_IS_Asset_Management_Standard.pdf
SA-8
Security and Privacy Engineering Principles
Aligned The IT team should identify the security features and manage...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-8
Security and Privacy Engineering Principles
Aligned Control: SA-8...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-8
Security and Privacy Engineering Principles
Aligned System Acquisition, Development and Maintenance...
3.0_IS_Information_Security_Policy_2.pdf
SA-8
Security and Privacy Engineering Principles
Aligned System Acquisition, Development and Maintenance...
3.0_IS_Information_Security_Policy_2.pdf
SA-8
Security and Privacy Engineering Principles
Aligned 1.4 REQUIREMENT...
20.0_IS_Risk_Management_Policy_2.pdf
SA-8
Security and Privacy Engineering Principles
Aligned Security Engineering Principles...
7.0_IS_Asset_Management_Policy.pdf
SA-8
Security and Privacy Engineering Principles
Aligned Control: SA-8: Systems security and privacy engineering prin...
7.0_IS_Asset_Management_Policy.pdf
SA-8
Security and Privacy Engineering Principles
Aligned Security Engineering Principles...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SA-8
Security and Privacy Engineering Principles
Aligned 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SA-8
Security and Privacy Engineering Principles
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SA-9
External System Services
Key Control
Aligned High-Risk Technology Assets...
6.1_IS_Data_Security_Standards.pdf
SA-9
External System Services
Key Control
Aligned External entities using Lazard cloud services...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SA-9
External System Services
Key Control
Aligned Processes, structures, and internal control mechanisms for l...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-9
External System Services
Key Control
Aligned Supply Chain Risk Management | Supplier Assessments & Review...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-9
External System Services
Key Control
Aligned Supply Chain Risk Management | Supply Chain Controls & Proce...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SA-9
External System Services
Key Control
Aligned External Connections from System Vendors...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SA-9
External System Services
Key Control
Aligned Coordination and oversight of third-party relationships...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SC-1
Policy and Procedures
Aligned Exceptions to the policy should be approved by InfoSec in ad...
6.1_IS_Data_Security_Standards.pdf
SC-1
Policy and Procedures
Aligned 1.1 SCOPE & APPLICABILITY...
2.1_IS_Acceptable_Use_Standard.pdf
SC-1
Policy and Procedures
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
SC-1
Policy and Procedures
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
SC-1
Policy and Procedures
Aligned Mobile Device Policy, Teleworking, Security of Kit and Asset...
6.0_IS_Data_Security_Policy_1.pdf
SC-1
Policy and Procedures
Aligned Security responsibilities by employees under their supervisi...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SC-1
Policy and Procedures
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
SC-1
Policy and Procedures
Aligned System and Communications Protection Policy and Procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SC-1
Policy and Procedures
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
SC-1
Policy and Procedures
Aligned General Network Security & Management (Section 1.2.1) and Re...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-1
Policy and Procedures
Aligned Communications Security...
3.0_IS_Information_Security_Policy_2.pdf
SC-1
Policy and Procedures
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
SC-1
Policy and Procedures
Aligned Policy Exceptions and Implementation...
7.0_IS_Asset_Management_Policy.pdf
SC-1
Policy and Procedures
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
SC-1
Policy and Procedures
Aligned Exceptions to the policy should be approved by InfoSec in ad...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
SC-1
Policy and Procedures
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SC-10
Network Disconnect
Aligned i. Appropriate interfaces are created to segregate Lazard’s ...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SC-10
Network Disconnect
Aligned Network Infrastructure Management...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-10
Network Disconnect
Aligned Devices that are Internet-facing and outside the Lazard fire...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-11
Trusted Path
Gap Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) ...
SC-12
Cryptographic Key Establishment and Management
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-12
Cryptographic Key Establishment and Management
Aligned Cryptographic Key Management and Establishment...
6.0_IS_Data_Security_Policy_1.pdf
SC-12
Cryptographic Key Establishment and Management
Aligned Cryptography...
3.0_IS_Information_Security_Policy_2.pdf
SC-13
Cryptographic Protection
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-13
Cryptographic Protection
Aligned Cryptographic Protection and Digital Certificates...
6.0_IS_Data_Security_Policy_1.pdf
SC-13
Cryptographic Protection
Aligned Security features of network services include, but are not l...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-13
Cryptographic Protection
Aligned Cryptography...
3.0_IS_Information_Security_Policy_2.pdf
SC-13
Cryptographic Protection
Aligned Cryptography can be employed to support a variety of securit...
7.0_IS_Asset_Management_Policy.pdf
SC-15
Collaborative Computing Devices and Applications
Aligned Network Controls...
6.0_IS_Data_Security_Policy_1.pdf
SC-16
Transmission of Security and Privacy Attributes
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
SC-16
Transmission of Security and Privacy Attributes
Key Control
Aligned Disseminating information about employees or lists of Lazard...
2.1_IS_Acceptable_Use_Standard.pdf
SC-16
Transmission of Security and Privacy Attributes
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
SC-16
Transmission of Security and Privacy Attributes
Key Control
Aligned Attributes aspects of an identity....
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-16
Transmission of Security and Privacy Attributes
Key Control
Aligned Shareholders personal information and all data classified as...
6.0_IS_Data_Security_Policy_1.pdf
SC-16
Transmission of Security and Privacy Attributes
Key Control
Aligned Access Control...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SC-16
Transmission of Security and Privacy Attributes
Key Control
Aligned Overview and Scope & Applicability...
7.2_IS_End_User_Device_Standard.pdf
SC-17
Public Key Infrastructure Certificates
Aligned Discussion on digital certificates and their verification...
6.0_IS_Data_Security_Policy_1.pdf
SC-18
Mobile Code
Aligned Procedures for preventing malware execution on endpoint devi...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SC-2
Separation of System and User Functionality
Aligned 1.11 USER ID & PASSWORD SECURITY...
2.0_IS_Acceptable_Use_Policy.pdf
SC-2
Separation of System and User Functionality
Aligned segregated and access restricted to prevent inappropriate di...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-2
Separation of System and User Functionality
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SC-2
Separation of System and User Functionality
Aligned Access to Networks and Network Services...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SC-2
Separation of System and User Functionality
Aligned Section 6: Desktops and 1.1.3 Laptops...
7.2_IS_End_User_Device_Standard.pdf
SC-2
Separation of System and User Functionality
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
Aligned System & Communications Protection | Secure Name/Address Reso...
6.1_IS_Data_Security_Standards.pdf
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
Aligned System & Communications Protection | Secure Name/Address Res...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
Aligned System & Communications Protection | Secure Name/Address Res...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
Aligned System & Communications Protection | Architecture and Provis...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
Aligned Network Controls...
6.0_IS_Data_Security_Policy_1.pdf
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
Aligned System & Communications Protection | Secure Name/Address Reso...
6.0_IS_Data_Security_Policy_1.pdf
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
Aligned Network Infrastructure Management...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-20
Secure Name/Address Resolution Service (Authoritative Source)
Key Control
Aligned 1.2.3 Network Segregation & Segmentation...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-21
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Aligned System & Communications Protection | Secure Name/Address Res...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-21
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Aligned System & Communications Protection | Secure Name/Address Res...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-21
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Aligned System & Communications Protection | Architecture and Provis...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-21
Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Aligned System & Communications Protection | Secure Name/Address Reso...
6.0_IS_Data_Security_Policy_1.pdf
SC-22
Architecture and Provisioning for Name/Address Resolution Service
Aligned System & Communications Protection | Secure Name/Address Res...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-22
Architecture and Provisioning for Name/Address Resolution Service
Aligned System & Communications Protection | Secure Name/Address Res...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-22
Architecture and Provisioning for Name/Address Resolution Service
Aligned System & Communications Protection | Architecture and Provis...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-22
Architecture and Provisioning for Name/Address Resolution Service
Aligned System & Communications Protection | Secure Name/Address Reso...
6.0_IS_Data_Security_Policy_1.pdf
SC-22
Architecture and Provisioning for Name/Address Resolution Service
Aligned 1.2.3 Network Segregation & Segmentation...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-23
Session Authenticity
Gap Protecting session authenticity addresses communications protection at the session level, not at the...
SC-24
Fail in Known State
Aligned Information Security Aspects of Business Continuity Manageme...
3.0_IS_Information_Security_Policy_2.pdf
SC-24
Fail in Known State
Aligned Recovery...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SC-25
Thin Nodes
Aligned The principle of least functionality provides that informati...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-26
Decoys
Aligned Section 3 and Section 5...
2.1_IS_Acceptable_Use_Standard.pdf
SC-27
Platform-independent Applications
Aligned Portability and Cloud Services...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned Data at rest* Required - Encrypt PII/NPI data element under ...
6.1_IS_Data_Security_Standards.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned Data at rest* Required - Encrypt PII/NPI data element under ...
6.1_IS_Data_Security_Standards.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned d. Each email gateway should utilize Lazard Information Secu...
26.0_IS_Vulnerability_Management_Policy.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned f. All files received over networks or from any external sto...
26.0_IS_Vulnerability_Management_Policy.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned Information at rest refers to the state of information when ...
6.0_IS_Data_Security_Policy_1.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned IT Asset (NEW) and other assets Retirement and Disposal...
7.1_IS_Asset_Management_Standard.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned 10. Employees should take appropriate measures, whenever pos...
7.2_IS_End_User_Device_Standard.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned 1.1.4 Smartphones, Mobile, and Other Wireless Devices...
7.2_IS_End_User_Device_Standard.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned Asset Management, Access Control, Cryptography, Operations S...
3.0_IS_Information_Security_Policy_2.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned PURPOSE...
20.0_IS_Risk_Management_Policy_2.pdf
SC-28
Protection of Information at Rest
Key Control
Aligned Access Control | Security & Privacy Attributes...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SC-29
Heterogeneity
Aligned 1.2.1 General Network Security...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-3
Security Function Isolation
Aligned Access Control | Information Flow Enforcement, Access Contro...
6.1_IS_Data_Security_Standards.pdf
SC-3
Security Function Isolation
Aligned Control: SC-3...
6.0_IS_Data_Security_Policy_1.pdf
SC-3
Security Function Isolation
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-30
Concealment and Misdirection
Gap Concealment and misdirection techniques can significantly reduce the targeting capabilities of adver...
SC-31
Covert Channel Analysis
Gap Developers are in the best position to identify potential areas within systems that might lead to co...
SC-32
System Partitioning
Aligned 1.2.3 Network Segregation & Segmentation...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-34
Non-modifiable Executable Programs
Key Control
Gap The operating environment for a system contains the code that hosts applications, including operatin...
Critical Gap - Key Control Missing
SC-35
External Malicious Code Identification
Aligned Section 3 and Section 5...
2.1_IS_Acceptable_Use_Standard.pdf
SC-35
External Malicious Code Identification
Aligned Procedures, supporting business processes, and technical mea...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SC-35
External Malicious Code Identification
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-35
External Malicious Code Identification
Aligned Section d, e, and f regarding email gateway virus protection...
26.0_IS_Vulnerability_Management_Policy.pdf
SC-36
Distributed Processing and Storage
Key Control
Gap Distributing processing and storage across multiple physical locations or logical domains provides a...
Critical Gap - Key Control Missing
SC-37
Out-of-band Channels
Key Control
Aligned System & Communications Protection | Out-of-Band Channels...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-37
Out-of-band Channels
Key Control
Aligned o) Modems and or any out of band management products that co...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-38
Operations Security
Aligned System & Communications Protection | Session Authenticity...
6.1_IS_Data_Security_Standards.pdf
SC-38
Operations Security
Aligned System & Communications Protection | Session Authenticity...
6.0_IS_Data_Security_Policy_1.pdf
SC-38
Operations Security
Aligned Operations Security...
3.0_IS_Information_Security_Policy_2.pdf
SC-39
Process Isolation
Gap Systems can maintain separate execution domains for each executing process by assigning each process...
SC-4
Information in Shared System Resources
Key Control
Aligned Section 6-10 regarding dissemination and unauthorized action...
2.1_IS_Acceptable_Use_Standard.pdf
SC-4
Information in Shared System Resources
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
SC-4
Information in Shared System Resources
Key Control
Aligned Data Destruction Procedures...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SC-4
Information in Shared System Resources
Key Control
Aligned Data Loss Prevention Mechanism...
6.0_IS_Data_Security_Policy_1.pdf
SC-4
Information in Shared System Resources
Key Control
Aligned Applicability...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SC-4
Information in Shared System Resources
Key Control
Aligned IS Risk Management Policy...
20.0_IS_Risk_Management_Policy_2.pdf
SC-4
Information in Shared System Resources
Key Control
Aligned Responsibilities during a BC/DR event, test, or execution...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
SC-40
Wireless Link Protection
Aligned Data Protection, Access Control Management, Network Infrastr...
6.0_IS_Data_Security_Policy_1.pdf
SC-40
Wireless Link Protection
Aligned c. The following controls apply to wireless access points wi...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SC-40
Wireless Link Protection
Aligned Section 10 and 11 regarding approved end-user devices and un...
7.2_IS_End_User_Device_Standard.pdf
SC-40
Wireless Link Protection
Aligned Wireless Public Internet Connections (Section 1.2.6)...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-41
Port and I/O Device Access
Gap Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/ou...
SC-42
Sensor Capability and Data
Key Control
Aligned User agrees that designated staff can monitor his/her device...
2.1_IS_Acceptable_Use_Standard.pdf
SC-42
Sensor Capability and Data
Key Control
Aligned 1.14 BRING YOUR OWN DEVICE (BYOD)...
2.0_IS_Acceptable_Use_Policy.pdf
SC-42
Sensor Capability and Data
Key Control
Aligned 1.1.4 Smartphones, Mobile, and Other Wireless Devices...
7.2_IS_End_User_Device_Standard.pdf
SC-42
Sensor Capability and Data
Key Control
Aligned End-user Device Security Policy...
3.0_IS_Information_Security_Policy_2.pdf
SC-42
Sensor Capability and Data
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SC-43
Usage Restrictions
Key Control
Aligned Section 2 and VI. BYOD...
2.1_IS_Acceptable_Use_Standard.pdf
SC-43
Usage Restrictions
Key Control
Aligned 1.3 ACCEPTABLE USE...
2.0_IS_Acceptable_Use_Policy.pdf
SC-43
Usage Restrictions
Key Control
Aligned segregated and access restricted to prevent inappropriate di...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-43
Usage Restrictions
Key Control
Aligned Mobile Device Policy...
6.0_IS_Data_Security_Policy_1.pdf
SC-43
Usage Restrictions
Key Control
Aligned Section 1.6 EXCEPTION...
7.1_IS_Asset_Management_Standard.pdf
SC-43
Usage Restrictions
Key Control
Aligned Section 1.2.2 Access to Networks and Network Services...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SC-43
Usage Restrictions
Key Control
Aligned Equipment and media containing confidential information shou...
7.2_IS_End_User_Device_Standard.pdf
SC-43
Usage Restrictions
Key Control
Aligned Section s) and t)...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-43
Usage Restrictions
Key Control
Aligned End-user Device Security Policy...
3.0_IS_Information_Security_Policy_2.pdf
SC-44
Detonation Chambers
Aligned System & Communications Protection | Detonation Chambers...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-45
System Time Synchronization
Gap Time synchronization of system clocks is essential for the correct execution of many system services...
SC-46
Cross Domain Policy Enforcement
Key Control
Aligned Section 9 and 10 regarding equipment and media security and ...
7.2_IS_End_User_Device_Standard.pdf
SC-46
Cross Domain Policy Enforcement
Key Control
Aligned Section p) and q)...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-47
Alternate Communications Paths
Aligned System & Communications Protection | Out-of-Band Channels...
6.1_IS_Data_Security_Standards.pdf
SC-47
Alternate Communications Paths
Aligned System & Communications Protection | Alternate Communications...
6.1_IS_Data_Security_Standards.pdf
SC-47
Alternate Communications Paths
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SC-48
Sensor Relocation
Key Control
Aligned 1.2.1 General Network Security...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-48
Sensor Relocation
Key Control
Aligned Adversarial strategies during security events...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
SC-49
Hardware-enforced Separation and Policy Enforcement
Key Control
Aligned Access Control and User Management...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-49
Hardware-enforced Separation and Policy Enforcement
Key Control
Aligned 1.6 EXCEPTION...
7.1_IS_Asset_Management_Standard.pdf
SC-49
Hardware-enforced Separation and Policy Enforcement
Key Control
Aligned EXCEPTION...
7.2_IS_End_User_Device_Standard.pdf
SC-49
Hardware-enforced Separation and Policy Enforcement
Key Control
Aligned 1.2.3 Network Segregation & Segmentation...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-49
Hardware-enforced Separation and Policy Enforcement
Key Control
Aligned Divisions & Functions are free to define and implement stron...
7.0_IS_Asset_Management_Policy.pdf
SC-5
Denial-of-service Protection
Aligned System & Communications Protection | Denial of Service Prote...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-5
Denial-of-service Protection
Aligned Network Infrastructure Management...
6.0_IS_Data_Security_Policy_1.pdf
SC-5
Denial-of-service Protection
Aligned Security mechanisms, service levels and management requireme...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-5
Denial-of-service Protection
Aligned Containment strategies for incidents...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SC-50
Software-enforced Separation and Policy Enforcement
Key Control
Aligned Technical and Organizational Controls...
26.0_IS_Vulnerability_Management_Policy.pdf
SC-50
Software-enforced Separation and Policy Enforcement
Key Control
Aligned 1.6 EXCEPTION...
7.1_IS_Asset_Management_Standard.pdf
SC-50
Software-enforced Separation and Policy Enforcement
Key Control
Aligned EXCEPTION...
7.2_IS_End_User_Device_Standard.pdf
SC-50
Software-enforced Separation and Policy Enforcement
Key Control
Aligned 1.2.3 Network Segregation & Segmentation...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-50
Software-enforced Separation and Policy Enforcement
Key Control
Aligned Divisions & Functions may implement stronger security requir...
7.0_IS_Asset_Management_Policy.pdf
SC-50
Software-enforced Separation and Policy Enforcement
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
SC-50
Software-enforced Separation and Policy Enforcement
Key Control
Aligned Exceptions to the policy should be approved by InfoSec in ad...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
SC-51
Hardware-based Protection
Gap None....
SC-6
Resource Availability
Aligned System & Communications Protection...
7.0_IS_Asset_Management_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Network Controls...
6.1_IS_Data_Security_Standards.pdf
SC-7
Boundary Protection
Key Control
Aligned Control Name...
6.1_IS_Data_Security_Standards.pdf
SC-7
Boundary Protection
Key Control
Aligned Development of Lazard Internet sites and Internet activities...
2.0_IS_Acceptable_Use_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned System & Communications Protection | Boundary Protection...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-7
Boundary Protection
Key Control
Aligned Control: SC-7...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-7
Boundary Protection
Key Control
Aligned Controls to prevent or detect the use of known or suspected ...
26.0_IS_Vulnerability_Management_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned All files received over networks or from any external storag...
26.0_IS_Vulnerability_Management_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Network Infrastructure Management...
6.0_IS_Data_Security_Policy_1.pdf
SC-7
Boundary Protection
Key Control
Aligned Network Infrastructure Management...
6.0_IS_Data_Security_Policy_1.pdf
SC-7
Boundary Protection
Key Control
Aligned Network Controls...
6.0_IS_Data_Security_Policy_1.pdf
SC-7
Boundary Protection
Key Control
Aligned Access Control Policy...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SC-7
Boundary Protection
Key Control
Aligned Access Control | Policy & Procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SC-7
Boundary Protection
Key Control
Aligned i. Appropriate interfaces are created to segregate Lazard’s ...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SC-7
Boundary Protection
Key Control
Aligned Voice Communications Equipment Protection...
7.2_IS_End_User_Device_Standard.pdf
SC-7
Boundary Protection
Key Control
Aligned Network Monitoring and Defense...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Network Infrastructure Management...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned k) Information Security should explicitly authorize all netw...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Network and Firewall Security Policy...
3.0_IS_Information_Security_Policy_2.pdf
SC-7
Boundary Protection
Key Control
Aligned Network Controls...
7.0_IS_Asset_Management_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Segregation in Networks...
7.0_IS_Asset_Management_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Control: SC-8: Protecting the confidentiality and integrity ...
7.0_IS_Asset_Management_Policy.pdf
SC-7
Boundary Protection
Key Control
Aligned Discussion on various types of attacks and incidents related...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SC-7
Boundary Protection
Key Control
Aligned Electronic Messaging...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned Control Name...
6.1_IS_Data_Security_Standards.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned 2.1 Acceptable Use Standard...
2.0_IS_Acceptable_Use_Policy.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned 1.7 CLOUD SYSTEMS...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned System & Communications Protection...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned System & Communications Protection | Protecting the confiden...
6.0_IS_Data_Security_Policy_1.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned System and Communications Protection...
6.0_IS_Data_Security_Policy_1.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned 1.1.6 Telecommunications...
7.2_IS_End_User_Device_Standard.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned Security features of network services include, but are not l...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned Communications Security...
3.0_IS_Information_Security_Policy_2.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned Control: SC-8: Protecting the confidentiality and integrity ...
7.0_IS_Asset_Management_Policy.pdf
SC-8
Transmission Confidentiality and Integrity
Key Control
Aligned Electronic Messaging...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SI-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy...
6.1_IS_Data_Security_Standards.pdf
SI-1
Policy and Procedures
Key Control
Aligned 1.5 EXCEPTION...
2.1_IS_Acceptable_Use_Standard.pdf
SI-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
2.0_IS_Acceptable_Use_Policy.pdf
SI-1
Policy and Procedures
Key Control
Aligned 1.15 EXCEPTION...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-1
Policy and Procedures
Key Control
Aligned System and Information Integrity Policy and Procedures...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-1
Policy and Procedures
Key Control
Aligned 1.12 EXCEPTION...
6.0_IS_Data_Security_Policy_1.pdf
SI-1
Policy and Procedures
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SI-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.1_IS_Asset_Management_Standard.pdf
SI-1
Policy and Procedures
Key Control
Aligned System and information integrity policy and procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SI-1
Policy and Procedures
Key Control
Aligned Policy Exception Process...
7.2_IS_End_User_Device_Standard.pdf
SI-1
Policy and Procedures
Key Control
Aligned Section 1.5 - Exceptions to the policy...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SI-1
Policy and Procedures
Key Control
Aligned Data Security – Establishes controls and framework for class...
3.0_IS_Information_Security_Policy_2.pdf
SI-1
Policy and Procedures
Key Control
Aligned II. Lazard understands that information security is critical...
3.0_IS_Information_Security_Policy_2.pdf
SI-1
Policy and Procedures
Key Control
Aligned III. Lazard should ensure that applicable regulatory, legisl...
3.0_IS_Information_Security_Policy_2.pdf
SI-1
Policy and Procedures
Key Control
Aligned IV. Lazard should strive to provide a secure working environ...
3.0_IS_Information_Security_Policy_2.pdf
SI-1
Policy and Procedures
Key Control
Aligned VI. Lazard should develop a detailed set of policies, on a r...
3.0_IS_Information_Security_Policy_2.pdf
SI-1
Policy and Procedures
Key Control
Aligned Information Security incidents that are investigated and ana...
20.0_IS_Risk_Management_Policy_2.pdf
SI-1
Policy and Procedures
Key Control
Aligned Divisions & Functions are free to define and implement stron...
7.0_IS_Asset_Management_Policy.pdf
SI-1
Policy and Procedures
Key Control
Aligned EXCEPTION...
27.0_IS_Lazard_Reference_Timeout_Standard.pdf
SI-1
Policy and Procedures
Key Control
Aligned System and information integrity policy and procedures...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SI-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy...
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf
SI-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SI-10
Information Input Validation
Aligned Data Owners are ultimately responsible for the integrity of ...
6.0_IS_Data_Security_Policy_1.pdf
SI-11
Error Handling
Gap Organizations consider the structure and content of error messages. The extent to which systems can ...
SI-12
Information Management and Retention
Aligned Disposal (in accordance with Retention Policy)...
6.1_IS_Data_Security_Standards.pdf
SI-12
Information Management and Retention
Aligned Classification of Information...
2.1_IS_Acceptable_Use_Standard.pdf
SI-12
Information Management and Retention
Aligned An exit strategy for recovering, transferring, or destroying...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-12
Information Management and Retention
Aligned Data retention policies are driven by legal and regulatory r...
6.0_IS_Data_Security_Policy_1.pdf
SI-12
Information Management and Retention
Aligned Information management and retention requirements cover the ...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SI-12
Information Management and Retention
Aligned Information management and retention requirements...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SI-12
Information Management and Retention
Aligned The protection of data against unintentional, unlawful, or u...
3.0_IS_Information_Security_Policy_2.pdf
SI-12
Information Management and Retention
Aligned 1.0 PURPOSE...
20.0_IS_Risk_Management_Policy_2.pdf
SI-12
Information Management and Retention
Aligned 1.2.2 Asset Disposal & Re-Use...
7.0_IS_Asset_Management_Policy.pdf
SI-12
Information Management and Retention
Aligned Control: SI-12...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SI-13
Predictable Failure Prevention
Key Control
Aligned Configuration Management | System Component Inventory...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-14
Non-persistence
Aligned h. A regular schedule will be developed for patching of all ...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-14
Non-persistence
Aligned Data Protection...
6.0_IS_Data_Security_Policy_1.pdf
SI-14
Non-persistence
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SI-15
Information Output Filtering
Gap Certain types of attacks, including SQL injections, produce output results that are unexpected or in...
SI-16
Memory Protection
Aligned Procedures to prevent malware execution...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-16
Memory Protection
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-17
Fail-safe Procedures
Key Control
Gap Failure conditions include the loss of communications among critical system components or between sy...
Critical Gap - Key Control Missing
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned Shareholders personal information such as Social Security Nu...
6.0_IS_Data_Security_Policy_1.pdf
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned All data classified as production, including all customer in...
6.0_IS_Data_Security_Policy_1.pdf
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned Internal and external audit reports....
6.0_IS_Data_Security_Policy_1.pdf
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned Regulatory agency reports, unless specified by the regulator...
6.0_IS_Data_Security_Policy_1.pdf
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned Reports produced by Information Security Data (e.g., vulnera...
6.0_IS_Data_Security_Policy_1.pdf
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned Data such as balance sheet and profit and loss figures, Laza...
6.0_IS_Data_Security_Policy_1.pdf
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned All personal data that is not required solely for identifica...
6.0_IS_Data_Security_Policy_1.pdf
SI-18
Personally Identifiable Information Quality Operations
Key Control
Aligned The accuracy, completeness, and quality of data as it is mai...
3.0_IS_Information_Security_Policy_2.pdf
SI-19
De-identification
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
SI-19
De-identification
Aligned The protection of data against unintentional, unlawful, or u...
3.0_IS_Information_Security_Policy_2.pdf
SI-2
Flaw Remediation
Key Control
Aligned Management of technical vulnerabilities...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-2
Flaw Remediation
Key Control
Aligned Reporting information security weaknesses...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-2
Flaw Remediation
Key Control
Aligned Technical review of applications after operating platform ch...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-2
Flaw Remediation
Key Control
Aligned Compliance with security policies and standards...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-2
Flaw Remediation
Key Control
Aligned Flaw Remediation and Software Updates...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-2
Flaw Remediation
Key Control
Aligned System & Information Integrity | Flaw Remediation...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-2
Flaw Remediation
Key Control
Aligned b. All Information Resources should be scanned on a regular ...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-2
Flaw Remediation
Key Control
Aligned e. Global software updates and configuration changes applied...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-2
Flaw Remediation
Key Control
Aligned f. Verification of successful software update deployment wil...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-2
Flaw Remediation
Key Control
Aligned g. All system components and software should be protected fr...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-2
Flaw Remediation
Key Control
Aligned Operating system and system software patches relating to sec...
7.2_IS_End_User_Device_Standard.pdf
SI-2
Flaw Remediation
Key Control
Aligned Software/Applications...
7.0_IS_Asset_Management_Policy.pdf
SI-2
Flaw Remediation
Key Control
Aligned Recovery and Post-incident Activity...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SI-20
Tainting
Aligned Section 1.5 ORGANIZATIONALLY OWNED & MANAGED INFO SYSTEMS & A...
2.0_IS_Acceptable_Use_Policy.pdf
SI-20
Tainting
Aligned Processes, procedures, and controls to safeguard Lazard’s en...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-20
Tainting
Aligned Controls to prevent or detect the use of known or suspected ...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-20
Tainting
Aligned Each email gateway should utilize Lazard Information Securit...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-20
Tainting
Aligned All files received over networks or from any external storag...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-20
Tainting
Aligned d) A data loss prevention (DLP) mechanism should be implemen...
6.0_IS_Data_Security_Policy_1.pdf
SI-20
Tainting
Aligned 1.8 DISCIPLINARY PROCESS...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SI-20
Tainting
Aligned Data Security – Establishes controls and framework for class...
3.0_IS_Information_Security_Policy_2.pdf
SI-20
Tainting
Aligned Cyber Security Incident Response Framework...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SI-21
Information Refresh
Aligned Data Disposal and Exit Strategy...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-21
Information Refresh
Aligned Data Governance...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-21
Information Refresh
Aligned Data retention policies...
6.0_IS_Data_Security_Policy_1.pdf
SI-22
Information Diversity
Key Control
Aligned Data Owners are ultimately responsible for the integrity of ...
6.0_IS_Data_Security_Policy_1.pdf
SI-22
Information Diversity
Key Control
Aligned Recovery Plan of Action...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SI-23
Information Fragmentation
Aligned Handling requirements for the following shall be developed a...
6.1_IS_Data_Security_Standards.pdf
SI-23
Information Fragmentation
Aligned Applicability...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SI-3
Malicious Code Protection
Aligned Section 3: Activities that could introduce malicious code...
2.1_IS_Acceptable_Use_Standard.pdf
SI-3
Malicious Code Protection
Aligned The Information Security Team should utilize specialized sof...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-3
Malicious Code Protection
Aligned Procedures, supporting business processes, and technical mea...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-3
Malicious Code Protection
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-3
Malicious Code Protection
Aligned d. Each email gateway should utilize Lazard Information Secu...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-3
Malicious Code Protection
Aligned f. All files received over networks or from any external sto...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-3
Malicious Code Protection
Aligned g. Every virus that is not automatically cleaned by the viru...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-3
Malicious Code Protection
Aligned The protection of data against unintentional, unlawful, or u...
3.0_IS_Information_Security_Policy_2.pdf
SI-3
Malicious Code Protection
Aligned Malicious code protection mechanisms include both signature-...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SI-4
System Monitoring
Aligned System & Information Integrity | System Monitoring...
6.1_IS_Data_Security_Standards.pdf
SI-4
System Monitoring
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
SI-4
System Monitoring
Aligned 2.1 Acceptable Use Standard...
2.0_IS_Acceptable_Use_Policy.pdf
SI-4
System Monitoring
Aligned Incident Response | Incident Monitoring...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-4
System Monitoring
Aligned System & Information Integrity | Malicious Code Protection...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-4
System Monitoring
Aligned System & Information Integrity | System Monitoring...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SI-4
System Monitoring
Aligned A.14.1.3 Protecting Application Services Transactions...
6.0_IS_Data_Security_Policy_1.pdf
SI-4
System Monitoring
Aligned System monitoring includes external and internal monitoring....
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SI-4
System Monitoring
Aligned Overview and Scope & Applicability...
7.2_IS_End_User_Device_Standard.pdf
SI-4
System Monitoring
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SI-4
System Monitoring
Aligned Network Controls...
7.0_IS_Asset_Management_Policy.pdf
SI-4
System Monitoring
Aligned Network Monitoring & Defense...
7.0_IS_Asset_Management_Policy.pdf
SI-5
Security Alerts, Advisories, and Directives
Key Control
Aligned Situational guidance and formal declaration of a cybersecuri...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SI-6
Security and Privacy Function Verification
Key Control
Aligned User Consent and Monitoring Policy...
2.0_IS_Acceptable_Use_Policy.pdf
SI-6
Security and Privacy Function Verification
Key Control
Aligned Incident Reporting and Response Process...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned System & Information Integrity | System Monitoring...
6.1_IS_Data_Security_Standards.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned Installation of Software on User’s device....
2.1_IS_Acceptable_Use_Standard.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned Procedures, supporting business processes, and technical mea...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned Changes to cloud security systems and procedures should be f...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned c. Inventories of all hardware and software installed on the...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned d. Automated vulnerability scans should be used to scan all ...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned f. All vulnerabilities and their remediation progress should...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned Data Owners Responsibility for Data Integrity...
6.0_IS_Data_Security_Policy_1.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned Software/Applications...
7.0_IS_Asset_Management_Policy.pdf
SI-7
Software, Firmware, and Information Integrity
Key Control
Aligned Discussion of various computer-related incidents and attacks...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SI-8
Spam Protection
Key Control
Aligned Section 3 and Section 5 regarding unauthorized access and em...
2.1_IS_Acceptable_Use_Standard.pdf
SI-8
Spam Protection
Key Control
Aligned Section 7: Procedures, supporting business processes, and te...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SI-8
Spam Protection
Key Control
Aligned d. Each email gateway should utilize Lazard Information Secu...
26.0_IS_Vulnerability_Management_Policy.pdf
SI-8
Spam Protection
Key Control
Aligned i. Appropriate interfaces are created to segregate Lazard’s ...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SR-1
Policy and Procedures
Key Control
Aligned Exceptions to the policy...
6.1_IS_Data_Security_Standards.pdf
SR-1
Policy and Procedures
Key Control
Aligned Supply Chain Risk Management | Supply Chain Risk Management ...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-1
Policy and Procedures
Key Control
Aligned Information security policy for supplier relationships...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-1
Policy and Procedures
Key Control
Aligned 1.2 POLICY...
26.0_IS_Vulnerability_Management_Policy.pdf
SR-1
Policy and Procedures
Key Control
Aligned 1.2.1 General Requirements...
26.0_IS_Vulnerability_Management_Policy.pdf
SR-1
Policy and Procedures
Key Control
Aligned Supply Chain Risk Management Policy and Procedures...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
SR-1
Policy and Procedures
Key Control
Aligned Supply chain risk management policy and procedures...
3.0_IS_Information_Security_Policy_2.pdf
SR-1
Policy and Procedures
Key Control
Aligned Risk Management Engagement...
20.0_IS_Risk_Management_Policy_2.pdf
SR-1
Policy and Procedures
Key Control
Aligned 1.1 SCOPE & APPLICABILITY...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SR-10
Inspection of Systems or Components
Aligned Access Control | Information Flow Enforcement, Access Contro...
6.1_IS_Data_Security_Standards.pdf
SR-11
Component Authenticity
Gap Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-...
SR-12
Component Disposal
Key Control
Aligned Supply Chain Risk Management...
6.1_IS_Data_Security_Standards.pdf
SR-12
Component Disposal
Key Control
Aligned Disposal (in accordance with Retention Policy)...
6.1_IS_Data_Security_Standards.pdf
SR-12
Component Disposal
Key Control
Aligned Supply Chain Risk Management...
6.1_IS_Data_Security_Standards.pdf
SR-12
Component Disposal
Key Control
Aligned User Data Management and Monitoring...
2.1_IS_Acceptable_Use_Standard.pdf
SR-12
Component Disposal
Key Control
Aligned Data Disposal Responsibilities...
19.0_IS_Cloud_Computing_Security_Policy.pdf
SR-12
Component Disposal
Key Control
Aligned Handling of Assets...
6.0_IS_Data_Security_Policy_1.pdf
SR-12
Component Disposal
Key Control
Aligned Disposal of Media...
6.0_IS_Data_Security_Policy_1.pdf
SR-12
Component Disposal
Key Control
Aligned IT Asset (NEW) and other assets Retirement and Disposal...
7.1_IS_Asset_Management_Standard.pdf
SR-12
Component Disposal
Key Control
Aligned 1.2.2 Asset Disposal & Re-Use...
7.0_IS_Asset_Management_Policy.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Supply Chain Risk Management...
2.0_IS_Acceptable_Use_Policy.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Supply Chain Risk Management | Supply Chain Risk Management ...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Supply Chain Risk Management | Supply Chain Controls & Proce...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Supply Chain Risk Management | Supply Chain Risk Management ...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Monitoring and review of supplier services...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Address security within supplier agreements...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned IT Asset Procurement...
7.1_IS_Asset_Management_Standard.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Supply Chain Risk Management...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Risk Management...
20.0_IS_Risk_Management_Policy_2.pdf
SR-2
Supply Chain Risk Management Plan
Key Control
Aligned Information Security Policies for Supplier Relationships...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
SR-3
Supply Chain Controls and Processes
Key Control
Aligned Supply Chain Risk Management | Supplier Assessments & Review...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-3
Supply Chain Controls and Processes
Key Control
Aligned Supply Chain Risk Management...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-3
Supply Chain Controls and Processes
Key Control
Aligned Monitoring and review of supplier services...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-4
Provenance
Key Control
Gap Every system and system component has a point of origin and may be changed throughout its existence....
Critical Gap - Key Control Missing
SR-5
Acquisition Strategies, Tools, and Methods
Key Control
Aligned Access Control | Information Flow Enforcement...
6.1_IS_Data_Security_Standards.pdf
SR-5
Acquisition Strategies, Tools, and Methods
Key Control
Aligned Supply Chain Risk Management | Acquisition Strategies, Tools...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-5
Acquisition Strategies, Tools, and Methods
Key Control
Aligned Managing changes to supplier services...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-6
Supplier Assessments and Reviews
Key Control
Aligned Information security policy for supplier relationships...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-6
Supplier Assessments and Reviews
Key Control
Aligned Network Security Management...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SR-7
Supply Chain Operations Security
Key Control
Aligned Access Control | Information Flow Enforcement...
6.1_IS_Data_Security_Standards.pdf
SR-7
Supply Chain Operations Security
Key Control
Aligned Operations Security...
3.0_IS_Information_Security_Policy_2.pdf
SR-8
Notification Agreements
Key Control
Aligned Supply Chain Risk Management | Supply Chain Risk Management ...
19.1_IS_Cloud_Computing_Security_Standard.pdf
SR-8
Notification Agreements
Key Control
Aligned Network Security Management...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
SR-8
Notification Agreements
Key Control
Aligned Incident Communication and Reporting...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
SR-9
Tamper Resistance and Detection
Aligned Protection of data against unintentional, unlawful, or unaut...
3.0_IS_Information_Security_Policy_2.pdf
A.13.2.1
Information Transfer Policies & Procedures
Aligned Any information that can be freely used and easily accessibl...
6.1_IS_Data_Security_Standards.pdf
A.13.2.1
Information Transfer Policies & Procedures
Aligned Confidential data protection and information transfer...
6.1_IS_Data_Security_Standards.pdf
PR.IP-6
Data Protection
Aligned Data Protection...
6.1_IS_Data_Security_Standards.pdf
PR.IP-6
Data Protection
Aligned Data Protection...
6.1_IS_Data_Security_Standards.pdf
A.10.1.1
Policy on the Utilization of Cryptographic Controls
Aligned Control Name...
6.1_IS_Data_Security_Standards.pdf
A.13.1.1
Network Controls
Aligned Control Name...
6.1_IS_Data_Security_Standards.pdf
A.13.1.1
Network Controls
Aligned Network Controls...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
AC-2g
Account Management
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
AC-2(7)
Account Management - Monitoring
Aligned 1.2 SYSTEM USE NOTIFICATION...
2.1_IS_Acceptable_Use_Standard.pdf
AC-2(7)
Account Management - Monitoring
Aligned Managers...
5.0_IS_Human_Resource_Security_Policy_1.pdf
CA-6(1)
Authorization of Information Exchanges
Aligned 1.7 CLOUD SYSTEMS...
19.0_IS_Cloud_Computing_Security_Policy.pdf
CA-6(1)
Authorization of Information Exchanges
Aligned Joint authorization of the systems exchanging information...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PR.IP-2
Information Security Policies and Procedures
Aligned Audit plans and business continuity planning...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-2
Information Security Policies and Procedures
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-2
Information Security Policies and Procedures
Aligned Audit plans and business continuity planning...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-2
Information Security Policies and Procedures
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-2
Information Security Policies and Procedures
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RS.RP-1
Response Planning
Aligned Audit plans and business continuity planning...
19.1_IS_Cloud_Computing_Security_Standard.pdf
RS.RP-1
Response Planning
Aligned Business continuity planning requirements...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned Policies and procedures should be established, and supportin...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.DS-8
Data Protection
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-3
Configuration Management
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-3
Configuration Management
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-3
Configuration Management
Aligned service-level expectations, and operational continuity requi...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-7
Information Security Continuous Monitoring
Aligned Audit plans and business continuity planning...
19.1_IS_Cloud_Computing_Security_Standard.pdf
PR.IP-7
Information Security Continuous Monitoring
Aligned Configuration Management | Configuration Change Control...
3.0_IS_Information_Security_Policy_2.pdf
PR.IP-7
Information Security Continuous Monitoring
Aligned Continuous Vulnerability Management...
3.0_IS_Information_Security_Policy_2.pdf
A.17.1.1
Planning information security continuity
Aligned Contingency Planning | Contingency Plan...
19.1_IS_Cloud_Computing_Security_Standard.pdf
A.11.2.5
Physical Media Transfer
Aligned Handling of Assets...
6.0_IS_Data_Security_Policy_1.pdf
AC-2(1)
Account Management
Aligned The controls and control enhancements that are candidates fo...
6.0_IS_Data_Security_Policy_1.pdf
A.9.1.1
Access Control Policy
Aligned Access Control Policy...
5.0_IS_Human_Resource_Security_Policy_1.pdf
A.9.1.1
Access Control Policy
Aligned Access Control Policy...
5.0_IS_Human_Resource_Security_Policy_1.pdf
A.9.1.1
Access Control Policy
Aligned Access Control Policy...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.1.1
Access Control Policy
Aligned Access Control Policy...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.1.1
Access Control Policy
Aligned Access Control Policy...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.1.1
Access Control Policy
Aligned Access Control Policy...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.1.1
Access Control Policy
Aligned Access to Networks & Network Services...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.1.2
Management of Privileged Access Rights
Aligned Management of Privileged Access Rights...
5.0_IS_Human_Resource_Security_Policy_1.pdf
A.9.1.2
Management of Privileged Access Rights
Aligned Access to Networks & Network Services...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.1.2
Management of Privileged Access Rights
Aligned Access to Networks & Network Services...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.1.2
Management of Privileged Access Rights
Aligned Access to Networks & Network Services...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.2.3
Information Access Restriction
Aligned Information Access Restriction...
5.0_IS_Human_Resource_Security_Policy_1.pdf
A.9.2.3
Information Access Restriction
Aligned Management of Privileged Access Rights...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.2.3
Information Access Restriction
Aligned Management of Privileged Access Rights...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
PR.AT-2
Information Security Awareness, Education and Training
Aligned Access Control | Concurrent Session Control...
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf
CM-6d
Configuration Monitoring
Aligned 1.2.1 General Network Security...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
PR.AC-5
Access Control Policy
Aligned Access Control | Use of External Systems...
23.0_IS_Network_and_Firewall_Security_Policy.pdf
AM-1
Asset Management Policy
Aligned Asset Management...
3.0_IS_Information_Security_Policy_2.pdf
ID.GV-1
Data Protection
Aligned The accuracy, completeness, and quality of data as it is mai...
3.0_IS_Information_Security_Policy_2.pdf
ID.RA-5
Continuous Vulnerability Management
Aligned Risk Assessment...
20.0_IS_Risk_Management_Policy_2.pdf
PR.DS-5
Segregation of Duties
Aligned Physical & Environmental Protection | Asset Monitoring & Tra...
7.0_IS_Asset_Management_Policy.pdf
PR.DS-5
Segregation of Duties
Aligned Qualified Personnel in System Development...
7.0_IS_Asset_Management_Policy.pdf
PR.DS-5
Segregation of Duties
Aligned Access Control Policy...
7.0_IS_Asset_Management_Policy.pdf
CA-2(1)
Control Assessment
Aligned Incident Lifecycle...
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf
A.9.4.1
Information Access Restriction
Aligned Information Access Restriction...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.4.1
Information Access Restriction
Aligned Information Access Restriction...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf
A.9.4.1
Information Access Restriction
Aligned Information Access Restriction...
4.0_IS_Organization_of_Information_Security_Policy_1.pdf

2.0_IS_Acceptable_Use_Policy.pdf CIS
6 matches found

Document Content
Matched Section
Section: This policy is applicable to all Lazard employees, contractors, consultants, temporary workers, and other employees at Lazard, including all personnel affiliated with third parties who access, process, or store the organization's data as well as all Lazard information systems and assets within Lazard’s computing environments.
Content: This policy is applicable to all Lazard employees, contractors, consultants, temporary workers, and other employees at Lazard, including all personnel affiliated with third parties who access, process, or store the organization's data as well as all Lazard information systems and assets within Lazard’s computing environments including but not limited to data centers and business workplace facilities.
AI Justification
The chunk discusses the applicability of policies to all employees and contractors, emphasizing the importance of asset management and compliance with policies regarding the organization's data and systems.

Document Content
Matched Section
Section: 1.4 SECURITY & PROPRIETARY INFORMATION
Content: To ensure confidentiality, integrity and availability of Lazard copyright and proprietary information, the following requirements should be followed: a) All mobile and computing devices that connect to the internal network should comply with the Access Control Policy.
AI Justification
The text discusses the need for users to understand their rights and responsibilities regarding access to systems, which aligns with the need to configure data access control lists based on user roles and responsibilities.

Document Content
Matched Section
Section: 1.4 SECURITY & PROPRIETARY INFORMATION
Content: b) System level and user level passwords should be utilized and should comply with the Access Control Policy and its associated standards.
AI Justification
The mention of compliance with the Access Control Policy indicates the implementation of access controls based on user roles and responsibilities.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The document explicitly mentions 'Confidential' as part of its classification, indicating that a data classification scheme is in place.

Document Content
Matched Section
Section: REMOVABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Lazard and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The section discusses the use of removable storage devices and the associated risks, implying the need for data protection measures such as encryption.

Document Content
Matched Section
Section: 1.2 GENERAL USER RESPONSIBILITIES
Content: This policy applies to BYOD devices where applicable. It is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The policy mentions the application of BYOD (Bring Your Own Device) devices, which aligns with the need for separate enterprise workspaces on mobile devices.
4.0_IS_Organization_of_Information_Security_Policy_1.pdf CIS
3 matches found

Document Content
Matched Section
Section: Responsibilities for the protection of individual assets
Content: Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy for additional information and guidance.
AI Justification
The text discusses responsibilities for the protection of individual assets and mentions the Asset Management Policy, which aligns with maintaining an inventory of enterprise assets.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The chunk discusses various aspects of access control, which aligns with the need to configure data access control lists based on user needs.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The document explicitly mentions 'Confidential' as part of its classification scheme, aligning with the requirement to establish and maintain an overall data classification scheme.
7.0_IS_Asset_Management_Policy.pdf CIS
14 matches found

Document Content
Matched Section
Section: Asset inventory should be kept accurate, and it should be reviewed at least annually or whenever there is a major change.
Content: The Asset inventory should be kept accurate, and it should be reviewed at least annually or whenever there is a major change.
AI Justification
The text discusses maintaining an accurate and detailed inventory of assets, including their attributes and the need for regular reviews.

Document Content
Matched Section
Section: c) The Asset inventory should be kept accurate, and it should be reviewed at least annually or whenever there is a major change.
Content: c) The Asset inventory should be kept accurate, and it should be reviewed at least annually or whenever there is a major change.
AI Justification
The section requires the asset inventory to be kept accurate and reviewed regularly; it does not mention discovery tooling, so alignment with the control on active discovery tools is partial.

Document Content
Matched Section
Section: Inventory of Assets
Content: All relevant Lazard information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction. The asset inventory should be maintained within a centralized repository and official system of record (SOR).
AI Justification
The section requires all information and information-processing assets to be inventoried in a centralized system of record, which covers software and applications and supports the requirement for a detailed inventory of licensed software.

Document Content
Matched Section
Section: Software/Applications
Content:
• Name of the application.
• Description of the application's function.
• Description of the application's technical architecture.
• Name of the Asset Owner.
• Current version/release of the software.
• Licensing information.
• Listing of security controls that have been applied to secure the Assets.
• Listing of updates, patches and fixes that have been installed.
AI Justification
The chunk lists the attributes to record for each application, including current version, licensing and installed patches; that data is what is needed to identify unsupported software, although the chunk does not itself require that only supported software be authorized.

Document Content
Matched Section
Section: Inventory of Assets
Content: All relevant Lazard information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction.
AI Justification
The section requires an inventory of all information and information-processing assets, which supports the control's use of software inventory tools for documentation, although tooling is not specified here.

Document Content
Matched Section
Section: 1.5 MAINTENANCE
Content: A periodical review for this standard and the associated core documents should be performed to identify and implement measures for improvement. The minimal interval for this review is annually from the date of last approval.
AI Justification
The text requires an at least annual review of the standard and its core documents, which aligns with the annual review and update requirement in control 3.1.

Document Content
Matched Section
Section: c) The Asset inventory should be kept accurate, and it should be reviewed at least annually or whenever there is a major change.
Content: c) The Asset inventory should be kept accurate, and it should be reviewed at least annually or whenever there is a major change.
AI Justification
The text discusses maintaining an accurate asset inventory and reviewing it annually, which aligns with the requirement to establish and maintain a data inventory.

Document Content
Matched Section
Section: 1.2.2 Asset Disposal & Re-Use
Content: Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy.
AI Justification
The section discusses the secure disposal of assets and the need for formal procedures, which aligns with the control's requirement for securely disposing of data as per documented processes.

Document Content
Matched Section
Section: 1.2.2 Asset Disposal & Re-Use
Content: All Lazard information should be classified to ensure that the information receives an appropriate level of protection in accordance with its importance to Lazard. The classification scheme should be consistent across the whole organization so that all information Assets are consistently classified and controlled.
AI Justification
The text discusses the need for classifying information to ensure appropriate protection levels, which aligns with establishing a data classification scheme.

Document Content
Matched Section
Section: Inventory of Assets
Content: All relevant Lazard information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction.
AI Justification
The section discusses maintaining an inventory of assets, which aligns with the need to identify sensitive data stored, processed, or transmitted through enterprise assets.

Document Content
Matched Section
Section: Asset Disposal & Re-Use
Content: Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy. Assets that contain sensitive or internal information should be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse. Assets reuse and destruction practices should be tracked, documented, and evidenced.
AI Justification
The section discusses the secure disposal of assets containing sensitive data and emphasizes the need for tracking and documenting the disposal practices.

Document Content
Matched Section
Section: IT management should establish, implement, and actively manage network devices
Content: IT management should establish, implement, and actively manage (track, report, correct) network devices in collaboration with the Information Security Team, in order to prevent attackers from exploiting vulnerable network services and access points.
AI Justification
The text discusses the establishment and management of network devices, which aligns with maintaining a secure configuration process.

Document Content
Matched Section
Section: Assets ownership and responsibilities
Content: Ownership should be assigned for all assets maintained in the inventory. An Asset Owner should be assigned whenever Assets are acquired by or transferred by the organization.
AI Justification
The section requires an owner to be assigned for every inventoried asset; it concerns assets rather than accounts, so alignment with maintaining an inventory of accounts is indirect.

Document Content
Matched Section
Section: Section a) and b)
Content: a) Managers / HR should ensure that all Lazard employees and external Users (third party workers) return all Lazard Assets within their possession upon termination of their employment, contract or agreement. b) When a Lazard employee uses their own personal equipment, procedures should be followed to ensure that all relevant company information is transferred to Lazard and is securely erased from the device.
AI Justification
The chunk discusses the return of company assets and the secure erasure of company information from personal devices, which aligns with the need to wipe enterprise data from devices when necessary.
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf CIS
5 matches found

Document Content
Matched Section
Section: Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal.
Content: Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager and the CISO or his/her designee.
AI Justification
The text describes the general policy exception process (ServiceNow form, Department Manager and CISO approval); it is not specific to software, so it supports the control's documented-exception requirement for unauthorized software only as a general mechanism.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: a. Appropriate controls for User access to networks and network services should be deployed to ensure that:
AI Justification
The chunk is the opening clause of the network access requirements and is cut off at the colon; it establishes that user access to networks and network services must be controlled, but the specific objectives that follow are not captured, so alignment with configuring data access control lists should be confirmed against the full section.

Document Content
Matched Section
Section: Network Segregation and Segmentation
Content: Lazard networks should be segregated AND segmented to ensure network integrity.
AI Justification
The text requires networks to be segregated and segmented to preserve integrity; firewalls are not named, but segmentation is normally enforced with them, so the match to implementing and managing firewalls is reasonable.

Document Content
Matched Section
Section: General User Account
Content: User accounts and privileged user account entitlements should be reviewed no less than biannually by the User's supervisor. Privileged accounts with enterprise or domain admin rights should also be reviewed by Information Security.
AI Justification
The text requires periodic review of user and privileged account entitlements, with Information Security additionally reviewing enterprise and domain admin accounts; it does not address default accounts specifically, so the match covers the oversight aspect of the control rather than default-account management.

Document Content
Matched Section
Section: 1.2.3 Account Management
Content: The purpose of this section is to outline requirements for managing user and service accounts within Lazard. The section addresses the creation of new accounts, the management of existing accounts and the removal of accounts that are no longer in use.
AI Justification
The section outlines requirements for managing user and service accounts, including creation, management, and removal of accounts, which aligns with maintaining an inventory of accounts.
7.2_IS_End_User_Device_Standard.pdf CIS
12 matches found

Document Content
Matched Section
Section: All Firm workstations and laptops should be inventoried for hardware and software on a regular basis.
Content: All Firm workstations and laptops should be inventoried for hardware and software on a regular basis. Automated tools should be used if possible and if available.
AI Justification
The text discusses the inventory of end-user devices and the requirement for regular inventory checks, aligning with the control's focus on maintaining an accurate inventory of assets.

Document Content
Matched Section
Section: All Firm workstations and laptops should be inventoried for hardware and software on a regular basis.
Content: All Firm workstations and laptops should be inventoried for hardware and software on a regular basis. Automated tools should be used if possible and if available.
AI Justification
The text specifies that all Firm workstations and laptops should be inventoried for hardware and software on a regular basis, which aligns with the need to maintain a detailed inventory of licensed software.

Document Content
Matched Section
Section: Equipment and media containing confidential information should be retained in a secured location while unattended.
Content: Equipment and media containing confidential information should be retained in a secured location while unattended.
AI Justification
The text requires equipment and media holding confidential information to be kept in a secured location when unattended; this is a physical safeguard and does not address data access control lists, so alignment with that control is weak.

Document Content
Matched Section
Section: Only approved end-user devices may be attached to the LAN (wired or Wi-Fi) in any Lazard office.
Content: Only approved end-user devices may be attached to the LAN (wired or Wi-Fi) in any Lazard office.
AI Justification
Restricting LAN attachment to approved end-user devices is a device-level network admission control; it is based on device approval rather than on user access needs.

Document Content
Matched Section
Section: In particular, the use of any unauthorized networking devices, including wireless access points or wireless routers, is expressly forbidden.
Content: In particular, the use of any unauthorized networking devices, including wireless access points or wireless routers, is expressly forbidden.
AI Justification
The prohibition on unauthorized networking devices, including rogue wireless access points and routers, limits who can extend the network; it restricts devices rather than user permissions.

Document Content
Matched Section
Section: Network Access Control (NAC) technology is used to monitor compliance with this policy.
Content: Network Access Control (NAC) technology is used to monitor compliance with this policy.
AI Justification
NAC enforces the approved-device requirement at the point of network attachment, which is network access control; it does not configure data access control lists, so the match is to network rather than data access enforcement.

Document Content
Matched Section
Section: Use of Removable Devices and Data Security
Content: Only USB sticks and other removable devices that have been approved by Lazard IT, and that support password-protection and encryption, should be used.
AI Justification
The text specifies that only approved removable devices that support encryption should be used, which aligns with the control's requirement for encryption of data on such media.

Document Content
Matched Section
Section: 6. Personal firewall software should be installed and subject to update from a central policy server; users should not be able to disable or change the configuration of this firewall.
Content: 6. Personal firewall software should be installed and subject to update from a central policy server; users should not be able to disable or change the configuration of this firewall.
AI Justification
The section discusses the requirement for personal firewall software to be installed and managed according to a central policy, which aligns with the control's focus on implementing and managing firewalls.

Document Content
Matched Section
Section: Equipment and media containing confidential information should be retained in a secured location while unattended.
Content: Equipment and media containing confidential information should be retained in a secured location while unattended.
AI Justification
The text requires equipment and media containing confidential information to be physically secured when unattended, which aligns with securely managing enterprise assets.

Document Content
Matched Section
Section: Only approved end-user devices may be attached to the LAN (wired or Wi-Fi) in any Lazard office.
Content: Only approved end-user devices may be attached to the LAN (wired or Wi-Fi) in any Lazard office.
AI Justification
The section emphasizes the importance of controlling access to the network and ensuring only approved devices can connect, which is a key aspect of access control.

Document Content
Matched Section
Section: Network Access Control (NAC) technology is used to monitor compliance with this policy.
Content: Network Access Control (NAC) technology is used to monitor compliance with this policy.
AI Justification
The mention of Network Access Control (NAC) technology to monitor compliance directly relates to the control of network access.

Document Content
Matched Section
Section: 1.1.4 Smartphones, Mobile, and Other Wireless Devices
Content: If a device offers a timeout function that enforces re-entry of the password after a period of inactivity, it should be applied and should not exceed 60 minutes.
AI Justification
The chunk discusses the importance of securing devices when not in use and mentions timeout functions for password re-entry, which aligns with the need for session locking.
7.1_IS_Asset_Management_Standard.pdf CIS
9 matches found

Document Content
Matched Section
Section: Aspects of endpoint device solution that should be evaluated and IT Asset Retirement and Disposal
Content: Aspects of endpoint device solution that should be evaluated. 1. protection, 2. authentication, 3. application functionality, 4. solution management, 5. logging, and performance. NOTE: Lazard groups and their representatives should follow further details from the End User Device Standard. IT Asset (NEW) and other assets Retirement and Disposal a) Define an asset disposal procedure encompassing identification of assets, assessment of assets, approval, disposal methods, and reporting.
AI Justification
The chunk covers endpoint solution evaluation criteria and the asset retirement and disposal procedure, whose first step is identification of assets; the link to maintaining an accurate asset inventory runs through that identification step.

Document Content
Matched Section
Section: Section regarding emergency exceptions to software policy
Content: In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the approval process for exceptions to software policies, indicating a management approach for unauthorized software.

Document Content
Matched Section
Section: 1.4 MAINTENANCE
Content: A periodical review for this standard and the associated core documents should be performed to identify and implement measures for improvement. The minimal interval for this review is annually from the date of last approval.
AI Justification
The text discusses the need for a periodical review of standards and associated documents, which aligns with the requirement to maintain a documented data management process and review it annually.

Document Content
Matched Section
Section: IT Asset Retirement and Disposal
Content: a) Define an asset disposal procedure encompassing identification of assets, assessment of assets, approval, disposal methods, and reporting. b) Establish data security procedures to protect sensitive (classification internal, confidential, restricted) data when assets are planned to be retired.
AI Justification
The chunk outlines procedures for asset disposal, including data security measures for sensitive data, which aligns with the requirement to securely dispose of data as per the documented data management process.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION: Internal. VERSION: 1.3. PUBLISHED DATE: 12/8/2023. APPROVED DATE: 12/07/2023. REVISION DATE: 12/06/2023. DOCUMENT AUTHOR: Information Security. DOCUMENT OWNER: CISO. DISTRIBUTION TARGET GROUP: ALL. IS Global Policy Document Structure: 7.1 IS Asset Management Standard. The information contained herein is the property of Lazard Freres & Co. LLC ("Lazard") and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The document header records its own classification ('Internal'), version, owner and distribution target; this is evidence that the classification scheme is applied to documents, not a definition of the scheme itself.

Document Content
Matched Section
Section: IT Asset (NEW) and other assets Retirement and Disposal
Content: b) Establish data security procedures to protect sensitive (classification internal, confidential, restricted) data when assets are planned to be retired.
AI Justification
The chunk requires data security procedures for sensitive (internal, confidential, restricted) data when assets are retired; it does not mention logging, so alignment with logging sensitive data access and disposal is partial.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: Lazard should follow its mobile device security standards as outlined in the Lazard IS 7.2 End User Device Standard.
AI Justification
The section discusses maintaining security standards for endpoint devices, which aligns with establishing a documented secure configuration process.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: Endpoint device security should be regularly maintained.
AI Justification
The requirement for endpoint device security to be regularly maintained aligns with the need for a documented secure configuration process.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: Lazard should follow its mobile device security standards as outlined in the Lazard IS 7.2 End User Device Standard.
AI Justification
The chunk defers mobile device security to the 7.2 End User Device Standard; it does not itself state a requirement to separate enterprise applications and data from personal ones, so the match to the separate-enterprise-workspace control depends on that referenced standard.
19.0_IS_Cloud_Computing_Security_Policy.pdf CIS
6 matches found

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee: 1. Policy statement requiring the exception. 2. Exception duration. Provide detailed information.
AI Justification
The chunk discusses the process for requesting exceptions to policies, which aligns with the need to document exceptions for unsupported software as outlined in control 2.2.

Document Content
Matched Section
Section: Responsibilities of application owners and collaboration with data owners
Content: Each system owner should maintain a portfolio of cloud application profiles under their control and management purview. A designated Lazard resource responsible for managing cloud-based application services or business functions. The application owner may be a direct customer of a CSP for specific business functions and should track implementation and maintenance requirements for business applications hosted in the cloud. Application owners should maintain an information security categorization profile for all cloud application services and functions in their purview.
AI Justification
The text makes application owners responsible for maintaining cloud application profiles and an information security categorization profile for the cloud services in their purview, which aligns with a documented data management process; collaboration with data owners appears only in the section title, not in the matched content.

Document Content
Matched Section
Section: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends.
Content: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends. Cloud Service Providers should be able to remove all Lazard data from the hosting locations at the conclusion of a service contract. Secure data disposal should follow the Data Security Policy and Data Security Standard documents.
AI Justification
The text requires an exit strategy for recovering, transferring or destroying data when a cloud contract ends, with the CSP able to remove all Lazard data; this aligns with handling data according to documented retention and disposal processes.

Document Content
Matched Section
Section: Exit Strategy for Data Management
Content: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends. Cloud Service Providers should be able to remove all Lazard data from the hosting locations at the conclusion of a service contract. Secure data disposal should follow the Data Security Policy and Data Security Standard documents.
AI Justification
The text discusses the need for secure data disposal as part of the exit strategy, aligning with the requirement to securely dispose of data as per the documented data management process.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The chunk is the document's own 'Confidential' classification marking, which shows a classification scheme is in use; it does not define the scheme, so it supports rather than fully evidences the requirement to establish one.

Document Content
Matched Section
Section: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends.
Content: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends. Cloud Service Providers should be able to remove all Lazard data from the hosting locations at the conclusion of a service contract. Secure data disposal should follow the Data Security Policy and Data Security Standard documents.
AI Justification
The text requires the Cloud Service Provider to remove all Lazard data at contract end, with disposal following the Data Security Policy and Standard; logging of access and disposal is not mentioned, so alignment with that control is partial.
2.1_IS_Acceptable_Use_Standard.pdf CIS
3 matches found

Document Content
Matched Section
Section: Data Wiping and Removal Procedures
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device.
AI Justification
The text discusses the remote wiping or removal of data from personal devices, which aligns with the need to securely dispose of data as per the documented data management process.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The chunk is the document's own 'Confidential' classification marking, which shows a classification scheme is applied; it does not define the scheme, so it supports rather than fully evidences the requirement to establish and maintain one.

Document Content
Matched Section
Section: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device.
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Lazard managed application.
AI Justification
The text specifies that designated staff can remotely wipe data from personal devices under certain circumstances, which aligns with the control's intent to protect enterprise data on portable devices.
6.1_IS_Data_Security_Standards.pdf CIS
11 matches found

Document Content
Matched Section
Section: Use only Lazard managed equipment for business-related work; use of personal computers or personal email for business-related work is strictly prohibited.
Content: Use only Lazard managed equipment for business-related work; use of personal computers or personal email for business-related work is strictly prohibited.
AI Justification
The text restricts business work to Lazard managed equipment and prohibits personal computers and personal email; this controls unmanaged devices rather than unauthorized software, so alignment with that control is indirect.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard (table columns: Activity, Medium, Procedure, and applicability to Public, Internal, Confidential and Restricted information):
Collection (Medium: All): Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source.
Labelling (Medium: All): Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk sets handling requirements per classification level, including collecting only necessary information and labelling it; it supports a data inventory only indirectly, since it governs handling rather than inventorying.

Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Erase, degauss, or destroy (using a CD shredder) all electronic media in a manner that will render the information irretrievable.
AI Justification
The section discusses the disposal of information and the requirement to securely erase or destroy electronic media, which aligns with data retention practices.

Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Erase, degauss, or destroy (using a CD shredder) all electronic media in a manner that will render the information irretrievable. Laptops and external media (e.g., CDs, USB, hard drives, etc.) should be securely wiped prior to reuse. Delete files from all devices (e.g., laptops, mobile devices, USB drives, etc.) after no longer required to be retained, and place unnecessary paper documents in a shredding bin.
AI Justification
The section describes procedures for securely disposing of various types of data, including electronic media and paper documents, which aligns with the control's requirement for secure data disposal.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard (table columns: Activity, Medium, Procedure, and applicability to Public, Internal, Confidential and Restricted information):
Collection (Medium: All): Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source.
Labelling (Medium: All): Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The text discusses the implementation of an information classification scheme, including labels such as 'Public', 'Internal', 'Confidential', and 'Restricted', which aligns with the requirement to establish and maintain a data classification scheme.

Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Erase, degauss, or destroy (using a CD shredder) all electronic media in a manner that will render the information irretrievable. Laptops and external media (e.g., CDs, USB, hard drives, etc.) should be securely wiped prior to reuse.
AI Justification
The section requires electronic media to be erased, degaussed or destroyed and laptops and external media to be securely wiped before reuse; it specifies wiping rather than encryption, so the match to encrypting data on removable media is indirect.

Document Content
Matched Section
Section: Details on Encryption see section “Encryption requirements” below
Content: Store data on company-managed equipment (e.g., servers, encrypted laptops, etc.) or authorized business partner hosted systems.
AI Justification
The text requires data to be stored on company-managed equipment, including encrypted laptops, or on authorized business-partner hosted systems, which aligns with storing data securely; the referenced 'Encryption requirements' section is not included in this chunk.

Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Delete files from all devices (e.g., laptops, mobile devices, USB drives, etc.) after no longer required to be retained, and place unnecessary paper documents in a shredding bin.
AI Justification
The text discusses the disposal of sensitive information, including placing unattended copies in a shredding bin and securely wiping electronic media, which aligns with logging access and disposal of sensitive data.

Document Content
Matched Section
Section: 1.4 MAINTENANCE
Content: A periodical review for this standard and the associated core documents should be performed to identify and implement measures for improvement. The minimal interval for this review is annually from the date of last approval.
AI Justification
The text discusses the need for a periodical review of standards and associated documents, which aligns with maintaining a documented secure configuration process.

Document Content
Matched Section
Section: Across High-Risk Technology Assets
Content: Across High-Risk Technology Assets Not required In absence of encryption, appropriate compensating controls approved by Information security should be implemented. High-Risk Technology Assets are (not exhaustive list): • Mobile end user devices such as laptops, tablets and smartphones • Portable (‘Removable’) media such as USB drives and CD/DVD • Backup Media • Internet • Wireless LAN / Bluetooth / Cellular Data • Public Cloud Services ◦ Online, Multi-Tenant (i.e.: shared), elastic and scalable (i.e. pooled resource) technology services. ◦ Infrastructure (i.e. IaaS), Platform (i.e. PaaS) and Application (i.e.: SaaS) ◦ Includes Lazard direct use and third-party service providers. 1.4 MAINTENANCE A periodical review for this standard and the associated core documents should be performed to identify and implement measures for improvement. The minimal interval for this review is annually from the date of last approval.
AI Justification
The text discusses the need for a documented process for high-risk technology assets, which aligns with maintaining secure configurations.

Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Laptops and external media (e.g., CDs, USB, hard drives, etc.) should be securely wiped prior to reuse.
AI Justification
The section discusses securely wiping laptops and external media prior to reuse, which aligns with the control's focus on wiping enterprise data from devices.
5.0_IS_Human_Resource_Security_Policy_1.pdf CIS
3 matches found

Document Content
Matched Section
Section: Section 1.12 - EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to policies, which aligns with ensuring unauthorized software is either removed or documented with exceptions.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The document explicitly mentions 'Confidential' in the context of document classification, indicating an established data classification scheme.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary. Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The section discusses the creation and management of login IDs and permissions for new hires, which aligns with maintaining an inventory of accounts and ensuring they are authorized.
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf CIS
3 matches found

Document Content
Matched Section
Section: Access rights to the Lazard networks and network services
Content: Access rights to the Lazard networks and network services should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The text discusses revoking access rights and documenting the revocation, which aligns with ensuring unauthorized access is managed and documented.

Document Content
Matched Section
Section: 1.2.1 Access Control
Content: All security controls described in the IS Global Policies & Standards document entitled “8.0 Access Control Policy” should be strictly adhered to while conducting a drill or participating in an actual BC/DR event.
AI Justification
The section discusses the need for access rights and the approval process for granting access, which aligns with configuring data access control lists based on user needs.

Document Content
Matched Section
Section: 1.2.2 Information Resources
Content: Personnel participating in a BC/DR event may require access rights to certain information resources needed in the recovery effort. Requests for the granting of access to Lazard information resources should be documented and approved by one of the following: a. The information asset’s owner. b. A director level IT representative. c. A member of the Information Security department.
AI Justification
The requirement for documented and approved access rights for personnel aligns with the principle of applying access permissions based on need.
6.0_IS_Data_Security_Policy_1.pdf CIS
19 matches found

Document Content
Matched Section
Section: Data Protection
Content: Secure Configuration of Enterprise Assets & Software Continuous Vulnerability Management Network Infrastructure Management Application Software Security
AI Justification
The text chunk discusses the establishment and maintenance of an accurate inventory of enterprise assets, which aligns directly with control 1.1.

Document Content
Matched Section
Section: Secure Configuration of Enterprise Assets & Software
Content: Data Protection Secure Configuration of Enterprise Assets & Software Continuous Vulnerability Management Network Infrastructure Management Application Software Security
AI Justification
The control requires maintaining a detailed inventory of all licensed software, which aligns with the concept of inventory and control of enterprise assets.

Document Content
Matched Section
Section: Secure Configuration of Enterprise Assets & Software
Content: Data Protection Secure Configuration of Enterprise Assets & Software Continuous Vulnerability Management Network Infrastructure Management Application Software Security
AI Justification
The control specifically addresses the need for a software inventory, which is directly mentioned in the provided control.

Document Content
Matched Section
Section: b) Classifying and securing data according to the criteria stipulated within this Policy.
Content: b) Classifying and securing data according to the criteria stipulated within this Policy. Each Data Owner will be responsible for identifying and classifying all information for which he/she is responsible.
AI Justification
The section discusses classifying data, establishing access groupings based on data classification, and reviewing access privileges, which aligns with maintaining a documented data management process.

Document Content
Matched Section
Section: Data retention policies are driven by legal and regulatory requirements.
Content: Data retention policies are driven by legal and regulatory requirements. The Data Owner should ensure that data is retained as it pertains to Global, Federal, State and Local statutes and regulations and/or requirements.
AI Justification
The text discusses data retention policies driven by legal and regulatory requirements, which aligns with the need to retain data according to documented processes.

Document Content
Matched Section
Section: Classifying and securing data according to the criteria stipulated within this Policy.
Content: Classifying and securing data according to the criteria stipulated within this Policy. Each Data Owner will be responsible for identifying and classifying all information for which he/she is responsible.
AI Justification
The section discusses establishing access groupings based on data classification, which aligns with configuring data access control lists based on user needs.

Document Content
Matched Section
Section: Access privileges of all users, especially those with the abilities to modify and delete data, should be reviewed, and approved by Data/Business Owners on a regular basis.
Content: Access privileges of all users, especially those with the abilities to modify and delete data, should be reviewed, and approved by Data/Business Owners on a regular basis, depending on data sensitivity.
AI Justification
The mention of reviewing and approving access privileges aligns with the need to configure access controls based on user roles and data sensitivity.

Document Content
Matched Section
Section: 1.0 PURPOSE
Content: To achieve effective Information Security, it is essential to classify information so that appropriate security and control measures are applied. For instance, it is as important not to surround trivial information with excessive security, as it is to pay keen attention to the most sensitive matters. Classification of data is also necessary to facilitate compliance with governmental regulations.
AI Justification
The section discusses the importance of classifying information and outlines a data classification methodology, which aligns with the requirement to establish and maintain a data classification scheme.

Document Content
Matched Section
Section: Restricted Data
Content: Restricted Data is characterized as sensitive data that is intended for a very limited group of individuals. This level contains data, which if disclosed would provide access to business secrets and could jeopardize material interests or actions of Lazard or its clients and could lead to material personal or financial detriment if revealed to unauthorized persons.
AI Justification
The text discusses various types of sensitive data and emphasizes the importance of restricting access to such data, which aligns with the need to segment data processing and storage based on sensitivity.

Document Content
Matched Section
Section: Data Loss Prevention Mechanism
Content: A data loss prevention (DLP) mechanism should be implemented. This mechanism helps prevent sensitive information from being leaked. It can do this by monitoring and blocking certain types of data from being sent out.
AI Justification
The text discusses the implementation of a DLP mechanism to prevent sensitive information from being leaked, which aligns with the control's focus on identifying and managing sensitive data.

Document Content
Matched Section
Section: 1.7 PROTECTION OF LOG INFORMATION
Content: Lazard should establish controls to maintain the confidentiality, integrity, and non-repudiation of log information. The log information may be subjected to these operational problems: i. Alterations to the message types. ii. Log files being edited or deleted. iii. Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
AI Justification
The section discusses the need to maintain the confidentiality and integrity of log information, which aligns with logging sensitive data access.

Document Content
Matched Section
Section: Secure Configuration of Enterprise Assets & Software
Content: Secure Configuration of Enterprise Assets & Software
AI Justification
The chunk discusses secure configuration of enterprise assets and software, aligning with the need for a documented secure configuration process.

Document Content
Matched Section
Section: Inventory & Control of Enterprise Assets
Content: Inventory & Control of Enterprise Assets
AI Justification
The mention of inventory and control of enterprise assets indicates a need for secure configuration as part of asset management.

Document Content
Matched Section
Section: Inventory & Control of Software Assets
Content: Inventory & Control of Software Assets
AI Justification
The mention of inventory and control of software assets aligns with the need for secure configuration of software.

Document Content
Matched Section
Section: Network Infrastructure Management and Network Monitoring & Defense
Content: Network Infrastructure Management Network Monitoring & Defense
AI Justification
The control requires the implementation and management of firewalls, which aligns with the mention of Network Monitoring & Defense and Security of Network Services.

Document Content
Matched Section
Section: Network Infrastructure Management and Network Monitoring & Defense
Content: Network Infrastructure Management Network Monitoring & Defense
AI Justification
This control is relevant as it pertains to protecting the network boundaries, which is a key aspect of firewall management.

Document Content
Matched Section
Section: Secure Configuration of Enterprise Assets & Software
Content: Secure Configuration of Enterprise Assets & Software
AI Justification
The chunk discusses secure configuration and management of enterprise assets and software, aligning with the control's focus on secure management practices.

Document Content
Matched Section
Section: Inventory & Control of Enterprise Assets
Content: Inventory & Control of Enterprise Assets
AI Justification
The mention of managing enterprise assets aligns with the need for inventory and control as outlined in the CIS controls.

Document Content
Matched Section
Section: Inventory & Control of Software Assets
Content: Inventory & Control of Software Assets
AI Justification
The control emphasizes the importance of managing software assets, which is relevant to the secure management of software mentioned in the chunk.
3.0_IS_Information_Security_Policy_2.pdf CIS
4 matches found

Document Content
Matched Section
Section: Asset Management
Content: Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets.
AI Justification
The section discusses establishing controls for asset identification and inventory, which aligns with maintaining an accurate inventory of enterprise assets.

Document Content
Matched Section
Section: Configuration Management | Policies & Procedures, Configuration Management | Baseline Configuration, Configuration Management | Configuration Change Control, Configuration Management | Impact Analyses, Configuration Management | Access restrictions for Change, Configuration Management | Configuration Settings, Configuration Management | Least Functionality, Configuration Management | Configuration Management Plan
Content: Configuration Management | Policies & Procedures Configuration Management | Baseline Configuration Configuration Management | Configuration Change Control Configuration Management | Impact Analyses Configuration Management | Access restrictions for Change Configuration Management | Configuration Settings Configuration Management | Least Functionality Configuration Management | Configuration Management Plan
AI Justification
The chunk discusses various aspects of configuration management, which aligns with the need for a documented secure configuration process for network devices.

Document Content
Matched Section
Section: Network and Firewall Security Policy
Content: Network and Firewall Security Policy - Establishes the security-related controls and
AI Justification
The text discusses the establishment of security-related controls, which includes managing firewalls to protect sensitive information.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The section discusses the establishment of controls for end-user devices, which aligns with the implementation of host-based firewalls to protect sensitive information.
26.0_IS_Vulnerability_Management_Policy.pdf CIS
14 matches found

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The section discusses the need to establish and maintain inventories of all hardware and software on the corporate network, which aligns with the requirement to maintain an accurate inventory of enterprise assets.

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The chunk discusses the need for maintaining inventories of hardware and software, which aligns with the use of an active discovery tool to identify assets on the network.

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The section discusses the need to maintain an inventory of all hardware and software, including unauthorized assets, which aligns with the control's focus on addressing unauthorized assets.

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The section discusses the establishment and maintenance of inventories for hardware and software, which aligns with the need for DHCP logging to update the asset inventory.

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date.
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The section discusses the establishment and maintenance of inventories of all hardware and software, which aligns with the need to identify assets and update the inventory regularly.

Document Content
Matched Section
Section: Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
Content: Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
AI Justification
The use of automated vulnerability scans to check inventory assets for weaknesses aligns with the control's focus on using tools to identify and manage assets.

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date.
AI Justification
The chunk discusses the establishment and maintenance of inventories of all software installed on the corporate network, which aligns with the requirement to maintain a detailed inventory of licensed software.

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The section discusses the need to maintain an up-to-date inventory of all software, which aligns with ensuring only supported software is authorized.

Document Content
Matched Section
Section: Policy exceptions process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to security policies, which aligns with the need to manage unauthorized software through documented exceptions.

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The section discusses the establishment and maintenance of inventories of all hardware and software, which aligns with the control's focus on utilizing software inventory tools for documentation.

Document Content
Matched Section
Section: Log file retention requirements
Content: All log files should be maintained for at least 6 months.
AI Justification
The section specifies that all log files should be maintained for at least 6 months, which aligns with the requirement to retain data according to documented processes.

Document Content
Matched Section
Section: Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution.
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution.
AI Justification
The section discusses the production of event logs, periodic reviews, documentation of anomalies, and protection of log files, which aligns with logging sensitive data access.

Document Content
Matched Section
Section: Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification.
Content: e. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification.
AI Justification
The mention of using file integrity monitoring or change detection software on logs to alert personnel to unauthorized modification aligns with the control's focus on logging access and modifications.

Document Content
Matched Section
Section: Log files should be protected from tampering or unauthorized access.
Content: f. Log files should be protected from tampering or unauthorized access.
AI Justification
The requirement to protect log files from tampering or unauthorized access is directly related to logging sensitive data access.
23.0_IS_Network_and_Firewall_Security_Policy.pdf CIS
8 matches found

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: a) Devices utilized to support networks (e.g., routers, switches) will be inventoried, configured, and managed in a manner consistent and in compliance with Lazard Standards and Policies, such as 7.0 Asset Management Policy and 7.1 Asset Management Standard.
AI Justification
The section discusses the inventory and management of devices utilized to support networks, which aligns with the requirement to maintain an accurate inventory of enterprise assets.

Document Content
Matched Section
Section: The principle of least privilege should be employed by:
Content: Limiting account rights and privileges to only that access that is required by a user’s job functions. Assigning rights to file systems will be on an as-needed basis. Only the minimum rights necessary to accomplish a task will be issued.
AI Justification
The section discusses limiting account rights and privileges based on job functions, which aligns with configuring data access control lists based on a user’s need to know.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: b) Organizational data flows should be mapped and monitored. To include, but not limited to: i. Network traffic between the internet and cloud environments ii. Traffic between applications within cloud environments (i.e., containers/microservices)
AI Justification
The section explicitly mentions that organizational data flows should be mapped and monitored, which aligns with the requirement to document data flows.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: a) Devices utilized to support networks (e.g., routers, switches) will be inventoried, configured, and managed in a manner consistent and in compliance with Lazard Standards and Policies, such as 7.0 Asset Management Policy and 7.1 Asset Management Standard.
AI Justification
The section discusses the management and configuration of network devices, which aligns with the need for a documented secure configuration process.

Document Content
Matched Section
Section: Network Controls
Content: ii. All network services should only pass through Lazard’s approved firewalls which should only allow the defined protocols and services required to provide required functionality (e.g., principle of least privilege).
AI Justification
The section discusses the requirement for network services to pass through approved firewalls and the analysis of protocols and ports, which aligns with the control's focus on implementing and managing firewalls.

Document Content
Matched Section
Section: Devices that are Internet-facing and outside the Lazard firewall are subject to the policies below.
Content: Devices that are Internet-facing and outside the Lazard firewall are subject to the policies below. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls.
AI Justification
The text discusses the management of connections for devices that are Internet-facing, which aligns with the implementation of host-based firewalls to protect these devices.

Document Content
Matched Section
Section: infrastructure configuration standards including firewall, IDS/IPS, router, network communication protocols and Domain Name Server (DNS)
Content: infrastructure configuration standards including firewall, IDS/IPS, router, network communication protocols and Domain Name Server (DNS).
AI Justification
The mention of Domain Name Server (DNS) in the context of infrastructure configuration standards indicates a focus on DNS management and security.

Document Content
Matched Section
Section: i. Routers and other network devices will be accessed by means of passwords that are difficult to guess...
Content: i. Routers and other network devices will be accessed by means of passwords that are difficult to guess or to decipher by means of automated or other password detection tools; ii. Passwords remain confidential and are not shared by technical staff responsible for the maintenance of networks. iii. Passwords should be changed at a minimum of every 90 days or when employees or contractors who are responsible for the maintenance of networks, and who may have knowledge of passwords, leave the Firm’s employment; Note/Exception: In Paris, passwords are changed at a minimum of every 180 days. iv. Operating systems should be maintained at a release level that (1) is supported by the vendor and (2) is not associated with an identified, major security vulnerability; Access control lists (ACLs), if utilized for a specific device, should be properly authorized.
AI Justification
The section discusses the maintenance of network devices, including password management and operating system updates, which aligns with establishing a secure configuration process.
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf CIS
2 matches found

Document Content
Matched Section
Section: Detailed explanation of why the exception is necessary and Detailed mitigation information, if available.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The section discusses the approval process for exceptions to the policy regarding unauthorized software, which aligns with the requirement to manage unauthorized software and maintain records of approved requests.

Document Content
Matched Section
Section: Incident Categorization
Content: The following provides guidelines for CSIRT Incident Managers (IM) to classify the event category, criticality level, and sensitivity level for each incident. This information will be entered into the appropriate incident tracking system when an incident ticket is created. Consistent incident classification is required for the CSIRT to provide accurate reporting to management on a regular basis. In addition, the classifications will provide CSIRT IMs with proper incident handling procedures and will form the basis of the interaction between the CSIRT and other departments such as IT and physical security.
AI Justification
The chunk discusses guidelines for classifying incidents, which aligns with the establishment and maintenance of a data classification scheme.
19.1_IS_Cloud_Computing_Security_Standard.pdf CIS
16 matches found

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time should be maintained and updated regularly and assigned ownership by defined roles and responsibilities.
AI Justification
The text discusses maintaining a complete inventory of business-critical assets and their usage, which aligns with the requirement to establish and maintain an accurate inventory of enterprise assets.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The mention of encryption protocols for the protection of sensitive data aligns with the need to ensure data protection measures are in place.

Document Content
Matched Section
Section: Inventory and Control of Software Assets
Content: Inventory and Control of Software Assets
AI Justification
The control requires maintaining a detailed inventory of licensed software, which aligns with the mention of software inventory in the chunk.

Document Content
Matched Section
Section: NIST SP 800-53 Rev 5
Content: NIST SP 800-53 Rev 5
AI Justification
This control aligns with the need for an inventory of software and assets, as it emphasizes the importance of maintaining an inventory.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented...
Content: Data and objects containing data should be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
AI Justification
The section discusses the need for classification of data based on sensitivity and criticality, which aligns with the establishment and maintenance of a data inventory.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented...
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization’s business leadership or other accountable business role or function. Data and objects containing data should be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
AI Justification
The section discusses the establishment of policies and procedures for data management, including classification based on sensitivity and criticality, which aligns with the requirements of control 3.1.

Document Content
Matched Section
Section: User access policies and procedures should be established
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses establishing user access policies and procedures, which aligns with configuring data access control lists based on user needs.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage.
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text discusses the implementation of encryption protocols for the protection of sensitive data in storage, which aligns with the control's focus on encrypting data on end-user devices.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text discusses the use of encryption protocols for the protection of sensitive data in various states, which aligns with the control's focus on encryption.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage.
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text discusses the need for encryption protocols for the protection of sensitive data in storage, which aligns with the control's focus on encrypting sensitive data at rest.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented...
Content: Data and objects containing data should be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
AI Justification
The text discusses the classification of data based on sensitivity and criticality, which aligns with segmenting data processing and storage based on sensitivity.

Document Content
Matched Section
Section: The section discusses DLP and its role in safeguarding personal or confidential information.
Content: DLP: Data loss prevention (DLP) software detects potential data breaches and data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (endpoint protection), in motion (data in transit/network traffic), and at rest (data at rest/storage).
AI Justification
The text discusses the implementation of DLP software that detects potential data breaches and prevents them by monitoring and blocking sensitive data.
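The detection step is what makes the blocking step above possible, so it is worth seeing in working code. The following is an added example written for this page, not code from the Cloud Computing Security Standard or from any DLP product: a small content scanner for two of the data elements the Data Security Standard on this page names as requiring protection, payment card PANs and US SSNs. A PAN candidate is only reported when it passes the Luhn mod-10 check, and an SSN candidate only when the SSA could actually have issued it, which is what keeps a detector of this kind from drowning in false positives. The sample text, the regular expressions and the masked output format are assumptions for the example; a production engine would carry many more detectors and run inline at the endpoint, at network egress and over storage.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the canonical AAA-GG-SSSS form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed sample input: one Luhn-valid test PAN, one digit run that is not a
# card number, one plausible SSN and one placeholder the SSA never issues.
SAMPLE_TEXT = """Customer card 4111 1111 1111 1111 expires 12/27.
Ticket ref 1234567890123456 (not a card).
Employee SSN 123-45-6789; placeholder 000-00-0000 is not a real SSN."""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def mask(digits: str, keep_last: int = 4) -> str:
    """Mask the value so the DLP alert itself does not leak what it found."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def scan(text: str) -> List[Dict]:
    """Return findings sorted by position: data type, character offset, masked value."""
    findings: List[Dict] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "PAN", "offset": m.start(), "masked": mask(digits)})
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            digits = re.sub(r"\D", "", m.group())
            findings.append({"type": "SSN", "offset": m.start(), "masked": mask(digits)})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"{f['type']} at offset {f['offset']}: {f['masked']}")
```

Run against the constructed sample, the scanner reports the test card and the employee SSN and stays silent on the ticket reference (Luhn fails) and on the 000-00-0000 placeholder. The same `scan` function can be called from an endpoint agent on file contents, from a mail gateway on message bodies, or from a storage crawler, which is the in-use, in-motion and at-rest coverage the standard describes.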

Document Content
Matched Section
Section: Access Control and User Access Policies
Content: segregated and access restricted to prevent inappropriate disclosure and tampering of log data. User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses access restrictions and user access policies, which relate to logging sensitive data access and ensuring appropriate management of access.

Document Content
Matched Section
Section: Baseline security requirements for applications and infrastructure system and network components
Content: Baseline security requirements should be established for developed or acquired, organizationally owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations should be authorized following change management policies and procedures prior to deployment, provisioning, or use.
AI Justification
The chunk discusses establishing baseline security requirements and managing deviations from standard configurations, which aligns with maintaining a documented secure configuration process.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time should be maintained and updated regularly and assigned ownership by defined roles and responsibilities.
AI Justification
The text discusses maintaining a complete inventory of business-critical assets with assigned ownership, which aligns with securely managing enterprise assets.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The mention of encryption protocols for the protection of sensitive data aligns with data protection controls.
20.0_IS_Risk_Management_Policy_2.pdf CIS
0 matches found

No detailed analysis available for this document.

27.0_IS_Lazard_Reference_Timeout_Standard.pdf CIS
3 matches found

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee: 1. Policy statement requiring the exception. 2. Exception duration. Provide detailed information.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the requirement to manage unauthorized software through documented exceptions.

Document Content
Matched Section
Section: MAINTENANCE
Content: A periodic review of this standard and the associated core documents should be performed to identify and implement measures for improvement. The minimal interval for this review is annually from the date of last approval.
AI Justification
The text discusses the need for a periodical review of standards and associated documents, which aligns with the requirement to review and update documentation annually as stated in control 3.1.

Document Content
Matched Section
Section: Working Sessions and INFORMATION SECURITY GOALS
Content: Information Security Risk from extending timeout is minimal because the screen lock of 15 minutes is still active for all workstations and enforced at the AD Level.
AI Justification
The text discusses the enforcement of a 15-minute screen lock for workstations, which aligns with the requirement for configuring automatic session locking after a defined period of inactivity.
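The risk argument above rests on the lock actually being applied on every workstation, so a practitioner would want a check that reads the effective policy rather than trusting the GPO link. The following is an added example written for this page, not part of the Timeout Standard: it parses a `.reg` export of the two Windows policy keys a screen-lock GPO writes (`ScreenSaveActive`, `ScreenSaverIsSecure` and `ScreenSaveTimeOut` under the user Policies key, plus the machine-wide `InactivityTimeoutSecs`) and reports whether a lock of at most 15 minutes is enforced by either mechanism. The export text is constructed; the key paths and value names are the standard Windows policy locations, but that this organisation's AD enforcement uses exactly these is an assumption.

```python
from typing import Dict, List

DESKTOP_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
SYSTEM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
MAX_LOCK_SECONDS = 900  # the standard's 15-minute screen lock

# Constructed .reg export (assumption: what `reg export` of the two policy keys
# looks like on a workstation that has received the screen-lock GPO).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="900"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"InactivityTimeoutSecs"=dword:00000384
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: [key] headers, then "name"="string" or "name"=dword:hex lines.
    Every value comes back as a decimal string so the checks can compare uniformly."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("dword:"):
                value = str(int(value[len("dword:"):], 16))
            else:
                value = value.strip('"')
            keys[current][name] = value
    return keys


def _seconds(value) -> int:
    """A missing, non-numeric or zero value means the timeout is not enforced."""
    try:
        return max(int(value), 0)
    except (TypeError, ValueError):
        return 0


def check_screen_lock(keys: Dict[str, Dict[str, str]],
                      max_seconds: int = MAX_LOCK_SECONDS) -> Dict:
    """Compliant when either the secure screen saver or the machine inactivity
    limit locks the session within max_seconds; findings list every gap seen."""
    desk = keys.get(DESKTOP_KEY, {})
    sysk = keys.get(SYSTEM_KEY, {})
    findings: List[str] = []

    saver_timeout = _seconds(desk.get("ScreenSaveTimeOut"))
    if desk.get("ScreenSaveActive") != "1":
        findings.append("ScreenSaveActive is not 1: screen saver is not forced on")
    if desk.get("ScreenSaverIsSecure") != "1":
        findings.append("ScreenSaverIsSecure is not 1: screen saver does not lock the session")
    if not 0 < saver_timeout <= max_seconds:
        findings.append(f"ScreenSaveTimeOut={desk.get('ScreenSaveTimeOut')!r} "
                        f"is unset or above {max_seconds}s")
    saver_ok = (desk.get("ScreenSaveActive") == "1"
                and desk.get("ScreenSaverIsSecure") == "1"
                and 0 < saver_timeout <= max_seconds)

    inactivity = _seconds(sysk.get("InactivityTimeoutSecs"))
    inactivity_ok = 0 < inactivity <= max_seconds
    if not inactivity_ok:
        findings.append(f"InactivityTimeoutSecs={sysk.get('InactivityTimeoutSecs')!r} "
                        f"is unset or above {max_seconds}s")

    return {"compliant": saver_ok or inactivity_ok, "findings": findings}


if __name__ == "__main__":
    result = check_screen_lock(parse_reg(SAMPLE_REG))
    print("compliant" if result["compliant"] else "NON-COMPLIANT", result["findings"])
```

Feeding the checker an export where `ScreenSaveTimeOut` has been raised to 1800 and `InactivityTimeoutSecs` is zero makes it report both gaps and flip to non-compliant, which is the evidence a reviewer of the timeout exception would ask for.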
6.1_IS_Data_Security_Standards.pdf NIST
106 matches found

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance.
AI Justification
The text discusses the approval process for exceptions to the access control policy, which aligns with the need for documented policies and procedures regarding access control.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Label information with 'Internal', 'Confidential' or 'Restricted'.
AI Justification
The text discusses the importance of labeling and binding attributes to data, which aligns with the control's focus on managing access based on data structures and attributes.

Document Content
Matched Section
Section: Label information with 'Internal', 'Confidential' or 'Restricted'.
Content: Marking enables manual, procedural, or process-based enforcement of information security and privacy policies.
AI Justification
The mention of labeling and marking information aligns with the control's focus on the association of attributes with objects in a human-readable form.

Document Content
Matched Section
Section: High-Risk Technology Assets
Content: High-Risk Technology Assets are (non-exhaustive list): mobile end-user devices such as laptops, tablets and smartphones
AI Justification
The text discusses high-risk technology assets, including mobile devices, and emphasizes the need for appropriate controls and restrictions for their use.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard (table columns: Activity, Medium, Procedure, and applicability to Public, Internal, Confidential and Restricted information). Collection (all media): Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source; if this changes, details of the change should be communicated to the information source. Labelling (all media): Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements for information classification and emphasizes the importance of labeling and managing sensitive information, which aligns with the principles of information sharing and access restrictions.

Document Content
Matched Section
Section: Access Control Procedures
Content: Obtain appropriate approval when disclosing information externally, unless authorized or required by law, regulation, professional standard, contract, or agreement. Provide access only to those individuals with a business need.
AI Justification
The chunk discusses the need for obtaining appropriate approvals and ensuring that access to information is restricted to individuals with a business need, which aligns with the principles of access control.

Document Content
Matched Section
Section: Confidential data is personally identifiable information (PII) that an organization does not want anyone to obtain without its permission.
Content: Highly confidential business or personal information. There are often general statutory, regulatory, or contractual requirements that require protection of the data. Confidential data is personally identifiable information (PII) that an organization does not want anyone to obtain without its permission.
AI Justification
The text discusses the protection of highly confidential business or personal information, which aligns with the need for information flow control to regulate where such information can travel and to enforce policies regarding its transfer.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard.
Content: Applications should notify users during login that they are handling Confidential or Restricted data.
AI Justification
The chunk specifies that applications should notify users during login about handling Confidential or Restricted data, which aligns with the requirement for system use notifications.

Document Content
Matched Section
Section: Role-Based Training Requirements
Content: Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties.
AI Justification
The text discusses the necessity of role-based training tailored to the responsibilities and security requirements of individuals, which aligns with the control's focus on determining training content based on roles.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security policies, which aligns with the requirements for audit and accountability.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard (table columns: Activity, Medium, Procedure, and applicability to Public, Internal, Confidential and Restricted information). Collection (all media): Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source; if this changes, details of the change should be communicated to the information source. Labelling (all media): Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements for information classification, which aligns with the control's focus on preventing unauthorized disclosure of sensitive information.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for assessment, authorization, and monitoring, including the process for handling exceptions to these policies.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement, Access Control | Separation of Duties, Access Control | Least Privilege, Audit & Accountability | Monitoring for Information Disclosure, Physical & Environmental Protection | Information Leakage, Personnel Security | Monitoring Physical Access, System & Communications Protection | Boundary Protection, System & Information Integrity | System Monitoring
Content: Control: CA-7: Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.
AI Justification
The text discusses the importance of continuous monitoring for maintaining security and privacy posture, which aligns with the CA-7 control's focus on ongoing awareness and risk management.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policy exceptions and outlines the process for requesting and approving these exceptions, which aligns with the requirements for configuration management policies and procedures.

Document Content
Matched Section
Section: Highly confidential business or personal information.
Content: Highly confidential business or personal information. There are often general statutory, regulatory, or contractual requirements that require protection of the data.
AI Justification
The chunk discusses the need to protect highly confidential business or personal information, which aligns with understanding where information is processed and stored.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard (table columns: Activity, Medium, Procedure, and applicability to Public, Internal, Confidential and Restricted information). Collection (all media): Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source; if this changes, details of the change should be communicated to the information source. Labelling (all media): Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements for information classification and the collection of personally identifiable information, which aligns with the control's focus on data actions and processing of such information.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Control: CM-8: System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems...
AI Justification
The text discusses the importance of maintaining an inventory of system components, including details necessary for accountability, which aligns with the requirements of CM-8.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security policies, which aligns with the requirements for contingency planning and policy development.

Document Content
Matched Section
Section: Highly confidential business or personal information.
Content: Highly confidential business or personal information. There are often general statutory, regulatory, or contractual requirements that require protection of the data.
AI Justification
The chunk discusses the protection of highly confidential business or personal information, which aligns with the need for system-level information protection and backup requirements.

Document Content
Matched Section
Section: Any information that can be freely used and easily accessible by anyone with no existing local, national, regulatory or legal restrictions on access or usage.
Content: Any information that can be freely used and easily accessible by anyone with no existing local, national, regulatory or legal restrictions on access or usage.
AI Justification
The mention of regulatory or legal restrictions on access and usage of information aligns with the need for policies regarding information transfer.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policies and procedures regarding identification and authentication, including the approval process for exceptions, which aligns with the requirements of IA-1.

Document Content
Matched Section
Section: Authentication Mechanism
Content: Mechanism such as credentials, Access Keys/Tokens, Passwords, PIN, etc.
AI Justification
The chunk discusses various mechanisms for authentication, including credentials, passwords, and tokens, which align with the requirements for identification and authentication of users.

Document Content
Matched Section
Section: Authentication Mechanism such as credentials, Access Keys/Tokens, Passwords, PIN, etc.
Content: Authentication Mechanism such as credentials, Access Keys/Tokens, Passwords, PIN, etc.
AI Justification
The chunk discusses various authentication mechanisms and the importance of managing authenticators, which aligns with the requirements outlined in control IA-5.

Document Content
Matched Section
Section: Data at rest* Required - Encrypt PII/NPI data element under regulatory, legal or contractual requirements.
Content: Data at rest* Required - Encrypt PII/NPI data element under regulatory, legal or contractual requirements (e.g., PCI PAN, SSN, Account Numbers) when stored on High-risk Technology assets and where technology permits.
AI Justification
The chunk mentions the requirement to encrypt PII/NPI data elements when stored on high-risk technology assets, which aligns with the control SC-28.

Document Content
Matched Section
Section: Authentication Mechanism
Content: Authentication Mechanism such as credentials, Access Keys/Tokens, Passwords, PIN, etc.
AI Justification
The text discusses various authentication mechanisms such as credentials, access keys/tokens, passwords, and PINs, which aligns with the requirement for authentication mechanisms within a cryptographic module.

Document Content
Matched Section
Section: Authentication Mechanism
Content: Mechanism such as credentials, Access Keys/Tokens, Passwords, PIN, etc.
AI Justification
The chunk discusses the need for authentication mechanisms such as credentials, access keys, and tokens, which aligns with the identification and authentication of non-organizational users.

Document Content
Matched Section
Section: Authentication Mechanism
Content: Mechanism such as credentials, Access Keys/Tokens, Passwords, PIN, etc.
AI Justification
The chunk discusses various authentication mechanisms such as credentials, access keys, tokens, and passwords, which align with the identification and authentication methods described in control IA-9.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the approval process for exceptions to the policy, which relates to incident response procedures and the need for a structured approach to policy exceptions.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard (table columns: Activity, Medium, Procedure, and applicability to Public, Internal, Confidential and Restricted information). Collection (all media): Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source; if this changes, details of the change should be communicated to the information source. Labelling (all media): Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The text discusses handling requirements and procedures for different classifications of information, which aligns with the concept of information spillage and the need for corrective actions based on classification.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee.
AI Justification
The text discusses the need for policies and procedures related to maintenance and exceptions, emphasizing the importance of approval processes and adherence to security requirements.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the approval process for exceptions to the media protection policy, which directly relates to the establishment and implementation of media protection policies and procedures.

Document Content
Matched Section
Section: Handling of Assets | Management of Removable Media
Content: Handling of Assets Management of Removable Media
AI Justification
The chunk discusses the handling and management of both digital and non-digital media, which aligns with the definition of system media in control MP-2.

Document Content
Matched Section
Section: Handling of Assets | Management of Removable Media
Content: Handling of Assets Management of Removable Media Physical Media Transfer Clear Desk & Clear Screen Policy
AI Justification
The chunk discusses the handling and management of removable media, which aligns with the requirements for security marking of digital and non-digital media as specified in control MP-3.

Document Content
Matched Section
Section: Handling of Assets | Management of Removable Media | Physical Media Transfer
Content: Control: MP-4: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media.
AI Justification
The text discusses the management and protection of both digital and non-digital media, including secure storage and accountability, which aligns with the requirements of MP-4.

Document Content
Matched Section
Section: Handling of Assets | Management of Removable Media | Physical Media Transfer
Content: Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport.
AI Justification
The text discusses the protection of media during transport, including the use of cryptography and the need for accountability and documentation.

Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Erase, degauss, or destroy (using a CD shredder) all electronic media in a manner that will render the information irretrievable. Laptops and external media (e.g., CDs, USB, hard drives, etc.) should be securely wiped prior to reuse. Delete files from all devices (e.g., laptops, mobile devices, USB drives, etc.) once they are no longer required to be retained, and place unnecessary paper documents in a shredding bin.
AI Justification
The text discusses the disposal and sanitization of both digital and non-digital media, including specific methods such as shredding and securely wiping electronic media, which aligns with the requirements of MP-6.

Document Content
Matched Section
Section: Management of Removable Media
Content: Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives.
AI Justification
The text discusses the restrictions and protections related to the use of various types of media, including portable storage devices, which aligns directly with the requirements of MP-7.

Document Content
Matched Section
Section: Handling of Assets | Management of Removable Media
Content: Handling of Assets Management of Removable Media
AI Justification
The chunk discusses the handling of assets, specifically focusing on the management of removable media and the processes involved in ensuring that information is not retrievable or reconstructable when media is released outside the organization.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the approval process for exceptions to the policy, which aligns with the need for established policies and procedures regarding physical and environmental protection.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard: Activity Medium Procedure Public Internal Confidential Restricted Collection All Labelling All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements and information classification, which aligns with the control's focus on protecting against information leakage.

Document Content
Matched Section
Section: Physical & Environmental Protection | Information Leakage
Content: Control: PE-22: Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices.
AI Justification
The chunk discusses the marking of hardware components and the classification levels associated with them, which aligns with the control's focus on marking hardware for security purposes.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Permissions controlling output to the output devices are addressed in AC-3 or AC-4.
AI Justification
The mention of permissions controlling output to output devices relates to access enforcement mechanisms.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Permissions controlling output to the output devices are addressed in AC-3 or AC-4.
AI Justification
Similar to AC-3, this control relates to the enforcement of permissions regarding information flow to output devices.

Document Content
Matched Section
Section: Equipment Siting & Protection
Content: Equipment Siting & Protection
AI Justification
The chunk discusses various controls related to physical protection and security measures that align with the requirements of PE-4.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Control: PE-3: Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
AI Justification
The text discusses physical access controls, including the types of guards, physical access devices, and compliance with laws and regulations.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Access Control | Information Flow Enforcement
AI Justification
The chunk discusses access control measures that align with the physical access control to output devices, including securing areas and monitoring access.

Document Content
Matched Section
Section: Personnel Security | Monitoring Physical Access
Content: Personnel Security | Monitoring Physical Access
AI Justification
The mention of monitoring physical access aligns with the control's emphasis on securing output devices and allowing access to authorized individuals only.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Access Control | Information Flow Enforcement
AI Justification
The chunk discusses various aspects of physical access monitoring, including the identification of suspicious activities and the importance of monitoring access logs.

Document Content
Matched Section
Section: Data Protection
Content: Data Protection
AI Justification
The mention of monitoring physical access aligns with the broader context of data protection and incident response capabilities.

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the planning and procedural aspects of control PL-1.

Document Content
Matched Section
Section: Control References
Content: Highly confidential business or personal information. There are often general statutory, regulatory, or contractual requirements that require protection of the data.
AI Justification
The text discusses the need for protection of highly confidential business or personal information, which aligns with the concept of control baselines that address the protection needs of an organization.

Document Content
Matched Section
Section: Control Name
Content: Control Name Equipment Siting & Protection Use of Privileged Utility Programs Access Control to Program Source Code Policy on the Utilization of Cryptographic Controls Protecting Against External & Environmental Threats A.9.4.4 A.9.4.5 A.10.1.1 A.11.1.4 A.11.1.5 Working in Secure Areas A.11.2.1 A.13.1.1 Network Controls A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 Segregation in Networks Information Transfer Policies & Procedures Electronic Messaging Confidentiality or Non-Disclosure Agreements Securing Application Services on Public Networks Protecting Application Services Transactions NIST SP 800-53 Rev 5 AC-4 AC-5 AC-6 AU-13 PE-19 PS-6 SC-7 SI-4 CIS CSC 3
AI Justification
The text discusses the establishment of rules of behavior for organizational users, which aligns directly with the control's focus on access agreements and user responsibilities.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard: Activity Medium Procedure Public Internal Confidential Restricted Collection All Labelling All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements and information classification, which aligns with the need to protect information and assess risks associated with its handling.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard: Activity Medium Procedure Public Internal Confidential Restricted Collection All Labelling All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements and classification schemes for different types of information, which aligns with the control's focus on safeguarding and dissemination requirements for controlled unclassified information.

Document Content
Matched Section
Section: 1.11 DOCUMENT INFORMATION
Content: APPROVER(S): Peter Keenan POSITION: Chief Information Security Officer (CISO)
AI Justification
The document mentions the Chief Information Security Officer (CISO), which aligns with the definition of the senior agency information security officer as outlined in control PM-2.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Collect only the information necessary to meet business objectives or fulfill Customer obligations. Verify and validate, with the information source, that the information being collected is reliable and relevant.
AI Justification
The chunk discusses the importance of collecting only necessary information and verifying its reliability and relevance, which aligns with the quality management of personally identifiable information.

Document Content
Matched Section
Section: Data Governance Body responsibilities and data protection requirements
Content: Control: PM-23: A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance.
AI Justification
The text discusses the importance of managing and protecting personally identifiable information (PII) and the need for coherent policies, which aligns with the establishment of a Data Governance Body.

Document Content
Matched Section
Section: Confidential data protection and information transfer
Content: Confidential data is personally identifiable information (PII) that an organization does not want anyone to obtain without its permission.
AI Justification
The mention of protecting confidential data and PII aligns with the need for policies regarding the transfer of such information.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard: Activity Medium Procedure Public Internal Confidential Restricted Collection All Labelling All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs.
AI Justification
The chunk discusses handling requirements for information collection and emphasizes the importance of only collecting necessary information, which aligns with the control's focus on managing personally identifiable information (PII) to prevent unauthorized disclosure.

Document Content
Matched Section
Section: Supply Chain Risk Management
Content: An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities.
AI Justification
The text discusses the organization-wide supply chain risk management strategy, including risk appetite, mitigation strategies, and roles and responsibilities, which aligns with the control's requirements.

Document Content
Matched Section
Section: Supply Chain Risk Management
Content: The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans.
AI Justification
The text mentions that the supply chain risk management strategy can guide and inform supply chain policies and system-level supply chain risk management plans, which aligns with the control's focus.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement, Access Control | Separation of Duties, Access Control | Least Privilege, Audit & Accountability | Monitoring for Information Disclosure, Physical & Environmental Protection | Information Leakage, Personnel Security | Monitoring Physical Access, System & Communications Protection | Boundary Protection, System & Information Integrity | System Monitoring
Content: Control: PM-31: Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions...
AI Justification
The text discusses the importance of continuous monitoring for maintaining security and privacy posture, which aligns with the control's focus on ongoing awareness and risk management.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement, Access Control | Separation of Duties, Access Control | Least Privilege, Audit & Accountability | Monitoring for Information Disclosure, Physical & Environmental Protection | Information Leakage, Personnel Security | Monitoring Physical Access, System & Communications Protection | Boundary Protection, System & Information Integrity | System Monitoring
Content: Control: PM-31: Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions...
AI Justification
The mention of continuous monitoring programs and the need for ongoing assessment aligns with the CA-7 control which emphasizes continuous monitoring of security controls.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the approval process for exceptions to the security policy, which aligns with the need for established personnel security policies and procedures.

Document Content
Matched Section
Section: Disciplinary Actions for Policy Violations
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The text discusses disciplinary actions for policy violations, which aligns with the control's focus on organizational sanctions reflecting laws and policies.

Document Content
Matched Section
Section: Control References
Content: Highly confidential business or personal information. There are often general statutory, regulatory, or contractual requirements that require protection of the data. Confidential data is personally identifiable information (PII) that an organization does not want anyone to obtain without its permission.
AI Justification
The text discusses the importance of policies and procedures for handling personally identifiable information (PII) and the need for collaboration between security and privacy programs, which aligns with the PT-1 control.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Collection All Labelling All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs.
AI Justification
The chunk discusses handling requirements for various classifications of information, including the collection and validation of information, which aligns with the processing operations described in PT-2.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source.
AI Justification
The chunk discusses the importance of providing a description of the reason for collecting information, which aligns with the control's focus on identifying and documenting the purpose for processing personally identifiable information.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard: Activity Medium Procedure Public Internal Confidential Restricted Collection All Labelling All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements for various categories of information, including the necessity to collect only what is needed and to label information according to its sensitivity, which aligns with the need for protections for personally identifiable information.

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the approval process for exceptions to the policy, which relates to the risk assessment policy and procedures that govern how exceptions are handled in relation to security requirements.

Document Content
Matched Section
Section: Security categorization processes facilitate the development of inventories of information assets.
Content: Highly confidential business or personal information. There are often general statutory, regulatory, or contractual requirements that require protection of the data.
AI Justification
The text discusses the importance of protecting highly confidential business or personal information, which aligns with the need for security categorization to understand potential adverse impacts.

Document Content
Matched Section
Section: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring, including the categorization of information and systems, and the processes involved in identifying and addressing vulnerabilities.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard: Activity Medium Procedure Public Internal Confidential Restricted Collection All Labelling All Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements and the importance of collecting only necessary information, which aligns with the principles of conducting a privacy impact assessment.

Document Content
Matched Section
Section: Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded.
Content: Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design.
AI Justification
The text discusses the importance of criticality analysis in identifying and prioritizing protection activities for system components, which aligns with the principles of risk assessment.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security policies, which aligns with the control's focus on acquisition policies and procedures.

Document Content
Matched Section
Section: High-Risk Technology Assets
Content: High-Risk Technology Assets are (not exhaustive list):
- Mobile end user devices such as laptops, tablets and smartphones
- Portable (‘Removable’) media such as USB drives and CD/DVD
- Backup Media
- Internet
- Wireless LAN / Bluetooth / Cellular Data
- Public Cloud Services
  o Online, Multi-Tenant (i.e.: shared), elastic and scalable (i.e. pooled resource) technology services.
  o Infrastructure (i.e. IaaS), Platform (i.e. PaaS) and Application (i.e.: SaaS)
  o Includes Lazard direct use and third-party service providers.
AI Justification
The chunk discusses high-risk technology assets, including public cloud services and third-party service providers, which aligns with the management of external system services as described in control SA-9.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security policies, which aligns with the requirements of SC-1 for establishing a system and communications protection policy.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard. (Table columns: Activity, Medium, Procedure; applicability columns: Public, Internal, Confidential, Restricted.) Collection (Medium: All): Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. Labelling (Medium: All): Label information with 'Internal', 'Confidential' or 'Restricted'. Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The chunk discusses handling requirements and labeling of information based on its classification, which aligns with the concept of security and privacy attributes as described in SC-16.

Document Content
Matched Section
Section: Equipment Siting & Protection
Content: Equipment Siting & Protection
AI Justification
The control aligns with the need to separate user functions from system management functions to enforce information flow policies.

Document Content
Matched Section
Section: Use of Privileged Utility Programs
Content: Use of Privileged Utility Programs
AI Justification
This control is relevant as it emphasizes the separation of user and system management functions.

Document Content
Matched Section
Section: Access Control to Program Source Code
Content: Access Control to Program Source Code
AI Justification
The principle of least privilege is inherent in the separation of user and system management functions.

Document Content
Matched Section
Section: Network Controls
Content: Network Controls
AI Justification
The control relates to the separation of system management functions from user functions, which can involve boundary protection measures.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
Content: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
AI Justification
The chunk discusses secure name and address resolution services, which aligns with the need for authoritative source information for network address resolution.

Document Content
Matched Section
Section: System & Communications Protection | Session Authenticity
Content: System & Communications Protection | Session Authenticity
AI Justification
The mention of session authenticity relates to ensuring the integrity and authenticity of communications, which is relevant to the control's focus.

Document Content
Matched Section
Section: System & Communications Protection | Out-of-Band Channels
Content: System & Communications Protection | Out-of-Band Channels
AI Justification
The control relates to ensuring secure communication channels, which is relevant to the integrity verification mentioned in the chunk.

Document Content
Matched Section
Section: Data at rest* Required - Encrypt PII/NPI data element under regulatory, legal or contractual requirements
Content: Data at rest* Required - Encrypt PII/NPI data element under regulatory, legal or contractual requirements (e.g., PCI PAN, SSN, Account Numbers) when stored on High-risk Technology assets and where technology permits.
AI Justification
The chunk discusses the protection of data at rest, specifically mentioning the need for encryption of sensitive information stored on technology assets.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement, Access Control | Separation of Duties, Access Control | Least Privilege
Content: Access Control | Information Flow Enforcement; Access Control | Separation of Duties; Access Control | Least Privilege
AI Justification
The chunk discusses access control mechanisms and the isolation of security functions from nonsecurity functions, which aligns with the description of SC-3.

Document Content
Matched Section
Section: Data Protection
Content: Data Protection
AI Justification
The mention of handling assets and management of removable media relates to the protection of information processes, aligning with PR.IP-6.

Document Content
Matched Section
Section: System & Communications Protection | Alternate Communications Path
Content: An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident.
AI Justification
The text discusses the importance of establishing alternate communications paths to ensure operational continuity during incidents, which aligns directly with the intent of control SC-47.

Document Content
Matched Section
Section: Control Name
Content: Control Name (ISO/IEC 27001:2013 Annex A reference): Use of Privileged Utility Programs (A.9.4.4); Access Control to Program Source Code (A.9.4.5); Policy on the Utilization of Cryptographic Controls (A.10.1.1); Protecting Against External & Environmental Threats (A.11.1.4); Working in Secure Areas (A.11.1.5); Equipment Siting & Protection (A.11.2.1); Network Controls (A.13.1.1); Segregation in Networks (A.13.1.3); Information Transfer Policies & Procedures (A.13.2.1); Electronic Messaging (A.13.2.3); Confidentiality or Non-Disclosure Agreements (A.13.2.4); Securing Application Services on Public Networks (A.14.1.2); Protecting Application Services Transactions (A.14.1.3). NIST SP 800-53 Rev 5 column: AC-4, AC-5, AC-6, AU-13, PE-19, PS-6, SC-7, SI-4. CIS CSC column: 3.
AI Justification
The text discusses managed interfaces, boundary protection, and the importance of restricting traffic to enhance security, which aligns with the SC-7 control.

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance.
AI Justification
The text discusses the approval process for exceptions to the policy, which aligns with the need for established policies and procedures regarding system and information integrity.

Document Content
Matched Section
Section: Control Name
Content: Control Name: Equipment Siting & Protection; Use of Privileged Utility Programs; Access Control to Program Source Code; Policy on the Utilization of Cryptographic Controls; Protecting Against External & Environmental Threats
AI Justification
The text discusses the importance of protecting the confidentiality and integrity of transmitted information, which aligns directly with control SC-8.

Document Content
Matched Section
Section: Control Name
Content: Control Name: Equipment Siting & Protection; Use of Privileged Utility Programs; Access Control to Program Source Code; Policy on the Utilization of Cryptographic Controls; Protecting Against External & Environmental Threats
AI Justification
The mention of employing encryption techniques for logical protection aligns with the need for a policy on cryptographic controls.

Document Content
Matched Section
Section: Control Name
Content: Control Name: Equipment Siting & Protection; Use of Privileged Utility Programs; Access Control to Program Source Code; Policy on the Utilization of Cryptographic Controls; Protecting Against External & Environmental Threats
AI Justification
The text discusses protecting transmitted information over networks, which aligns with the need for network controls.

Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Erase, degauss, or destroy (using a CD shredder) all electronic media in a manner that will render the information irretrievable.
AI Justification
The text discusses the disposal and retention of information, including the management of electronic media and paper documents, which aligns with information management and retention requirements.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Verify and validate, with the information source, that the information being collected is reliable and relevant.
AI Justification
The chunk discusses the verification and validation of information collected, ensuring its reliability and relevance, which aligns with the operations outlined in SI-18.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs.
AI Justification
The text discusses the handling and collection of information, emphasizing the importance of collecting only necessary information and managing data sensitivity, which aligns with the principles of de-identification.

Document Content
Matched Section
Section: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard
Content: Handling requirements for the following shall be developed and implemented in accordance with the information classification scheme adopted by Lazard. (Table columns: Activity, Medium, Procedure; applicability columns: Public, Internal, Confidential, Restricted.) Collection (Medium: All): Collect only the information necessary to meet business objectives or fulfill Customer obligations. Return, discard, mask, or sanitize information that is not required to satisfy business needs. Verify and validate, with the information source, that the information being collected is reliable and relevant. Provide a description of the reason for collecting the information to the information source. If this changes, details of the change should be communicated to the information source. Labelling (Medium: All): Label information with "Internal", "Confidential" or "Restricted". Applications should notify users during login that they are handling Confidential or Restricted data. File name should not indicate classification or sensitivity of the data.
AI Justification
The text discusses handling requirements for information classification and the importance of managing sensitive information to prevent exfiltration, aligning with the control's focus on protecting valuable information from advanced persistent threats.

Document Content
Matched Section
Section: System & Information Integrity | System Monitoring
Content: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system.
AI Justification
The text discusses the importance of system monitoring, including both internal and external monitoring, and the tools and techniques used for monitoring, which aligns directly with the SI-4 control.

Document Content
Matched Section
Section: System & Information Integrity | System Monitoring
Content: System & Information Integrity | System Monitoring
AI Justification
The chunk discusses various aspects of access control and system monitoring, which are relevant to the integrity of systems and information.

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the need for a supply chain risk management policy that addresses controls and procedures.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement, Access Control | Separation of Duties, Access Control | Least Privilege
Content: Access Control | Information Flow Enforcement; Access Control | Separation of Duties; Access Control | Least Privilege
AI Justification
The chunk discusses various controls related to access and protection of systems, which aligns with the need for inspection of systems for tamper resistance.

Document Content
Matched Section
Section: Disposal (in accordance with Retention Policy)
Content: Erase, degauss, or destroy (using a CD shredder) all electronic media in a manner that will render the information irretrievable. Laptops and external media (e.g., CDs, USB, hard drives, etc.) should be securely wiped prior to reuse. Delete files from all devices (e.g., laptops, mobile devices, USB drives, etc.) after no longer required to be retained, and place unnecessary paper documents in a shredding bin.
AI Justification
The text discusses the disposal of information and media, aligning with the control's focus on proper disposal methods during the system development life cycle.

Document Content
Matched Section
Section: Supply Chain Risk Management
Content: Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans.
AI Justification
The text discusses the importance of managing supply chain risks and outlines the activities involved in supply chain risk management, which aligns with the control SR-12.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Control: SR-5: The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution.
AI Justification
The text discusses various strategies and tools to protect the supply chain, which aligns with the objectives of SR-5.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Control: SR-7: Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain.
AI Justification
The text discusses the importance of supply chain OPSEC, which aligns with the control's focus on protecting critical information related to suppliers and potential suppliers.
2.1_IS_Acceptable_Use_Standard.pdf NIST
72 matches found

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of access control policies and procedures, including the process for exceptions, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: 1.6 ENFORCEMENT/COMPLIANCE
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The text discusses the identification of authorized system users, access privileges, and the management of various types of accounts, which aligns with the requirements of AC-2.

Document Content
Matched Section
Section: Lost Devices
Content: If the device is lost or stolen, the user should IMMEDIATELY report this to the Information Security Department and IT Department so they can remotely wipe or remove all data from the device.
AI Justification
The section discusses the requirements for password protection and reporting lost or stolen devices, which aligns with the control's focus on the protection and management of mobile devices.

Document Content
Matched Section
Section: Lost Devices
Content: Also, if the user decides to replace or upgrade the device, the user should report this as well. The IT Department will make arrangements to wipe the old device.
AI Justification
The section mentions the need for reporting device replacements and the wiping of old devices, which aligns with the control's focus on managing mobile devices that may not be organization-controlled.

Document Content
Matched Section
Section: Disseminating information about employees or lists of Lazard employees and Disseminating internal or confidential organization documents
Content: 6. Disseminating information about employees or lists of Lazard employees (including employees of Lazard subsidiaries), contractors, and customers to any third party unless required for a valid business purpose. 7. Disseminating internal or confidential organization documents or information to external entities, outside of Lazard unless required for a valid business purpose.
AI Justification
The chunk discusses the dissemination of information about employees and confidential documents, which aligns with the control's focus on restricted information sharing.

Document Content
Matched Section
Section: Disseminating internal or confidential organization documents or information to external entities, outside of Lazard unless required for a valid business purpose.
Content: 7. Disseminating internal or confidential organization documents or information to external entities, outside of Lazard unless required for a valid business purpose.
AI Justification
The chunk discusses the dissemination of internal or confidential information and the unauthorized access to such information, aligning with the control's focus on restricting access to nonpublic information.

Document Content
Matched Section
Section: Making unprofessional comments about Lazard in public forums, electronic or otherwise unless required for a valid business purpose or required by regulatory authorities (e.g., AML, etc.)
Content: 8. Making unprofessional comments about Lazard in public forums, electronic or otherwise unless required for a valid business purpose or required by regulatory authorities (e.g., AML, etc.)
AI Justification
The mention of making unprofessional comments in public forums relates to the control's emphasis on managing publicly accessible content and protecting proprietary information.

Document Content
Matched Section
Section: 1.6 ENFORCEMENT/COMPLIANCE
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment. Violation of these policies by anyone other than an employee performing services for Lazard, including anyone performing services pursuant to a contract, may be grounds for immediate termination. Lazard may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification
The text discusses enforcement of policies related to user access and the consequences of violations, aligning with the principles of access control policies.

Document Content
Matched Section
Section: Section 6-10 regarding dissemination of information and unauthorized actions.
Content: 6. Disseminating information about employees or lists of Lazard employees (including employees of Lazard subsidiaries), contractors, and customers to any third party unless required for a valid business purpose. 7. Disseminating internal or confidential organization documents or information to external entities, outside of Lazard unless required for a valid business purpose.
AI Justification
The chunk discusses the dissemination of information about employees and internal documents, which relates to controlling the flow of information to external entities.

Document Content
Matched Section
Section: Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
Content: Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
AI Justification
The text discusses the requirement for Multi-Factor Authentication (MFA) and the management of access to sensitive systems, which aligns with the need to limit unsuccessful logon attempts and take action when limits are exceeded.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Lazard systems, all users should be presented a system use notification message upon login.
AI Justification
The text explicitly mentions that users should be presented with a system use notification message upon login, which aligns directly with the requirements of AC-8.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard’s Acceptable Use Policy outlines appropriate actions when using company-owned and managed information systems, IT assets, and business applications. Attached appendices provide specific Rules of Behavior (ROB) to be acknowledged by all Lazard network users, and activities deemed inappropriate and strictly prohibited when using Lazard computing resources.
AI Justification
The text discusses the importance of audit and accountability policies and procedures, which aligns with the control's focus on establishing such policies within organizations.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Lazard systems, all users should be presented a system use notification message upon login. Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The mention of monitoring system activity to maintain security and ensure legitimate usage aligns with the need for audit events as part of accountability measures.

Document Content
Matched Section
Section: 6. Disseminating information about employees or lists of Lazard employees and 7. Disseminating internal or confidential organization documents or information.
Content: 6. Disseminating information about employees or lists of Lazard employees (including employees of Lazard subsidiaries), contractors, and customers to any third party unless required for a valid business purpose. 7. Disseminating internal or confidential organization documents or information to external entities, outside of Lazard unless required for a valid business purpose.
AI Justification
The chunk discusses the dissemination of internal or confidential information, which aligns with the control's focus on unauthorized disclosure and data leakage.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Lazard systems, all users should be presented a system use notification message upon login. Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The text discusses monitoring user activity and ensuring appropriate usage of systems, which aligns with session auditing practices.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Lazard systems, all users should be presented a system use notification message upon login. Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The chunk discusses monitoring system activity to maintain security and ensure appropriate usage, which aligns with the control's focus on audit record review and analysis.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard’s Acceptable Use Policy outlines appropriate actions when using company-owned and managed information systems, IT assets, and business applications. Attached appendices provide specific Rules of Behavior (ROB) to be acknowledged by all Lazard network users, and activities deemed inappropriate and strictly prohibited when using Lazard computing resources.
AI Justification
The text discusses the importance of policies and procedures related to assessment, authorization, and monitoring, which aligns with the CA-1 control.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The mention of monitoring system activity to maintain security and ensure legitimate usage aligns with the need for audit and accountability.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The text discusses the importance of monitoring system security and user activity to maintain security and ensure appropriate usage, which aligns with the continuous monitoring concept.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having a configuration management policy and procedures, including the approval process for exceptions, which aligns with the requirements of CM-1.

Document Content
Matched Section
Section: User Data Management and Monitoring
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Lazard managed application.
AI Justification
The text discusses the remote wiping and monitoring of personal data stored or processed by a managed application, which relates to the processing of personally identifiable information and the associated risks.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the necessity of having policies and procedures for contingency planning, including the handling of exceptions and emergency situations, which aligns with CP-1.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets.
AI Justification
The text discusses the importance of identification and authentication policies and procedures, including the need for approval for exceptions, which aligns with the control's focus on establishing such policies.

Document Content
Matched Section
Section: Multi-Factor Authentication (MFA) is required to access the Lazard network
Content: Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
AI Justification
The text discusses the requirement of Multi-Factor Authentication (MFA) and mentions the use of common IDs and passwords, which relates to the need for adaptive authentication mechanisms to enhance security.

Document Content
Matched Section
Section: V. Bring Your Own Device
Content: Mandatory security controls and safeguards have been identified by Lazard for managing security for personally owned devices registered, provisioned, and authorized to connect to Lazard’s network.
AI Justification
The chunk discusses Multi-Factor Authentication (MFA) and the management of personally owned devices, which aligns with the need for unique device identification and authentication.

Document Content
Matched Section
Section: Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
Content: Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
AI Justification
The text discusses the requirement for Multi-Factor Authentication (MFA) and the use of passwords, which aligns with the identification and authentication requirements outlined in IA-2.

Document Content
Matched Section
Section: Identification and authentication requirements for non-organizational users are described in IA-8.
Content: Identification and authentication requirements for non-organizational users are described in IA-8.
AI Justification
The mention of identification and authentication requirements for non-organizational users aligns with IA-8.

Document Content
Matched Section
Section: Password Management and Multi-Factor Authentication
Content: If available, Multi-Factor Authentication (MFA) should be used to augment credential security. MFA requires two forms of identification for successful login: • Something you know – the employee’s username and password. • Something you have – a device or access token. • Something you are – verified by a biometric device. m. Passwords should be between 8 and 64 characters with the ability to expand to 64 characters. Systems that enforce the 14-character minimum are not required to enforce complexity and password expiration. If systems do not enforce 14-character minimum password length, password complexity and 60-day expiration should be enforced. Password may not be less than 8 characters without approval of the CISO. Effective password complexity guidelines include the following:
AI Justification
The chunk discusses the use of Multi-Factor Authentication (MFA) and specific password requirements, which align with the control's focus on authenticators and their management.
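The matched section above is a set of thresholds that an assessor normally checks against each system's effective configuration rather than reading once. The following Python check is an added example, not part of the assessed Lazard policy documents or of the assessment tooling. It encodes only the rules quoted in the matched section: a minimum length of 8 and a maximum of 64, no complexity or expiration requirement where a 14-character minimum is enforced, complexity plus a 60-day expiration where it is not, and CISO approval for any minimum below 8. The PasswordSettings fields and the systems in SAMPLE_SYSTEMS are assumptions constructed for the example.

```python
"""Check a system's effective password settings against the password standard quoted above.

Added example; not part of the assessed policy documents or the assessment tooling.
Only the thresholds stated in the matched section are encoded. Field names and the
sample inventory are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ABSOLUTE_MIN_LENGTH = 8          # a minimum below this needs CISO approval
REQUIRED_MAX_LENGTH = 64         # systems must accept passwords at least this long
COMPLEXITY_WAIVER_LENGTH = 14    # enforcing this minimum waives complexity and expiration
SHORT_PASSWORD_MAX_AGE_DAYS = 60 # required expiration when the minimum is below 14


@dataclass(frozen=True)
class PasswordSettings:
    """Effective settings read from one system (field names are assumptions)."""
    system: str
    min_length: int
    max_length: int                  # longest password the system accepts
    complexity_enforced: bool
    max_age_days: Optional[int]      # None means passwords never expire
    ciso_approval: bool = False      # documented approval for a minimum below 8


def evaluate(settings: PasswordSettings) -> List[str]:
    """Return the findings for one system; an empty list means it meets the standard."""
    findings: List[str] = []

    if settings.min_length < ABSOLUTE_MIN_LENGTH and not settings.ciso_approval:
        findings.append(
            f"minimum length {settings.min_length} is below "
            f"{ABSOLUTE_MIN_LENGTH} without CISO approval"
        )

    if settings.max_length < REQUIRED_MAX_LENGTH:
        findings.append(
            f"maximum accepted length {settings.max_length} is below {REQUIRED_MAX_LENGTH}"
        )

    # A 14-character minimum waives both the complexity and the expiration requirement.
    if settings.min_length >= COMPLEXITY_WAIVER_LENGTH:
        return findings

    if not settings.complexity_enforced:
        findings.append(
            f"minimum length {settings.min_length} is below {COMPLEXITY_WAIVER_LENGTH}, "
            "so password complexity must be enforced"
        )
    if settings.max_age_days is None or settings.max_age_days > SHORT_PASSWORD_MAX_AGE_DAYS:
        current = "never" if settings.max_age_days is None else f"{settings.max_age_days} days"
        findings.append(
            f"minimum length {settings.min_length} is below {COMPLEXITY_WAIVER_LENGTH}, "
            f"so expiration must be {SHORT_PASSWORD_MAX_AGE_DAYS} days or less (currently {current})"
        )
    return findings


def audit(systems: List[PasswordSettings]) -> Dict[str, List[str]]:
    """Map each non-compliant system name to its findings; compliant systems are omitted."""
    report: Dict[str, List[str]] = {}
    for settings in systems:
        findings = evaluate(settings)
        if findings:
            report[settings.system] = findings
    return report


# Constructed sample inventory (assumption), one entry per system.
SAMPLE_SYSTEMS = [
    PasswordSettings("vpn-gateway", 14, 128, False, None),  # 14+ minimum: waiver applies
    PasswordSettings("hr-portal", 8, 64, True, 60),         # short minimum, compensating controls present
    PasswordSettings("legacy-erp", 8, 64, False, 90),       # short minimum, no complexity, expiry too long
    PasswordSettings("kiosk", 6, 64, True, 30),             # below 8 with no documented approval
    PasswordSettings("trading-app", 12, 32, True, 45),      # accepts only 32-character passwords
]

if __name__ == "__main__":
    for system, findings in audit(SAMPLE_SYSTEMS).items():
        print(system)
        for finding in findings:
            print("  -", finding)
```

The waiver is the part worth getting right: once the 14-character minimum is enforced, the check deliberately stops before the complexity and expiration tests, so a system such as vpn-gateway with no expiration and no complexity rule is reported as compliant, while a system with an 8-character minimum is held to both.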

Document Content
Matched Section
Section: Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
Content: o. Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
AI Justification
The requirement for Multi-Factor Authentication (MFA) aligns with the need for authentication mechanisms to verify the identity of operators accessing systems.

Document Content
Matched Section
Section: Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
Content: o. Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
AI Justification
The requirement for Multi-Factor Authentication (MFA) and the identification of users aligns with the need to authenticate non-organizational users accessing the network.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: Policy statement requiring the exception. Exception duration. Provide detailed information. Detailed explanation of why the exception is necessary. Detailed mitigation information, if available.
AI Justification
The text discusses the necessity of having policies and procedures for incident response, including the management of exceptions and the roles involved in approving them.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: Policy statement requiring the exception. Exception duration. Provide detailed information. Detailed explanation of why the exception is necessary. Detailed mitigation information, if available.
AI Justification
The text discusses the importance of maintenance policies and procedures, including the need for collaboration between security and privacy programs, which aligns with the requirements of control MA-1.

Document Content
Matched Section
Section: Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
Content: o. Multi-Factor Authentication (MFA) is required to access the Lazard network, any internet facing applications and certain sensitive and business critical Lazard systems.
AI Justification
The requirement for Multi-Factor Authentication (MFA) aligns with the need for strong authentication techniques as specified in IA-2.

Document Content
Matched Section
Section: With Lazard IT Department Personnel only, there may be select instances where a common ID and Password is used by several IT professionals who are performing the same function.
Content: p. With Lazard IT Department Personnel only, there may be select instances where a common ID and Password is used by several IT professionals who are performing the same function.
AI Justification
The mention of MFA and the use of common ID and Password for IT personnel relates to the control's focus on authentication techniques for nonlocal maintenance.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of media protection policies and procedures, including the need for approval for exceptions and the process for implementing stronger or lower security requirements.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The chunk discusses document classification and the handling of confidential information, which aligns with the concept of security marking as it pertains to the classification and safeguarding of information.

Document Content
Matched Section
Section: Data processing using Lazard-authorized encrypted removable media
Content: Data processing using Lazard-authorized encrypted removable media (USB drives, external hard drives).
AI Justification
The text discusses the use of authorized encrypted removable media and the prohibition of personally owned removable media, which aligns with the control's focus on managing and protecting system media.

Document Content
Matched Section
Section: Data processing using Lazard-authorized encrypted removable media (USB drives, external hard drives).
Content: Data processing using Lazard-authorized encrypted removable media (USB drives, external hard drives).
AI Justification
The text discusses the use of authorized encrypted removable media and the prohibition of personally owned removable media, which aligns with the restrictions on media use outlined in MP-7.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for physical and environmental protection, including the need for approval for exceptions to these policies.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for security and privacy, including the process for handling exceptions to these policies.

Document Content
Matched Section
Section: 1.6 ENFORCEMENT/COMPLIANCE
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment. Violation of these policies by anyone other than an employee performing services for Lazard, including anyone performing services pursuant to a contract, may be grounds for immediate termination. Lazard may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification
The text discusses the enforcement of policies and the consequences of violations, which aligns with the establishment of rules of behavior for users.

Document Content
Matched Section
Section: 1.11 DOCUMENT INFORMATION
Content: CONTACT(S): CONTACT DETAILS APPROVERS(S): Peter Keenan POSITION Chief Information Security Officer (CISO) DPO
AI Justification
The mention of the Chief Information Security Officer (CISO) aligns with the definition of the senior agency information security officer as outlined in control PM-2.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The text discusses the importance of ongoing monitoring of controls and risks to support risk management decisions, which aligns with the continuous monitoring concept outlined in PM-31.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The mention of monitoring user activity to ensure appropriate usage aligns with the account management control which includes monitoring user actions.

Document Content
Matched Section
Section: 1.0 PURPOSE
Content: As part of its business mission, Lazard procures, configures, and maintains computers, information systems, and networks. These technology resources are intended for business-related purposes, including direct and indirect support of the business units, partners, and subsidiaries.
AI Justification
The text discusses the intended use of technology resources for business-related purposes and the importance of adhering to acceptable use restrictions, which aligns with the control's focus on supporting specific business functions.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of personnel security policies and procedures, including the process for exceptions to these policies, which aligns with the requirements of PS-1.

Document Content
Matched Section
Section: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance.
Content: Control: PS-2: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program.
AI Justification
The text discusses the importance of position risk designations and their impact on personnel security, aligning with the control's focus on proper position designation as a foundation for security programs.

Document Content
Matched Section
Section: 1.6 ENFORCEMENT/COMPLIANCE
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment. Violation of these policies by anyone other than an employee performing services for Lazard, including anyone performing services pursuant to a contract, may be grounds for immediate termination. Lazard may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification
The text discusses disciplinary actions for policy violations, which aligns with the concept of organizational sanctions as described in PS-8.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures related to personally identifiable information and how they should be developed and approved, aligning with the requirements of PT-1.

Document Content
Matched Section
Section: User Agreement on Data Management and Monitoring
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Lazard managed application.
AI Justification
The chunk discusses the conditions under which personal data can be wiped or removed, which relates to the processing of personally identifiable information and the authority governing such actions.

Document Content
Matched Section
Section: Classification of Information
Content: Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability.
AI Justification
The text discusses the process of security categorization, which aligns directly with the RA-2 control regarding the identification of potential adverse impacts on organizational operations and assets.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard’s Acceptable Use Policy outlines appropriate actions when using company-owned and managed information systems, IT assets, and business applications. Attached appendices provide specific Rules of Behavior (ROB) to be acknowledged by all Lazard network users, and activities deemed inappropriate and strictly prohibited when using Lazard computing resources.
AI Justification
The text discusses the importance of policies and procedures related to system and services acquisition, which aligns with the control's focus on establishing such policies and procedures.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Lazard systems, all users should be presented a system use notification message upon login. Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The mention of monitoring system activity to maintain security and ensure legitimate usage aligns with the need for audit and accountability measures.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the derivation of security requirements and the need for documentation and approval processes for exceptions, which aligns with the control's focus on functional requirements and implementation details.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard’s Acceptable Use Policy outlines appropriate actions when using company-owned and managed information systems, IT assets, and business applications. Attached appendices provide specific Rules of Behavior (ROB) to be acknowledged by all Lazard network users, and activities deemed inappropriate and strictly prohibited when using Lazard computing resources.
AI Justification
The text discusses the importance of policies and procedures related to system and communications protection, which aligns with the control SC-1.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: When accessing Lazard systems, all users should be presented a system use notification message upon login. Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The mention of system use notification and monitoring aligns with the need for procedures that describe how policies are implemented.

Document Content
Matched Section
Section: Disseminating information about employees or lists of Lazard employees and Disseminating internal or confidential organization documents.
Content: 6. Disseminating information about employees or lists of Lazard employees (including employees of Lazard subsidiaries), contractors, and customers to any third party unless required for a valid business purpose. 7. Disseminating internal or confidential organization documents or information to external entities, outside of Lazard unless required for a valid business purpose.
AI Justification
The chunk discusses the dissemination of information about employees and internal documents, which relates to the management of personally identifiable information and the implementation of access control policies.

Document Content
Matched Section
Section: Section 3 and Section 5
Content: 3. Visiting sites by “hacking” or other means, where access is restricted by the site owner or prohibited by applicable law. 5. Opening commercial email attachments on any email systems (e.g., Yahoo, Hotmail, Gmail, etc.) other than Lazard’s email system.
AI Justification
The chunk discusses activities that could lead to the discovery and potential execution of malicious code, aligning with the need for external malicious code identification techniques and the isolation measures required to protect organizational systems.

Document Content
Matched Section
Section: Section 3 and Section 5
Content: 3. Visiting sites by “hacking” or other means, where access is restricted by the site owner or prohibited by applicable law. 5. Opening commercial email attachments on any email systems (e.g., Yahoo, Hotmail, Gmail, etc.) other than Lazard’s email system.
AI Justification
The mention of probing networks and the need for isolation measures relates to the use of decoys and honeypots to identify malicious activities.

Document Content
Matched Section
Section: Section 6-10 regarding dissemination and unauthorized actions
Content: 6. Disseminating information about employees or lists of Lazard employees (including employees of Lazard subsidiaries), contractors, and customers to any third party unless required for a valid business purpose. 7. Disseminating internal or confidential organization documents or information to external entities, outside of Lazard unless required for a valid business purpose. 8. Making unprofessional comments about Lazard in public forums, electronic or otherwise unless required for a valid business purpose or required by regulatory authorities (e.g., AML, etc.) 9. Unauthorized copying of any copyrighted material or information entrusted to the user by Lazard or subsidiaries. This does not include removable media used in the context of routine backups. 10. Attempting to breach, bypass, or disrupt Lazard systems and network communications and security protections (ports, protocols, and services).
AI Justification
The chunk discusses unauthorized dissemination of information and the protection of internal and confidential documents, which aligns with preventing unauthorized information transfer.

Document Content
Matched Section
Section: User agrees that designated staff can monitor his/her device and review any data as long as the data is stored or processed by a Lazard managed application.
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Lazard managed application.
AI Justification
The control aligns with the monitoring and data removal capabilities described in the chunk, particularly regarding the management of personal devices and the potential risks associated with data collection and monitoring.

Document Content
Matched Section
Section: Section 2 and VI. BYOD
Content: Monitoring can be conducted live or through automated programs that detect and flag unsafe practices. User may be asked and required to hand over his/her Lazard managed device as part of an internal investigation.
AI Justification
The chunk discusses monitoring and restrictions on user devices, which aligns with the control's focus on usage restrictions for system components.

Document Content
Matched Section
Section: 1.5 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for system and information integrity, including the process for handling exceptions to these policies.

Document Content
Matched Section
Section: Classification of Information
Content: Control: SI-12: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information.
AI Justification
The text discusses the importance of managing and retaining information throughout its lifecycle, which aligns with the requirements of SI-12.

Document Content
Matched Section
Section: Risk Assessment | Security Categorization
Content: Risk Assessment | Security Categorization
AI Justification
The mention of risk assessment and security categorization aligns with the RA-2 control.

Document Content
Matched Section
Section: Risk Assessment | Criticality Analysis
Content: Risk Assessment | Criticality Analysis
AI Justification
The text references criticality analysis, which is part of the RA-9 control.

Document Content
Matched Section
Section: Section 3: Activities that could introduce malicious code
Content: Visiting sites by “hacking” or other means, where access is restricted by the site owner or prohibited by applicable law. Posting Lazard information on public Internet sites such as system configurations, details of products or vendors utilized by Lazard, personally identifiable information (PII). Opening commercial email attachments on any email systems (e.g., Yahoo, Hotmail, Gmail, etc.) other than Lazard’s email system. Unauthorized downloading of software and/or files from Internet. The installation and use of peer-to-peer file sharing applications such as BitTorrent on Lazard systems. Using Lazard’s Internet to deliberately propagate any virus, worm, or any other code with malicious intent such as spyware, hacking tools, and Trojans.
AI Justification
The chunk discusses various activities that could lead to the introduction of malicious code, such as unauthorized downloading and the use of peer-to-peer applications, which aligns with the need for malicious code protection mechanisms.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: Where such messages are not able to be presented to the user, Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The text discusses the importance of monitoring system activities to maintain security and ensure appropriate usage, which aligns with the objectives of SI-4.

Document Content
Matched Section
Section: 1.2 SYSTEM USE NOTIFICATION
Content: Lazard should actively monitor the system and activity to maintain system security and availability and to ensure appropriate and legitimate usage.
AI Justification
The mention of monitoring user activities to ensure appropriate usage aligns with the need for monitoring account activities.

Document Content
Matched Section
Section: Installation of Software on User’s device.
Content: User agrees to install required software on his/her device, including but not limited to, antivirus/antimalware, operating system upgrades, and software that accesses and collects data stored in a Lazard managed application.
AI Justification
The chunk discusses the installation and management of software on user devices, which relates to monitoring and preventing unauthorized changes.

Document Content
Matched Section
Section: Section 3 and Section 5 regarding unauthorized access and email attachments.
Content: 5. Opening commercial email attachments on any email systems (e.g., Yahoo, Hotmail, Gmail, etc.) other than Lazard’s email system.
AI Justification
The chunk discusses the risks associated with unauthorized access and the use of email systems, which aligns with the need for spam protection mechanisms.

Document Content
Matched Section
Section: User Data Management and Monitoring
Content: User agrees that designated staff can, under certain circumstances, remotely copy, wipe, or otherwise remove all data from his or her personal device. This includes all personal data such as contact information, photos, and personal emails if the personal data is stored or processed by a Lazard managed application.
AI Justification
The text discusses the ability to wipe or remove data from personal devices at any time, which aligns with the concept of data disposal during the system development life cycle.
2.0_IS_Acceptable_Use_Policy.pdf NIST
102 matches found

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources. All electronic communications and stored information transmitted, received, or archived in Lazard’s information systems are the property of Lazard.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access to information resources, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access to and use of information resources, which aligns with the control's focus on managing access through attributes and data structures.

Document Content
Matched Section
Section: Rules and Standards for managing security for BYOD
Content: When using a personal device for work, the user should adhere to and be in compliance with all rules and controls outlined in this policy and its associated standard, Acceptable Use Standard.
AI Justification
The text discusses the rules and controls for using personal devices for work, which aligns with the requirements for managing mobile devices as outlined in AC-19.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts.
AI Justification
The text discusses the management of user accounts, including the prohibition of using another employee's account and the responsibilities associated with individual user accounts.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Lazard accessing, reviewing, monitoring, and/or restricting all such use. e. Lazard reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. g. User agrees that they understand that it is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The text outlines the conditions under which users consent to monitoring and access of their use of systems, which aligns with the control's focus on external systems and the organization's authority over system access.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources. All electronic communications and stored information transmitted, received, or archived in Lazard’s information systems are the property of Lazard. Lazard reserves the right to decide the methods of use, access and disclosure of all information stored, sent and received through Lazard systems.
AI Justification
The text discusses the need for policies to control access to and use of information resources, which aligns with the principles of information sharing and access restrictions.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the need for policies to control access to and use of information resources, which aligns with the requirements of an access control policy.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Lazard accessing, reviewing, monitoring, and/or restricting all such use. e. Lazard reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. g. User agrees that they understand that it is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The text outlines the conditions under which users consent to access and monitoring of their use of Lazard's systems, which relates to access control decisions.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Lazard accessing, reviewing, monitoring, and/or restricting all such use. e. Lazard reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. g. User agrees that they understand that it is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The text outlines the conditions under which users can access Lazard's systems, emphasizing monitoring and consent, which aligns with access control policies.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the need for policies to control access to and use of information resources, which aligns with the principles of information flow control.

Document Content
Matched Section
Section: USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts.
AI Justification
The chunk discusses the prohibition of accessing another employee's account and emphasizes the importance of individual responsibility for transactions, which aligns with the principle of separation of duties.

Document Content
Matched Section
Section: USER ID & PASSWORD SECURITY
Content: Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s).
AI Justification
The requirements outlined in the chunk emphasize the management of user accounts and their responsibilities, which aligns with account management practices.

Document Content
Matched Section
Section: Upon use of Lazard’s Systems
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy.
AI Justification
The text chunk outlines user consent and monitoring policies, which align with the requirements for system use notifications that inform users about the non-private nature of their system usage.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: These rules are in place to protect the employee and Lazard. Inappropriate use exposes Lazard and the employee to risks including virus attacks, compromise of network systems and services, and legal issues. It is the responsibility of every employee to know these guidelines, and to conduct their activities accordingly.
AI Justification
The text emphasizes the importance of employees being aware of guidelines to protect the organization and themselves, which aligns with the need for awareness and training policies.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of policies and procedures for audit and accountability, aligning with the AU-1 control.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: b. All use of Systems is non-private and is subject to monitoring
AI Justification
The text explicitly states that all use of systems is non-private and subject to monitoring, which aligns with the session auditing control that includes monitoring user activities.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
AI Justification
The text mentions that Lazard reserves the right to audit networks and systems, which is a key aspect of session auditing.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Lazard accessing, reviewing, monitoring, and/or restricting all such use. e. Lazard reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. g. User agrees that they understand that it is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The chunk discusses monitoring and auditing of user activities on Lazard's systems, which aligns with the need for coordinated audit logging capabilities.

Document Content
Matched Section
Section: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents the following:
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Lazard accessing, reviewing, monitoring, and/or restricting all such use. e. Lazard reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. g. User agrees that they understand that it is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The text discusses the monitoring and auditing of system usage, including user consent to monitoring and the non-private nature of system use, which aligns with the requirements for logging significant events.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: b. All use of Systems is non-private and is subject to monitoring; f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
AI Justification
The text explicitly mentions that all use of systems is subject to monitoring and that Lazard reserves the right to audit networks and systems periodically, which aligns with the requirements for audit record review and analysis.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access and use of information resources, which aligns with the need for assessment and authorization policies.

Document Content
Matched Section
Section: This policy is applicable to all Lazard employees, contractors, consultants, temporary workers, and other employees at Lazard...
Content: This policy is applicable to all Lazard employees, contractors, consultants, temporary workers, and other employees at Lazard, including all personnel affiliated with third parties who access, process, or store the organization's data as well as all Lazard information systems and assets within Lazard’s computing environments including but not limited to data centers and business workplace facilities.
AI Justification
The policy outlines the applicability to all systems and personnel accessing Lazard's data, which relates to internal system connections and the management of those connections.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access to and use of information resources, which aligns with the objectives of configuration management policies.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the need for policies to control access and use of information resources, which aligns with understanding where information is processed and stored.

Document Content
Matched Section
Section: 1.2 GENERAL USER RESPONSIBILITIES
Content: All Systems and information contained on those systems are the property of Lazard and constitute valuable business assets of Lazard. Lazard provides users with access to these Systems for appropriate business-related use.
AI Justification
The policy outlines the applicability to all personnel and systems within Lazard, emphasizing the importance of accountability and compliance with the management of information systems and assets.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access to information resources, which aligns with the need for contingency planning policies.

Document Content
Matched Section
Section: 8.0 Access Control Policy
Content: Control: CP-13: Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternative or supplemental security mechanisms.
AI Justification
The text discusses the importance of alternative or supplemental security mechanisms for ensuring mission and business continuity, which aligns directly with CP-13.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources. All electronic communications and stored information transmitted, received, or archived in Lazard’s information systems are the property of Lazard.
AI Justification
The chunk discusses the importance of protecting information resources and outlines the responsibilities of employees regarding the use and access of information, which aligns with the need for system-level information protection and backup requirements.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access to and use of information resources, which aligns with the identification and authentication policy and procedures.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts. The following requirements should be followed: a) All Users should use only those IDs that have been assigned for their use. b) Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). c) A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Lazard’s Systems. Disclosing passwords is a serious security violation. d) Approved privileged access accounts that access other employee user’s accounts for auditing, configuration or monitoring purposes should be created in accordance with all other IT and IS policies.
AI Justification
The chunk discusses the importance of user ID and password security, which relates to the need for adaptive authentication mechanisms to assess suspicious behavior and protect against unauthorized access.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts. The following requirements should be followed: a) All Users should use only those IDs that have been assigned for their use. b) Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). c) A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Lazard’s Systems. Disclosing passwords is a serious security violation. d) Approved privileged access accounts that access other employee user’s accounts for auditing, configuration or monitoring purposes should be created in accordance with all other IT and IS policies.
AI Justification
The chunk discusses user ID and password security, emphasizing the importance of using assigned IDs and protecting passwords, which aligns with the need for re-authentication in certain situations.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts. The following requirements should be followed: a) All Users should use only those IDs that have been assigned for their use. b) Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). c) A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Lazard’s Systems. Disclosing passwords is a serious security violation. d) Approved privileged access accounts that access other employee user’s accounts for auditing, configuration or monitoring purposes should be created in accordance with all other IT and IS policies.
AI Justification
The text outlines the requirements for user identification and authentication, emphasizing the responsibility of users for their assigned IDs and the protection of passwords.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts.
AI Justification
The section discusses user IDs and the responsibilities associated with them, which aligns with the management of individual identifiers as described in IA-4.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s).
AI Justification
The requirements outlined for user IDs and the responsibilities of users align with the account management activities described in AC-2.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts.
AI Justification
The chunk discusses the importance of user IDs and passwords, emphasizing the responsibility of users to protect their passwords and the prohibition of sharing accounts, which aligns with the requirements for authenticators.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Lazard’s Systems.
AI Justification
The section outlines user responsibilities regarding the protection of passwords and the consequences of disclosing them, which aligns with the control's focus on establishing rules for acceptable behavior.

Document Content
Matched Section
Section: USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts. The following requirements should be followed: a) All Users should use only those IDs that have been assigned for their use. b) Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). c) A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Lazard’s Systems. Disclosing passwords is a serious security violation. d) Approved privileged access accounts that access other employee user’s accounts for auditing, configuration or monitoring purposes should be created in accordance with all other IT and IS policies.
AI Justification
The section discusses the importance of using assigned user IDs and protecting passwords, which aligns with the need for authentication mechanisms to verify user identity and authorization.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts. The following requirements should be followed: a) All Users should use only those IDs that have been assigned for their use. b) Each User should be aware that they are responsible for all transactions made under the authorization of his/her system account(s). c) A User should protect his/her password as outlined in the Acceptable Use Standards in order to further enhance security of Lazard’s Systems. Disclosing passwords is a serious security violation. d) Approved privileged access accounts that access other employee user’s accounts for auditing, configuration or monitoring purposes should be created in accordance with all other IT and IS policies.
AI Justification
The section outlines the requirement for users to use only assigned IDs and emphasizes the responsibility of users for transactions made under their accounts, which aligns with the need for unique identification and authentication of users.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the importance of incident response policies and procedures, including the need for documentation and approval processes for exceptions, which aligns with the requirements of control IR-1.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the importance of maintenance policies and procedures in relation to security and privacy assurance, which aligns with the control's focus on establishing such policies and procedures.

Document Content
Matched Section
Section: MAINTENANCE
Content: A periodical review for this standard and the associated core documents should be performed to identify and implement measures for improvement. The minimal interval for this review is annually from the date of last approval.
AI Justification
The text discusses responsibilities related to system maintenance and the need for periodical reviews, which aligns with the control's focus on maintaining effective records and addressing security aspects of system maintenance.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access to and use of information resources, which aligns with the requirements of MP-1.

Document Content
Matched Section
Section: 1.12 REMOVEABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Lazard and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The chunk discusses the use of removable storage devices and the associated risks, aligning with the definition of digital media and the need for access control.

Document Content
Matched Section
Section: 1.12 REMOVEABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Lazard and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The section discusses the use of removable storage devices and the associated risks, aligning with the need to control and protect media.

Document Content
Matched Section
Section: 1.12 REMOVEABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Lazard and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The section discusses the use of removable storage devices and the associated risks, which aligns with the control's focus on protecting system media during transport.

Document Content
Matched Section
Section: 1.12 REMOVEABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Lazard and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The text discusses the risks associated with removable storage devices and emphasizes the need for permission and governance, which aligns with the media sanitization control that ensures proper handling and disposal of media.

Document Content
Matched Section
Section: 1.12 REMOVEABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Lazard and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The section discusses the use and restrictions of removable storage devices, aligning with the control's focus on protecting system media.

Document Content
Matched Section
Section: 1.12 REMOVEABLE STORAGE DEVICES
Content: The use of removable storage devices creates an inherent risk to Lazard and business partner’s intellectual data. However, the benefits to these devices are also widely known. All types of removable storage devices as described in the General User Responsibilities section above may be used only with the permission of the IT and Information Security departments.
AI Justification
The section discusses the risks associated with removable storage devices and implies the need for controls around their use, which aligns with the media downgrading process to protect sensitive information.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access and use of information resources, which aligns with the need for physical and environmental protection policies.

Document Content
Matched Section
Section: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents the following:
Content: b. All use of Systems is non-private and is subject to monitoring
AI Justification
The text indicates that all use of systems is subject to monitoring, which aligns with the requirement for physical access monitoring, including the review of access logs and monitoring of user activities.

Document Content
Matched Section
Section: Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Content: f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
AI Justification
The mention of the right to audit networks and systems periodically aligns with the need for audit logging controls to support monitoring activities.

Document Content
Matched Section
Section: 1.17 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee.
AI Justification
The text discusses the importance of having policies and procedures for security and privacy, including the process for handling exceptions to these policies.

Document Content
Matched Section
Section: Control Baselines
Content: Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline.
AI Justification
The text discusses the importance of control baselines and their role in addressing protection needs, which aligns directly with the definition and purpose of PL-10.

Document Content
Matched Section
Section: Control: PL-11
Content: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success.
AI Justification
The text discusses the concept of tailoring controls to meet specific organizational needs, which aligns with the control's focus on customizing baseline controls.

Document Content
Matched Section
Section: Roles & Responsibilities
Content: When using a personal device for work, the user should adhere to and be in compliance with all rules and controls outlined in this policy and its associated standard, Acceptable Use Standard.
AI Justification
The text discusses adherence to rules and controls, which aligns with the concept of rules of behavior for organizational users.

Document Content
Matched Section
Section: Roles & Responsibilities
Content: Rules and Standards for managing security for BYOD can be found in the Acceptable Use Standard.
AI Justification
The mention of rules and standards for managing security for BYOD aligns with the need for clear communication of acceptable use policies.

Document Content
Matched Section
Section: Section 2.1 Acceptable Use Standard and Access Control Policy
Content: The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7, which are integral to and developed as part of the enterprise architecture.
AI Justification
The text discusses the importance of security and privacy architectures being consistent with organization-wide architectures, which aligns with control PL-8.

Document Content
Matched Section
Section: Section 2.1 Acceptable Use Standard and Access Control Policy
Content: In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators.
AI Justification
The text mentions the need for consistency with the organization’s enterprise architecture and security and privacy architectures when outsourcing development to external entities, which aligns with control SA-17.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the need for policies to control access and use of information resources, which aligns with the protection needs outlined in PM-11.

Document Content
Matched Section
Section: Insider threat programs include controls to detect and prevent malicious insider activity...
Content: Organizations that handle classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems.
AI Justification
The text discusses the establishment and requirements of insider threat programs, which aligns directly with control PM-12.

Document Content
Matched Section
Section: 2.1 Acceptable Use Standard and 8.0 Access Control Policy
Content: A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated.
AI Justification
The text discusses the importance of a coordinated approach to security and privacy testing, training, and monitoring activities across the organization, which aligns with the intent of PM-14.

Document Content
Matched Section
Section: 2.1 Acceptable Use Standard and 8.0 Access Control Policy
Content: Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements.
AI Justification
The mention of security and privacy training activities indicates a focus on training, which aligns with SA-20.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of policies and procedures to protect employees and the organization, aligning with the need for personnel security policies.

Document Content
Matched Section
Section: 2.1 Acceptable Use Standard and 8.0 Access Control Policy
Content: Control: PS-2: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.
AI Justification
The text discusses the importance of position risk designations and their alignment with OPM policy, which is directly related to the control PS-2.

Document Content
Matched Section
Section: User Consent and Acknowledgment
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Lazard accessing, reviewing, monitoring, and/or restricting all such use. e. Lazard reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. g. User agrees that they understand that it is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The text outlines user consent and acknowledgment of monitoring and privacy policies, which aligns with the requirements for access agreements.

Document Content
Matched Section
Section: This policy is applicable to all Lazard employees, contractors, consultants, temporary workers, and other employees at Lazard, including all personnel affiliated with third parties.
Content: This policy is applicable to all Lazard employees, contractors, consultants, temporary workers, and other employees at Lazard, including all personnel affiliated with third parties who access, process, or store the organization's data as well as all Lazard information systems and assets within Lazard’s computing environments including but not limited to data centers and business workplace facilities.
AI Justification
The policy explicitly includes contractors and third-party personnel who access, process, or store the organization's data, aligning with the definition of external providers.

Document Content
Matched Section
Section: 1.18 ENFORCEMENT/COMPLIANCE
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment. Violation of these policies by anyone other than an employee performing services for Lazard, including anyone performing services pursuant to a contract, may be grounds for immediate termination. Lazard may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification
The text discusses disciplinary actions for policy violations, which aligns with the control's focus on organizational sanctions reflecting applicable laws and policies.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of policies and procedures in controlling access to and use of information resources, which aligns with the requirements for managing personally identifiable information.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Lazard accessing, reviewing, monitoring, and/or restricting all such use. e. Lazard reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. g. User agrees that they understand that it is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The text discusses user consent regarding the use of Lazard's systems, including the acknowledgment of monitoring and lack of privacy, which aligns with the principles of consent outlined in control PT-4.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access and use of information resources, which aligns with the need for risk assessment policies and procedures.

Document Content
Matched Section
Section: 2.1 Acceptable Use Standard
Content: Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted.
AI Justification
The text discusses the security categorization process, its importance, and the involvement of various stakeholders, which aligns with the RA-2 control.

Document Content
Matched Section
Section: Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets.
Content: Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.
AI Justification
The text discusses the importance of risk assessments, including considerations of threats, vulnerabilities, and impacts, which aligns with the RA-3 control.

Document Content
Matched Section
Section: Risk assessments can also be conducted at various steps in the Risk Management Framework.
Content: Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring.
AI Justification
The text mentions conducting risk assessments at various stages in the Risk Management Framework, which aligns with the RA-2 control.

Document Content
Matched Section
Section: Risk assessments can play an important role in control selection processes.
Content: Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.
AI Justification
The text indicates that risk assessments can play an important role in control selection processes, which aligns with the RA-9 control.

Document Content
Matched Section
Section: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring, including the categorization of information and systems, and the processes involved in identifying and addressing vulnerabilities.

Document Content
Matched Section
Section: Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring.
Content: Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans).
AI Justification
The text emphasizes the need for security categorization of information and systems to guide vulnerability monitoring efforts.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies that control access to and use of information resources, which aligns with the acquisition policies and procedures.

Document Content
Matched Section
Section: Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded.
Content: Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design.
AI Justification
The text discusses the importance of criticality analysis in identifying and prioritizing system components and functions that require protection, which aligns with the intent of RA-9.

Document Content
Matched Section
Section: Such analysis is conducted as part of security categorization in RA-2.
Content: Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.
AI Justification
The text mentions that criticality analysis of information is an important consideration and is conducted as part of security categorization, which aligns with RA-2.

Document Content
Matched Section
Section: 2.1 Acceptable Use Standard and 8.0 Access Control Policy
Content: Control: SA-10: Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
AI Justification
The chunk discusses configuration management activities and the importance of maintaining the integrity of changes throughout the system development life cycle, which aligns with the control's focus on effective security controls and configuration management.

Document Content
Matched Section
Section: Developmental testing and evaluation confirms that the required controls are implemented correctly...
Content: Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components...
AI Justification
The text discusses the importance of developmental testing and evaluation to ensure that security and privacy controls are implemented correctly and function as intended, which aligns with the requirements of SA-11.

Document Content
Matched Section
Section: Access Control Policy
Content: Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed.
AI Justification
The text discusses the need for organizations to determine the trustworthiness of system components and the potential for reimplementation or custom development to mitigate risks, which aligns directly with control SA-20.

Document Content
Matched Section
Section: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2.
Content: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack.
AI Justification
The text discusses the derivation of security and privacy functional requirements from high-level requirements, which aligns with SA-4.

Document Content
Matched Section
Section: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2.
Content: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2.
AI Justification
The text references high-level security and privacy requirements, which are foundational to the allocation of resources as described in SA-2.

Document Content
Matched Section
Section: Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization.
Content: Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders.
AI Justification
The text discusses the selection and implementation of controls, which aligns with the customization of development processes for critical components.

Document Content
Matched Section
Section: Control: SA-8: Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle
Content: Control: SA-8: Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades.
AI Justification
The text discusses the implementation of systems security and privacy engineering principles throughout the system development life cycle, which aligns directly with control SA-8.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources. All electronic communications and stored information transmitted, received, or archived in Lazard’s information systems are the property of Lazard.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access to and use of information resources, aligning with the need for a system and communications protection policy.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining and implementing policies to control access and use of information resources, which aligns with the management of security and privacy attributes.

Document Content
Matched Section
Section: 1.11 USER ID & PASSWORD SECURITY
Content: Accessing Lazard’s computer systems, networks or applications using another employee’s user account is strictly prohibited with the exception of certain approved privileged access accounts.
AI Justification
The chunk discusses the prohibition of accessing another employee's account and emphasizes the importance of using assigned user IDs, which aligns with the need for separation of user functions from system management functions.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources. All electronic communications and stored information transmitted, received, or archived in Lazard’s information systems are the property of Lazard.
AI Justification
The section discusses the protection of stored information and the responsibilities of employees regarding the use and access of information resources, which aligns with the control's focus on confidentiality and integrity of information at rest.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources. All electronic communications and stored information transmitted, received, or archived in Lazard’s information systems are the property of Lazard.
AI Justification
The text discusses the importance of controlling access to and use of information resources, which aligns with preventing unauthorized information transfer via shared system resources.

Document Content
Matched Section
Section: 1.14 BRING YOUR OWN DEVICE (BYOD)
Content: Personal devices used for work are permitted with prior approval and fall under the same safeguards and controls as Lazard-owned equipment to ensure that Lazard networks and data remain safe and protected.
AI Justification
The chunk discusses the use of personal devices for work, which aligns with the control's focus on mobile devices and their capabilities, including security concerns.

Document Content
Matched Section
Section: 1.3 ACCEPTABLE USE
Content: The private use of Lazard’s Systems is prohibited. General Rules of Behavior and related standards and best practices for Lazard Acceptable Use can be found in the Acceptable Use Standards document.
AI Justification
The text outlines the restrictions on the private use of systems and emphasizes compliance with access control policies, which aligns with the usage restrictions for system components.

Document Content
Matched Section
Section: 1.4 SECURITY & PROPRIETARY INFORMATION
Content: All mobile and computing devices that connect to the internal network should comply with the Access Control Policy.
AI Justification
The text mentions that all mobile and computing devices must comply with the Access Control Policy, indicating a structured approach to access control.

Document Content
Matched Section
Section: Development of Lazard Internet sites and Internet activities through access to Lazard Systems.
Content: Development of Lazard Internet sites should provide for data confidentiality, availability, and integrity of data during transmissions and at rest. All systems on the Lazard network that are connected to the Internet (or other external parties) should be operated in a secure manner. Internet activities through access to Lazard Systems are subject to controlling or monitoring measures.
AI Justification
The text discusses the secure operation of systems connected to the Internet and the monitoring of Internet activities, which aligns with the control's focus on managing interfaces and restricting external traffic.

Document Content
Matched Section
Section: 2.1 Acceptable Use Standard
Content: Control: SC-8: Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios.
AI Justification
The text discusses the importance of protecting the confidentiality and integrity of transmitted information, which aligns directly with control SC-8.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control the access to and use of their information resources.
AI Justification
The text discusses the importance of defining, documenting, implementing, and maintaining policies to control access to information resources, which aligns with the requirements of SI-1.

Document Content
Matched Section
Section: Section 1.5 ORGANIZATIONALLY OWNED & MANAGED INFO SYSTEMS & ASSETS
Content: Employees should NOT reveal any Lazard restricted, confidential, internal only, proprietary information, trade secrets or any other sensitive material covered by Data Security classification policy.
AI Justification
The text discusses the importance of protecting sensitive information and preventing unauthorized access or exfiltration, which aligns with the objectives of SI-20.

Document Content
Matched Section
Section: 2.1 Acceptable Use Standard
Content: Control: SI-4: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.
AI Justification
The chunk discusses various aspects of system monitoring, including internal and external monitoring, the tools used, and the importance of monitoring in incident response programs.

Document Content
Matched Section
Section: User Consent and Monitoring Policy
Content: Upon use of Lazard’s Systems, be it directly or indirectly, the user consents to the following: a. Their use relates to Lazard and its business, or the employment relationship between Lazard and its personnel. b. All use of Systems is non-private and is subject to monitoring. c. Users accept they have no right to privacy. d. Subject to any local laws that may apply, any User of the Systems will be deemed to have consented to Lazard accessing, reviewing, monitoring, and/or restricting all such use. e. Lazard reserves the right to access and/or view a user’s voice and electronic mailboxes and computer files at will. f. Lazard reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. g. User agrees that they understand that it is mandatory for all Lazard users to comply with this policy while serving Lazard’s business.
AI Justification
The text discusses user consent and monitoring of systems, which relates to the transitional states and notifications of system usage.

Document Content
Matched Section
Section: Supply Chain Risk Management
Content: The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain.
AI Justification
The text discusses the complexities and requirements of managing supply chain risks, which aligns directly with the control's focus on external providers and the associated risks.

Document Content
Matched Section
Section: Supply Chain Risk Management
Content: Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes.
AI Justification
The text mentions the need for tailored SCRM plans and the development of trustworthy, secure, and resilient system components, which aligns with the control's focus on acquisition and development.
19.0_IS_Cloud_Computing_Security_Policy.pdf NIST
87 matches found

Document Content
Matched Section
Section: 1.7 CLOUD SYSTEMS
Content: Access to Cloud Systems and Services should be authorized and require business justification.
AI Justification
The chunk discusses the need for authorization and security measures related to access to cloud systems, which aligns with the principles of remote access control.

Document Content
Matched Section
Section: 1.7 CLOUD SYSTEMS
Content: Connectivity to cloud systems should require appropriate ingress/egress network rules to only permit authorized traffic.
AI Justification
The mention of requiring appropriate ingress/egress network rules to permit authorized traffic aligns with access enforcement controls.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The document discusses confidentiality and restrictions on information sharing, which aligns with the control's focus on restricted information and sharing protocols.

Document Content
Matched Section
Section: External entities using Lazard cloud services
Content: External entities using Lazard cloud services are subject to Lazard’s IT & IS policies, controls, and contractual requirements (e.g., SOW, MSA) as specified in service agreements.
AI Justification
The text discusses the policies and controls that external entities must adhere to when using Lazard's cloud services, aligning with the control's focus on external systems and their management.

Document Content
Matched Section
Section: 1.12 GOVERNANCE
Content: Lazard’s Cloud Security Program should be governed by the Information Security Team based on NIST recommended security practices and defined security controls, as established by the CSA and CIS.
AI Justification
The chunk discusses governance and compliance roles which align with the concept of separation of duties by defining distinct roles and responsibilities within the cloud security program.

Document Content
Matched Section
Section: Roles and Responsibilities for Cloud Security Program Governance
Content: The following roles are primary stakeholders for the governance of Lazard’s Cloud Security Program and Cloud services architecture. These functions work collaboratively with business units, functional leads, and the Program Management Office to manage the needs of the program.
AI Justification
The text discusses roles and responsibilities related to governance and management of cloud security, which aligns with the principle of least privilege by ensuring that designated roles have appropriate access levels necessary for their functions.

Document Content
Matched Section
Section: CLOUD SECURITY TRAINING & AWARENESS
Content: The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters (e.g., DDoS attack, phishing, identity spoofing). Cloud security incident response procedures should follow the Incident Response management policy.
AI Justification
The text discusses the need for training and awareness regarding security incidents, which aligns with the requirements for literacy training and awareness as outlined in control AT-2.

Document Content
Matched Section
Section: 1.12 GOVERNANCE
Content: Lazard’s Cloud Security Program should be governed by the Information Security Team based on NIST recommended security practices and defined security controls, as established by the CSA and CIS.
AI Justification
The text discusses the importance of role-based training for individuals based on their roles and responsibilities, which aligns with the requirements of AT-3.

Document Content
Matched Section
Section: The Information Security Team should oversee the Cloud Security Program
Content: The Information Security Team should oversee the Cloud Security Program, with support from other departments and business units. Lazard’s Cloud Security Program should ensure the security of cloud-based systems and data, monitor and analyze cloud security risk and violations, and ensure they are addressed and mitigated accordingly.
AI Justification
The text discusses the importance of audit and accountability policies and procedures in the context of security and privacy assurance, which aligns with the AU-1 control.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC (“Lazard”) and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The chunk discusses the confidentiality of the document and the restrictions on its use and disclosure, which aligns with the control regarding unauthorized disclosure of information.

Document Content
Matched Section
Section: 1.7 CLOUD SYSTEMS
Content: Access to Cloud Systems and Services should be authorized and require business justification.
AI Justification
The chunk discusses the requirements for access and authorization related to cloud systems and services, which aligns with the control's focus on information exchanges between systems.

Document Content
Matched Section
Section: 1.7 CLOUD SYSTEMS
Content: Access to Cloud Systems and Services should be authorized and require business justification.
AI Justification
The mention of authorizing access to cloud systems and the need for business justification aligns with the control's emphasis on joint authorization for systems exchanging information.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: The purpose of this policy is to ensure that Lazard data is appropriately handled, stored, and processed when using cloud computing and/or file sharing services. This policy defines the framework and structured activities associated with security protections and safeguards for cloud-supported activities that protect Lazard's cloud-based information systems, networks, data, databases, and other information assets.
AI Justification
The text discusses the importance of having a policy that ensures the appropriate handling, storage, and processing of data, which aligns with the need for configuration management policies and procedures.

Document Content
Matched Section
Section: Data destruction procedures and handling of data throughout the service lifecycle.
Content: Cloud Service providers should implement adequate data destruction procedures to ensure protection of data throughout the service lifecycle. When data is no longer needed or has exceeded the requirement retention period, the data should be destroyed from the cloud environment in accordance with its classification.
AI Justification
The text discusses data destruction procedures and the handling of data throughout its lifecycle, which aligns with the control's focus on processing personally identifiable information and the importance of understanding data actions.

Document Content
Matched Section
Section: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems.
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems. Compliance with cloud security baseline requirements should be reassessed at least annually or upon architectural changes.
AI Justification
The text discusses the establishment and reassessment of baseline security control requirements for cloud applications and systems, which aligns with the definition of baseline configurations.

Document Content
Matched Section
Section: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems.
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems. Compliance with cloud security baseline requirements should be reassessed at least annually or upon architectural changes.
AI Justification
The text requires baseline security control requirements and their reassessment at least annually or upon architectural changes. The reassessment trigger on architectural change is what relates it to configuration change control; the chunk itself does not describe a change proposal or approval process.

Document Content
Matched Section
Section: Changes to cloud security systems and procedures
Content: Changes to cloud security systems and procedures should be formally requested, evaluated, approved, documented, and communicated for audit and compliance purposes in accordance with all Lazard IT policies.
AI Justification
The chunk discusses the formal request, evaluation, approval, documentation, and communication of changes to cloud security systems, which aligns with the need for controlled changes as outlined in CM-5.

Document Content
Matched Section
Section: Baseline security control requirements
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems. Compliance with cloud security baseline requirements should be reassessed at least annually or upon architectural changes.
AI Justification
The text discusses the establishment of baseline security control requirements for cloud applications and systems, which aligns with the definition of configuration settings that affect security posture.

Document Content
Matched Section
Section: deviations from standard security baseline configurations
Content: In addition, deviations from standard security baseline configurations should be authorized by Lazard Information Security Team prior to deployment, provisioning, or integration in accordance with the Lazard IT policy.
AI Justification
The mention of authorization by the Lazard Information Security Team prior to deployment aligns with access control measures.

Document Content
Matched Section
Section: Section 7: All applications and systems utilizing a Cloud Service Provider should make sure availability, redundancy, and disaster recovery requirements are met by the Cloud Service Provider in accordance with Lazard's Business Continuity Policy.
Content: All applications and systems utilizing a Cloud Service Provider should make sure availability, redundancy, and disaster recovery requirements are met by the Cloud Service Provider in accordance with Lazard's Business Continuity Policy.
AI Justification
The text discusses the importance of ensuring availability, redundancy, and disaster recovery requirements, which aligns with the recovery and reconstitution activities outlined in CP-10.

Document Content
Matched Section
Section: Section 7: All applications and systems utilizing a Cloud Service Provider should make sure availability, redundancy, and disaster recovery requirements are met by the Cloud Service Provider in accordance with Lazard's Business Continuity Policy.
Content: All applications and systems utilizing a Cloud Service Provider should make sure availability, redundancy, and disaster recovery requirements are met by the Cloud Service Provider in accordance with Lazard's Business Continuity Policy.
AI Justification
The text discusses the need for availability, redundancy, and disaster recovery requirements from Cloud Service Providers, which aligns with the concept of alternate storage sites ensuring continuity in case of a primary site failure.

Document Content
Matched Section
Section: Section 7: All applications and systems utilizing a Cloud Service Provider should make sure availability, redundancy, and disaster recovery requirements are met by the Cloud Service Provider in accordance with Lazard's Business Continuity Policy.
Content: All applications and systems utilizing a Cloud Service Provider should make sure availability, redundancy, and disaster recovery requirements are met by the Cloud Service Provider in accordance with Lazard's Business Continuity Policy.
AI Justification
The text discusses the need for cloud service providers to ensure availability, redundancy, and disaster recovery, which aligns with the requirements for alternate processing sites to maintain essential functions during disruptions.

Document Content
Matched Section
Section: Exit Strategy for Data Management
Content: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends.
AI Justification
The exit strategy for recovering, transferring, or destroying data aligns with the need to protect system-level information and ensure secure data disposal.

Document Content
Matched Section
Section: The Information Security Team should enforce compliance with the Lazard IS 8.0 Access Control & Identity Management policy for accessing Lazard systems, networks, applications, and files implemented in cloud services.
Content: The Information Security Team should enforce compliance with the Lazard IS 8.0 Access Control & Identity Management policy for accessing Lazard systems, networks, applications, and files implemented in cloud services, both locally and remotely, including passwords and other cloud security access controls, to include authentication of Lazard and non-Lazard users.
AI Justification
The text discusses the enforcement of access control and identity management policies, which aligns with the identification and authentication requirements outlined in IA-2.

Document Content
Matched Section
Section: CLOUD SECURITY TRAINING & AWARENESS
Content: The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters (e.g., DDoS attack, phishing, identity spoofing). Cloud security incident response procedures should follow the Incident Response management policy.
AI Justification
The text requires a documented, formal process for identifying and responding to cloud perimeter breaches, following the Incident Response management policy. It does not mention incident response training, so the alignment with IR-2 (incident response training) is indirect.

Document Content
Matched Section
Section: a. The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters.
Content: The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters (e.g., DDoS attack, phishing, identity spoofing). Cloud security incident response procedures should follow the Incident Response management policy.
AI Justification
The text requires a formal process for identifying and responding to potential breaches. It does not mention exercising or testing that process, so the alignment with incident response testing is indirect.

Document Content
Matched Section
Section: a. The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters
Content: a. The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters (e.g., DDoS attack, phishing, identity spoofing). Cloud security incident response procedures should follow the Incident Response management policy.
AI Justification
The text discusses the enforcement and documentation of a formal process for identifying and responding to potential breaches, which aligns with the incident response capabilities outlined in control IR-4.

Document Content
Matched Section
Section: b. Steps taken when managing a cloud security incident should be documented
Content: b. Steps taken when managing a cloud security incident should be documented and should apply to all cloud environments, internal, hybrid and/or public clouds in accordance with the Lazard’s IS Incident Management Policy.
AI Justification
The requirement to document steps taken when managing a cloud security incident aligns with the need for coordination and documentation in incident response as specified in control IR-4.

Document Content
Matched Section
Section: a. The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach...
Content: a. The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters (e.g., DDoS attack, phishing, identity spoofing). Cloud security incident response procedures should follow the Incident Response management policy.
AI Justification
The text requires a documented formal process for identifying and responding to breaches, which relates to IR-5 (incident monitoring) insofar as identification and documentation of incidents are part of that process.

Document Content
Matched Section
Section: a. The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters.
Content: The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters (e.g., DDoS attack, phishing, identity spoofing). Cloud security incident response procedures should follow the Incident Response management policy.
AI Justification
The text discusses the formal process for identifying and responding to potential breaches, which aligns with the requirements for incident reporting and the content of reports.

Document Content
Matched Section
Section: Incident Response Procedures
Content: The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters (e.g., DDoS attack, phishing, identity spoofing). Cloud security incident response procedures should follow the Incident Response management policy.
AI Justification
The text discusses the formal process for identifying and responding to potential breaches, which aligns with the need for incident response support resources.

Document Content
Matched Section
Section: a. The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters.
Content: a. The Information Security Team should enforce, comply, and document a formal process for identifying and responding to a potential breach in cloud-based network perimeters (e.g., DDoS attack, phishing, identity spoofing). Cloud security incident response procedures should follow the Incident Response management policy.
AI Justification
The text discusses the formal process for identifying and responding to potential breaches, which aligns with the need for a coordinated approach to incident response as outlined in control IR-8.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The chunk discusses document classification and the handling of confidential information, which aligns with the concept of security marking as defined in control MP-3.

Document Content
Matched Section
Section: Data destruction procedures for cloud service providers
Content: Cloud Service providers should implement adequate data destruction procedures to ensure protection of data throughout the service lifecycle. When data is no longer needed or has exceeded the requirement retention period, the data should be destroyed from the cloud environment in accordance with its classification.
AI Justification
The text discusses the need for data destruction procedures and the importance of destroying data that is no longer needed, which aligns with the media sanitization control.

Document Content
Matched Section
Section: Data Destruction Procedures
Content: Cloud Service providers should implement adequate data destruction procedures to ensure protection of data throughout the service lifecycle. When data is no longer needed or has exceeded the requirement retention period, the data should be destroyed from the cloud environment in accordance with its classification.
AI Justification
The text discusses data destruction procedures and the need to destroy data in accordance with its classification, which aligns with the concept of downgrading media to ensure that sensitive information is not retrievable.

Document Content
Matched Section
Section: 1.12 GOVERNANCE
Content: Lazard’s Cloud Security Program should be governed by the Information Security Team based on NIST recommended security practices and defined security controls, as established by the CSA and CIS.
AI Justification
The text discusses the governance of a Cloud Security Program based on NIST recommended security practices and defined security controls, which aligns with the concept of control baselines as a starting point for protection.

Document Content
Matched Section
Section: 1.12 GOVERNANCE
Content: Cloud security artifacts and system documentation are to be maintained with each business unit by the assigned system and Application Owners.
AI Justification
The text requires that cloud security artifacts and system documentation be maintained within each business unit by the assigned system and Application Owners. It does not describe tailoring of controls to mission or business requirements, so the alignment with control tailoring is indirect.

Document Content
Matched Section
Section: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems.
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems. Compliance with cloud security baseline requirements should be reassessed at least annually or upon architectural changes.
AI Justification
The text discusses the establishment of baseline security control requirements for cloud applications and systems, which aligns with the concept of tailoring controls to meet specific organizational needs.

Document Content
Matched Section
Section: 1.5 CLOUD SECURITY MANAGEMENT
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems.
AI Justification
The text discusses the establishment of baseline security control requirements for cloud applications and systems, which aligns with the need for security and privacy plans that outline requirements and controls.

Document Content
Matched Section
Section: Cloud Security Program Management
Content: The Information Security Team should oversee the Cloud Security Program, with support from other departments and business units. Lazard’s Cloud Security Program should ensure the security of cloud-based systems and data, monitor, and analyze cloud security risk and violations, and ensure they are addressed and mitigated, accordingly.
AI Justification
The text discusses the oversight and management of the Cloud Security Program, which aligns with the requirements for an information security program plan as described in PM-1.

Document Content
Matched Section
Section: Access Control Compliance
Content: The Information Security Team should enforce compliance with the Lazard IS 8.0 Access Control & Identity Management policy for accessing Lazard systems, networks, applications, and files implemented in cloud services, both locally and remotely, including passwords and other cloud security access controls, to include authentication of Lazard and non-Lazard users.
AI Justification
The text mentions enforcing compliance with access control policies for cloud services, which aligns with the access control requirements.

Document Content
Matched Section
Section: Authorization processes for organizational systems and environments of operation
Content: implemented, to ensure the development and/or acquisition of new managed cloud services /service models have been pre-authorized by the organization's business leadership or other accountable business role or function.
AI Justification
The text discusses the need for pre-authorization by business leadership for new managed cloud services, which aligns with the requirement for authorization processes.

Document Content
Matched Section
Section: Processes, procedures, and controls to safeguard Lazard’s enterprise infrastructure.
Content: The Information Security Team should establish or amend a Lazard policy for accessing systems, applications, and data implemented in the cloud, including cloud authentication and credential management for Lazard and non-Lazard users.
AI Justification
The text discusses the need for processes and procedures for safeguarding infrastructure, which aligns with the need for organization-wide security and privacy testing and training.

Document Content
Matched Section
Section: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment.
Content: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment, as applicable to all cloud environments.
AI Justification
The requirement to periodically assess internal and external threats and vulnerabilities across all cloud environments aligns with the need for ongoing assessment and monitoring activities.

Document Content
Matched Section
Section: Roles and Responsibilities for Governance of Cloud Security Program
Content: The following roles are primary stakeholders for the governance of Lazard’s Cloud Security Program and Cloud services architecture. These functions work collaboratively with business units, functional leads, and the Program Management Office to manage the needs of the program.
AI Justification
The text describes the roles and responsibilities related to governance and oversight of the Cloud Security Program, which aligns with the role of a senior information security officer.

Document Content
Matched Section
Section: 1.12 GOVERNANCE
Content: Lazard’s Cloud Security Program should be governed by the Information Security Team based on NIST recommended security practices and defined security controls, as established by the CSA and CIS.
AI Justification
The text assigns governance of the Cloud Security Program to the Information Security Team. It concerns program governance rather than data governance, so the alignment with a Data Governance Body as described in PM-23 is indirect.

Document Content
Matched Section
Section: 1.12 GOVERNANCE
Content: Lazard’s Cloud Security Program should be governed by the Information Security Team based on NIST recommended security practices and defined security controls, as established by the CSA and CIS.
AI Justification
The text discusses governance of the Cloud Security Program by the Information Security Team, which aligns with the establishment of champions for information security and privacy.

Document Content
Matched Section
Section: Lazard System and Application Owners should prepare and record system security architecture and design documents with a focus on cloud services.
Content: Lazard System and Application Owners should prepare and record system security architecture and design documents with a focus on cloud services and facilitate maintenance and review of those plans.
AI Justification
The text requires System and Application Owners to prepare, maintain and review system security architecture and design documents for cloud services, which supports ensuring systems meet their intended mission and identifying potential exposures.

Document Content
Matched Section
Section: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment.
Content: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment, as applicable to all cloud environments.
AI Justification
The requirement to periodically assess internal and external threats and vulnerabilities across all cloud environments aligns with the need for regular vulnerability assessments.

Document Content
Matched Section
Section: External entities using Lazard cloud services
Content: External entities using Lazard cloud services are subject to Lazard’s IT4 & IS policies, controls, and contractual requirements (e.g., SOW, MSA) as specified in service agreements.
AI Justification
The text discusses external entities using Lazard cloud services and their compliance with Lazard's policies and contractual requirements, which aligns with the control's focus on managing external providers.

Document Content
Matched Section
Section: Non-Compliance
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The text discusses disciplinary actions for policy violations, which aligns with the concept of organizational sanctions as described in PS-8.

Document Content
Matched Section
Section: Table 3 - Cloud Security Roles
Content: Application Owner Cloud Service Provider
AI Justification
The chunk discusses the roles of Application Owners and Cloud Service Providers, which aligns with the specification of security and privacy roles in organizational position descriptions.

Document Content
Matched Section
Section: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring and the processes involved in identifying and addressing vulnerabilities, which aligns with the requirements of RA-5.

Document Content
Matched Section
Section: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment, as applicable to all cloud environments.
Content: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment, as applicable to all cloud environments.
AI Justification
The requirement to periodically assess internal and external threats and vulnerabilities across all cloud environments aligns with the need for comprehensive vulnerability monitoring.

Document Content
Matched Section
Section: Detailed explanation of why the exception is necessary and Detailed mitigation information, if available.
Content: Detailed explanation of why the exception is necessary. Detailed mitigation information, if available. A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures. The procedures described in the beginning of this section should be completed within 5 business days of the approval of the emergency exception. If the CISO or his/her designee determines that emergency exceptions are being used inappropriately, they can revoke this privilege.
AI Justification
The chunk discusses the necessity of documenting exceptions and mitigation information, which aligns with the need for organizations to respond to risks appropriately, including documenting risk acceptance or mitigation strategies.

Document Content
Matched Section
Section: 1.15 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text requires that policy exceptions be approved in advance by InfoSec and defines the controls as minimum requirements that divisions may exceed. The alignment with system and services acquisition policy is indirect; the chunk concerns policy exceptions rather than acquisition.

Document Content
Matched Section
Section: 1.5 CLOUD SECURITY MANAGEMENT
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems. Compliance with cloud security baseline requirements should be reassessed at least annually or upon architectural changes.
AI Justification
The text requires establishing baseline security control requirements and reassessing compliance with them at least annually or upon architectural changes, which aligns with the principles of configuration management.

Document Content
Matched Section
Section: Processes, procedures, and controls to safeguard Lazard’s enterprise infrastructure.
Content: The Information Security Team should establish or amend a Lazard policy for accessing systems, applications, and data implemented in the cloud, including cloud authentication and credential management for Lazard and non-Lazard users.
AI Justification
The text requires a policy for cloud access, authentication and credential management covering Lazard and non-Lazard users. It does not describe developmental testing or evaluation, so the alignment with that control is indirect.

Document Content
Matched Section
Section: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment, as applicable to all cloud environments.
Content: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment, as applicable to all cloud environments.
AI Justification
The requirement to periodically assess internal and external threats and vulnerabilities across all cloud environments aligns with the ongoing assessment and evaluation aspect of the control.

Document Content
Matched Section
Section: The Information Security Team should utilize specialized software and systems to reduce cloud security breach risk exposure, and regularly test company’s secure perimeters and the cloud service perimeters using penetration tests and other forensic methods.
Content: The Information Security Team should utilize specialized software and systems to reduce cloud security breach risk exposure, and regularly test company’s secure perimeters and the cloud service perimeters using penetration tests and other forensic methods.
AI Justification
Regular testing of secure perimeters and cloud service perimeters using penetration tests is a form of evaluation that supports the control's intent.

Document Content
Matched Section
Section: Cloud Security Management
Content: implemented, to ensure the development and/or acquisition of new managed cloud services /service models have been pre-authorized by the organization's business leadership or other accountable business role or function.
AI Justification
The text requires that new managed cloud services and service models be pre-authorized by business leadership or another accountable business role, which aligns with allocating resources for security throughout the system development life cycle.

Document Content
Matched Section
Section: CLOUD SECURITY MANAGEMENT
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems.
AI Justification
The text discusses the importance of establishing baseline security control requirements for developed or acquired cloud applications and systems, which aligns with the principles of integrating security into the system development life cycle.

Document Content
Matched Section
Section: CLOUD SECURITY MANAGEMENT
Content: Compliance with cloud security baseline requirements should be reassessed at least annually or upon architectural changes.
AI Justification
The requirement to reassess compliance with cloud security baseline requirements at least annually or upon architectural changes aligns with security engineering principles that ensure proper design and implementation.

Document Content
Matched Section
Section: CLOUD SECURITY MANAGEMENT
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems.
AI Justification
The text discusses the establishment of baseline security control requirements for cloud applications and systems, which aligns with the need for derived security and privacy requirements as described in SA-4.

Document Content
Matched Section
Section: CLOUD SECURITY MANAGEMENT
Content: Compliance with cloud security baseline requirements should be reassessed at least annually or upon architectural changes.
AI Justification
The mention of compliance with cloud security baseline requirements and the need for reassessment aligns with the high-level security and privacy requirements described in SA-2.

Document Content
Matched Section
Section: 1.12 GOVERNANCE
Content: Lazard’s Cloud Security Program should be governed by the Information Security Team based on NIST recommended security practices and defined security controls, as established by the CSA and CIS. Cloud security artifacts and system documentation are to be maintained with each business unit by the assigned system and Application Owners.
AI Justification
The text discusses the importance of maintaining system documentation and the roles responsible for it, aligning with the control's focus on documentation quality and completeness.

Document Content
Matched Section
Section: CLOUD SECURITY MANAGEMENT
Content: Baseline security control requirements should be established for developed or acquired, Lazard-owned or managed cloud applications and systems.
AI Justification
The text discusses the implementation of baseline security control requirements for cloud services, which aligns with the principles of systems security engineering throughout the system development life cycle.

Document Content
Matched Section
Section: CLOUD SECURITY MANAGEMENT
Content: Compliance with cloud security baseline requirements should be reassessed at least annually or upon architectural changes.
AI Justification
The requirement to reassess compliance with the cloud security baseline at least annually or upon architectural changes aligns with the principle of integrating security throughout the system development life cycle rather than only at initial acquisition or deployment.

Document Content
Matched Section
Section: External entities using Lazard cloud services
Content: External entities using Lazard cloud services are subject to Lazard’s IT4 & IS policies, controls, and contractual requirements (e.g., SOW, MSA) as specified in service agreements.
AI Justification
The text discusses the relationship between external entities and Lazard's policies and contractual requirements, indicating a management of risks associated with external services.

Document Content
Matched Section
Section: Procedures for preventing malware execution on endpoint devices and cloud infrastructure
Content: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution on Lazard-owned or managed endpoint devices (i.e., workstations, laptops, and mobile devices) and cloud infrastructure system components (gateways, cloud service brokers, virtual machines)
AI Justification
The procedures mentioned aim to prevent malware execution, which aligns with the need to manage mobile code risks and ensure security measures are in place to prevent malicious code execution.

Document Content
Matched Section
Section: Portability and Cloud Services
Content: Portability involves using multiple cloud services from different providers to serve different needs and requirements; enables control over where data, applications and workloads are hosted, and allows an enterprise to securely shift workloads between different cloud platforms and providers.
AI Justification
The text discusses the use of multiple cloud services and platforms, which aligns with the concept of platform independence and the ability to shift workloads securely between different platforms.

Document Content
Matched Section
Section: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution
Content: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution on Lazard-owned or managed endpoint devices (i.e., workstations, laptops, and mobile devices) and cloud infrastructure system components (gateways, cloud service brokers, virtual machines)
AI Justification
The procedures mentioned aim to prevent malware execution, which aligns with the need for identifying and isolating malicious code as described in SC-35.

Document Content
Matched Section
Section: Data Destruction Procedures
Content: Cloud Service providers should implement adequate data destruction procedures to ensure protection of data throughout the service lifecycle. When data is no longer needed or has exceeded the requirement retention period, the data should be destroyed from the cloud environment in accordance with its classification.
AI Justification
The text discusses the importance of data destruction procedures and the protection of data throughout its lifecycle, which aligns with the principles of preventing unauthorized information transfer and ensuring that residual information is properly managed.

Document Content
Matched Section
Section: 1.7 CLOUD SYSTEMS
Content: Access to Cloud Systems and Services should be authorized and require business justification. Connectivity to cloud systems should require appropriate ingress/egress network rules to only permit authorized traffic.
AI Justification
The chunk requires authorized, business-justified access to cloud systems and ingress/egress network rules that permit only authorized traffic. This aligns most directly with access authorization and boundary protection; the quoted text does not itself address the confidentiality or integrity of data in transit, so its alignment with protection of transmitted information is partial.

Document Content
Matched Section
Section: 1.15 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for system and information integrity, including the process for handling exceptions to these policies.

Document Content
Matched Section
Section: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends.
Content: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends.
AI Justification
The text requires an exit strategy for recovering, transferring, or destroying data when a contract ends, which aligns with information management and retention requirements covering disposal at the end of a service relationship.

Document Content
Matched Section
Section: Secure data disposal should follow the Data Security Policy and Data Security Standard documents.
Content: Secure data disposal should follow the Data Security Policy and Data Security Standard documents.
AI Justification
The requirement that secure data disposal follow the Data Security Policy and Data Security Standard aligns with retention and disposal requirements. Note that the quoted sentence addresses disposal of data in general, not management of audit records specifically, so this alignment should be treated as partial.

Document Content
Matched Section
Section: Procedures to prevent malware execution
Content: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution on Lazard-owned or managed endpoint devices (i.e., workstations, laptops, and mobile devices) and cloud infrastructure system components (gateways, cloud service brokers, virtual machines)
AI Justification
The chunk discusses procedures and technical measures to prevent malware execution, which aligns with the intent of SI-16 (Memory Protection) to protect system memory from unauthorized code execution, although the policy states the objective rather than specific memory protection mechanisms.

Document Content
Matched Section
Section: Processes, procedures, and controls to safeguard Lazard’s enterprise infrastructure.
Content: The Information Security Team should establish or amend a Lazard policy for accessing systems, applications, and data implemented in the cloud, including cloud authentication and credential management for Lazard and non-Lazard users.
AI Justification
The text requires a policy for accessing cloud-hosted systems, applications, and data, including cloud authentication and credential management for Lazard and non-Lazard users, which supports protection of organizational information from unauthorized access. The quoted content addresses access policy rather than the specific mechanism described by SI-20 (Tainting), so this alignment should be treated as partial.

Document Content
Matched Section
Section: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment.
Content: The Information Security Team should periodically conduct a risk assessment of the internal and external threats and vulnerabilities of the IT environment, as applicable to all cloud environments.
AI Justification
The requirement to periodically assess internal and external threats and vulnerabilities across all cloud environments aligns with the need to identify vulnerabilities and threats as input to risk management.

Document Content
Matched Section
Section: The Information Security Team should utilize specialized software and systems to reduce cloud security breach risk exposure.
Content: The Information Security Team should utilize specialized software and systems to reduce cloud security breach risk exposure, and regularly test company’s secure perimeters and the cloud service perimeters using penetration tests and other forensic methods.
AI Justification
The text indicates the need for testing secure perimeters and mentions the use of specialized software to reduce breach risks, which relates to protecting against malicious code.

Document Content
Matched Section
Section: Data Disposal and Exit Strategy
Content: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends. Cloud Service Providers should be able to remove all Lazard data from the hosting locations at the conclusion of a service contract. Secure data disposal should follow the Data Security Policy and Data Security Standard documents.
AI Justification
The text discusses the importance of having an exit strategy for data disposal and ensuring that data is removed securely, which aligns with the principle of retaining information only as long as necessary.

Document Content
Matched Section
Section: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution on Lazard-owned or managed endpoint devices.
Content: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution on Lazard-owned or managed endpoint devices (i.e., workstations, laptops, and mobile devices) and cloud infrastructure system components (gateways, cloud service brokers, virtual machines)
AI Justification
The text discusses the establishment of procedures and technical measures to prevent malware execution on endpoint devices and cloud infrastructure, which aligns with the control's focus on protecting against malicious code.

Document Content
Matched Section
Section: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution
Content: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution on Lazard-owned or managed endpoint devices (i.e., workstations, laptops, and mobile devices) and cloud infrastructure system components (gateways, cloud service brokers, virtual machines)
AI Justification
The procedures mentioned aim to prevent malware execution, which aligns with the need to protect against unauthorized changes and ensure the integrity of systems.

Document Content
Matched Section
Section: Changes to cloud security systems and procedures should be formally requested, evaluated, approved, documented, and communicated for audit and compliance purposes
Content: Changes to cloud security systems and procedures should be formally requested, evaluated, approved, documented, and communicated for audit and compliance purposes in accordance with all Lazard IT policies.
AI Justification
The formal request, evaluation, approval, documentation, and communication of changes to cloud security systems aligns with the need for mechanisms that detect and monitor changes to system integrity.

Document Content
Matched Section
Section: Section 7: Procedures, supporting business processes, and technical measures
Content: Procedures, supporting business processes, and technical measures should be established and implemented to prevent malware execution on Lazard-owned or managed endpoint devices (i.e., workstations, laptops, and mobile devices) and cloud infrastructure system components (gateways, cloud service brokers, virtual machines)
AI Justification
The procedures and measures described aim to prevent malware execution on endpoint devices, which aligns with the control's focus on protecting system entry and exit points from threats like spam and malware.

Document Content
Matched Section
Section: Data Disposal Responsibilities
Content: An exit strategy for recovering, transferring, or destroying data should be defined in case the contract ends. Cloud Service Providers should be able to remove all Lazard data from the hosting locations at the conclusion of a service contract. Secure data disposal should follow the Data Security Policy and Data Security Standard documents.
AI Justification
The chunk discusses the need for secure data disposal and the responsibilities of Cloud Service Providers in ensuring data is removed and disposed of properly, which aligns with the control's focus on disposal throughout the system development life cycle.
19.1_IS_Cloud_Computing_Security_Standard.pdf NIST
205 matches found

Document Content
Matched Section
Section: The section discusses attributes of an identity and their role in authorization and access control.
Content: attribute aspects of an identity. Attributes can be static (like an organizational unit) or highly dynamic (IP address, device being used, if the user authenticated with MFA, locations, etc. ).
AI Justification
The text describes static identity attributes (such as organizational unit) and dynamic attributes (IP address, device in use, whether the user authenticated with MFA, location), which aligns with attribute-based access control decisions that rely on such attributes being managed as part of the identity record.

Document Content
Matched Section
Section: Access Control | Remote Access
Content: Access Control | Remote Access
AI Justification
The chunk discusses various aspects of remote access, including its definition, types, and security measures such as VPNs, which aligns directly with the control AC-17.

Document Content
Matched Section
Section: Access Control | Wireless Access
Content: Access Control | Wireless Access
AI Justification
The chunk includes a section specifically addressing wireless access, which aligns with the control's focus on wireless technologies and their security measures.

Document Content
Matched Section
Section: User access policies and procedures should be established, and supporting business processes and technical measures implemented.
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses the establishment of user access policies and procedures, which aligns with the requirements for managing system accounts and ensuring appropriate access management.

Document Content
Matched Section
Section: Data Privacy and Data Governance
Content: data privacy governs how data is collected, shared, and used. In a practical sense, data privacy deals with aspects of the control processes around sharing data with third parties, how and where that data is stored, and the specific regulations that apply to those processes (i.e., legislation, contracts)
AI Justification
The chunk discusses data privacy and governance, which relates to the sharing of information and the controls around it, including how data is shared with third parties and the regulations that apply.

Document Content
Matched Section
Section: User access policies and procedures should be established
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses the establishment of user access policies and procedures, which aligns with the concept of access control decisions and the management of access to data.

Document Content
Matched Section
Section: Access Control Policies
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses the establishment of user access policies and procedures, which aligns with the control's focus on controlling access to prevent inappropriate disclosure and tampering.

Document Content
Matched Section
Section: User access policies and procedures should be established
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text requires identity, entitlement, and access management for all internal and customer (tenant) users with access to data, which supports the principle of separation of duties by controlling entitlements so that no single user accumulates conflicting access.

Document Content
Matched Section
Section: User access policies and procedures should be established
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The mention of user access policies and procedures indicates a focus on account management activities.

Document Content
Matched Section
Section: segregated and access restricted to prevent inappropriate disclosure
Content: segregated and access restricted to prevent inappropriate disclosure and tampering of log data.
AI Justification
The text implies the implementation of access control mechanisms to restrict access to log data.

Document Content
Matched Section
Section: Security Awareness and Skills Training
Content: Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents.
AI Justification
The text discusses the provision of literacy training and awareness programs for users, which aligns with the requirements of AT-2.

Document Content
Matched Section
Section: Security Awareness and Skills Training
Content: Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls.
AI Justification
The text discusses the importance of role-based training tailored to the responsibilities and security requirements of individuals, aligning directly with AT-3.

Document Content
Matched Section
Section: Security Awareness and Skills Training
Content: Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs.
AI Justification
The text emphasizes the need for training to fulfill responsibilities related to security and privacy, which aligns with AT-2.

Document Content
Matched Section
Section: Audit & Accountability | Audit Record Generation
Content: Audit & Accountability | Audit Record Generation
AI Justification
The chunk discusses various aspects of audit and accountability, including audit record generation, which aligns with the control's focus on generating audit records from system components.

Document Content
Matched Section
Section: Audit & Accountability | Content of Audit Records
Content: Audit & Accountability | Content of Audit Records
AI Justification
The chunk discusses various aspects of audit records, including their content and the importance of considering privacy risks associated with audit trails.

Document Content
Matched Section
Section: Audit & Accountability | Event Logging
Content: Audit & Accountability | Event Logging
AI Justification
The chunk lists event logging under audit and accountability, which is the area AU-5 addresses; the heading alone does not state how audit logging process failures are handled, so this alignment should be verified against the body of the section.

Document Content
Matched Section
Section: Audit & Accountability | Policy & Procedures
Content: Audit & Accountability | Policy & Procedures
AI Justification
The chunk lists audit and accountability policy and procedures, which would include management of audit records such as audit log storage capacity; the heading alone does not state a capacity requirement, so this alignment should be verified against the body of the section.

Document Content
Matched Section
Section: Audit & Accountability | Audit Record Generation
Content: Audit & Accountability | Audit Record Generation
AI Justification
The mention of audit record generation and monitoring indicates a focus on the processes related to audit logging, which is relevant to the control's emphasis on audit log processing requirements.

Document Content
Matched Section
Section: Audit & Accountability | Audit Record Reduction & Report Generation
Content: Audit & Accountability | Audit Record Reduction & Report Generation
AI Justification
The chunk discusses various aspects of audit and accountability, including audit record reduction and report generation, which aligns directly with the control's focus on manipulating and summarizing audit log information.

Document Content
Matched Section
Section: Audit & Accountability | Policy & Procedures, Event Logging, Content of Audit Records, Audit Record Review, Analysis & Reporting, Audit Record Reduction & Report Generation, Audit Record Generation, Monitoring for Information Disclosure, Session Audit, Cross-Organizational Audit Logging
Content: Audit & Accountability | Policy & Procedures Audit & Accountability | Event Logging Audit & Accountability | Content of Audit Records Audit & Accountability | Audit Record Review, Analysis & Reporting Audit & Accountability | Audit Record Reduction & Report Generation Audit & Accountability | Audit Record Generation Audit & Accountability | Monitoring for Information Disclosure Audit & Accountability | Session Audit Audit & Accountability | Cross-Organizational Audit Logging
AI Justification
The chunk discusses various aspects of audit and accountability, which aligns with the requirements of AU-9 regarding audit information and its protection.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring | Control Assessments
Content: Assessment, Authorization & Monitoring | Control Assessments
AI Justification
The text discusses the necessity for organizations to ensure that control assessors have the required skills and expertise to conduct assessments effectively, which aligns directly with the CA-2 control.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring | Continuous Monitoring
Content: Assessment, Authorization & Monitoring | Continuous Monitoring
AI Justification
The text mentions continuous monitoring as part of the assessment process, which aligns with the CA-7 control.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring | Plan of Action & Milestones
Content: Assessment, Authorization & Monitoring | Plan of Action & Milestones
AI Justification
The text refers to a plan of action and milestones, which aligns with CA-5 (tracking, correcting, and documenting the remediation of weaknesses identified during assessments).

Document Content
Matched Section
Section: Audit plans and business continuity planning
Content: A consistent unified framework for business continuity planning and plan development should be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements.
AI Justification
The chunk discusses the need for a consistent framework for business continuity planning, which aligns with the establishment of policies and procedures.

Document Content
Matched Section
Section: Audit plans and business continuity planning
Content: Audit plans should be developed and maintained to address business process disruptions.
AI Justification
The chunk emphasizes the importance of planning and maintaining audit plans, which is related to response planning for business continuity.

Document Content
Matched Section
Section: Baseline security requirements should be established for developed or acquired, organizationally owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations.
Content: Baseline security requirements should be established for developed or acquired, organizationally owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text requires baseline security requirements for developed or acquired, physical or virtual applications and infrastructure components that comply with applicable legal, statutory, and regulatory obligations, which aligns with the control's focus on official management decisions and risk acceptance.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring | Penetration Testing
Content: Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries.
AI Justification
The text discusses the importance and methodology of penetration testing, which aligns directly with control CA-8.

Document Content
Matched Section
Section: Change management and Installation of software on operational systems
Content: Change management Installation of software on operational systems Restrictions on software installation System change control procedures Technical review of applications after operating platform changes System change control procedures
AI Justification
The chunk discusses restrictions and procedures related to software installation, which aligns with the need for change control in configuration management.

Document Content
Matched Section
Section: System change control procedures
Content: System change control procedures
AI Justification
The mention of system change control procedures indicates a structured approach to managing changes, which is a key aspect of CM-3.

Document Content
Matched Section
Section: Restrictions on software installation
Content: Restrictions on software installation
AI Justification
The chunk implies the need for restrictions on software installation, which relates to maintaining secure configuration settings.

Document Content
Matched Section
Section: Data Governance and Data Privacy
Content: data governance managing the lifecycle of organizational data from creation and introduction to removal and/or disposal and destruction. data privacy governs how data is collected, shared, and used.
AI Justification
The chunk discusses data governance and privacy, which aligns with the control's focus on processing personally identifiable information and managing its lifecycle.

Document Content
Matched Section
Section: Change management
Content: Change management Installation of software on operational systems Restrictions on software installation System change control procedures Technical review of applications after operating platform changes System change control procedures
AI Justification
The chunk discusses various aspects of change management and system change control procedures, which directly align with the requirements outlined in CM-3.

Document Content
Matched Section
Section: User access policies and procedures
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text requires user access policies and procedures with supporting processes and technical measures for identity, entitlement, and access management, which aligns with access enforcement; the quoted text does not refer to log data specifically.

Document Content
Matched Section
Section: segregated and access restricted to prevent inappropriate disclosure and tampering of log data
Content: segregated and access restricted to prevent inappropriate disclosure and tampering of log data.
AI Justification
The text requires log data to be segregated and access-restricted to prevent inappropriate disclosure and tampering, which aligns with the control's focus on limiting access to qualified and authorized individuals; the quoted text addresses access to log data rather than access for making system changes, so this alignment should be treated as partial.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time should be maintained and updated regularly and assigned ownership by defined roles and responsibilities.
AI Justification
The text requires a regularly updated inventory of business-critical assets across all sites and geographical locations, with ownership assigned by defined roles and responsibilities, which aligns with the need to know which components carry configuration settings that affect security and privacy.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The mention of encryption protocols for the protection of sensitive data aligns with the need for data protection controls.

Document Content
Matched Section
Section: Inventory and Control of Enterprise Assets
Content: System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems.
AI Justification
The text discusses the need for a centralized inventory of system components, which aligns directly with the requirements of CM-8.

Document Content
Matched Section
Section: Inventory and Control of Enterprise Assets
Content: Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component.
AI Justification
The text emphasizes the importance of maintaining an inventory of system components for accountability, which aligns with the objectives of PM-5.

Document Content
Matched Section
Section: Contingency Planning | Policy & Procedures
Content: Contingency Planning | Policy & Procedures Contingency Planning | Contingency Plan Contingency Planning | Alternate Processing Site Contingency Planning | System Recovery & Reconstitution
AI Justification
The text discusses the importance of contingency planning policies and procedures, including their development, implementation, and the factors that necessitate updates.

Document Content
Matched Section
Section: Data Recovery
Content: Data Recovery Incident Response Management
AI Justification
The text discusses recovery and reconstitution activities, which are essential components of contingency planning.

Document Content
Matched Section
Section: Data Recovery
Content: Data Recovery Incident Response Management
AI Justification
The mention of recovery time and recovery point objectives aligns with the need for a contingency plan.

Document Content
Matched Section
Section: Data Recovery
Content: Data Recovery Incident Response Management
AI Justification
The text implies the need for incident response activities during recovery and reconstitution.

Document Content
Matched Section
Section: Data Recovery
Content: Data Recovery Incident Response Management
AI Justification
The text indicates the handling of incidents during recovery operations.

Document Content
Matched Section
Section: Contingency Planning | Policy & Procedures
Content: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training.
AI Justification
The text discusses the importance of contingency training linked to roles and responsibilities, which aligns with CP-3.

Document Content
Matched Section
Section: Contingency Planning
Content: Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached.
AI Justification
The text discusses the importance of contingency planning for systems, including system restoration and alternative processes when systems are compromised, which aligns directly with CP-2.

Document Content
Matched Section
Section: Incident Response Management
Content: By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident.
AI Justification
The text mentions the coordination of contingency planning with incident handling activities, which is a key aspect of incident response planning.

Document Content
Matched Section
Section: Contingency Planning | Policy & Procedures
Content: Contingency Planning | Policy & Procedures
AI Justification
The text discusses contingency planning and the need for testing plans to determine their effectiveness, which aligns with the requirements outlined in CP-4.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time should be maintained and updated regularly and assigned ownership by defined roles and responsibilities.
AI Justification
The text discusses the importance of maintaining an inventory of business-critical assets and the need for operational continuity, which aligns with the requirements for alternate storage sites to ensure data availability and business functions.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations)
AI Justification
The mention of encryption protocols for the protection of sensitive data in storage aligns with the control's focus on safeguarding data.

Document Content
Matched Section
Section: Contingency Planning | Telecommunications Services
Content: Contingency Planning | Telecommunications Services
AI Justification
The chunk discusses telecommunications services in the context of contingency planning, aligning directly with CP-8's focus on maintaining essential functions despite telecommunications service loss.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The chunk discusses the need for encryption protocols for the protection of sensitive data in various states, which aligns with the data protection control.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time should be maintained and updated regularly and assigned ownership by defined roles and responsibilities.
AI Justification
The mention of maintaining a complete inventory of business-critical assets and their usage aligns with incident response and management controls.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Keys should have identifiable owners (binding keys to identities) and there should be key management policies.
AI Justification
The need for key management policies and identifiable ownership of keys aligns with configuration management practices.

Document Content
Matched Section
Section: User registration and de-registration, Management of secret authentication information of users, Use of secret authentication information, Secure logon procedures, Password management system, Privacy and protection of personal information
Content: User registration and de-registration Management of secret authentication information of users Use of secret authentication information Secure logon procedures Password management system Privacy and protection of personal information
AI Justification
The text discusses the importance of having policies and procedures for identification and authentication, which aligns directly with IA-1.

Document Content
Matched Section
Section: User registration and de-registration, Management of secret authentication information of users, Use of secret authentication information, Secure logon procedures, Password management system, Privacy and protection of personal information
Content: User registration and de-registration Management of secret authentication information of users Use of secret authentication information Secure logon procedures Password management system Privacy and protection of personal information
AI Justification
The text emphasizes the need for procedures related to user identification and authentication, which is covered by IA-2.

Document Content
Matched Section
Section: User registration and de-registration, Management of secret authentication information of users, Use of secret authentication information, Secure logon procedures, Password management system, Privacy and protection of personal information
Content: User registration and de-registration Management of secret authentication information of users Use of secret authentication information Secure logon procedures Password management system Privacy and protection of personal information
AI Justification
The mention of management of secret authentication information and password management systems aligns with IA-5.

Document Content
Matched Section
Section: Identification and Authentication | Identification and Authentication (Organizational Users)
Content: Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication.
AI Justification
The text discusses the requirements for unique identification and authentication of organizational users, including the use of passwords, physical authenticators, and biometrics.

Document Content
Matched Section
Section: Identification and Authentication | Identification and Authentication (Non-Organizational Users)
Content: Identification and authentication requirements for non-organizational users are described in IA-8.
AI Justification
The text mentions identification and authentication requirements for non-organizational users, indicating the need for unique identification in various contexts.

Document Content
Matched Section
Section: User registration and de-registration, Management of secret authentication information of users, Use of secret authentication information, Secure logon procedures, Password management system
Content: User registration and de-registration Management of secret authentication information of users Use of secret authentication information Secure logon procedures Password management system Privacy and protection of personal information
AI Justification
The chunk discusses the management of secret authentication information and secure logon procedures, which aligns with the requirements for authenticator management.

Document Content
Matched Section
Section: Identification and Authentication | Identification and Authentication Policy and Procedures
Content: Identification and Authentication | Identification and Authentication Policy and Procedures
AI Justification
The chunk mentions the need for policies and procedures regarding identification and authentication, which aligns with IA-1.

Document Content
Matched Section
Section: Identification and Authentication | Identification and Authentication (Organizational Users)
Content: Identification and Authentication | Identification and Authentication (Organizational Users)
AI Justification
The chunk refers to the identification and authentication of users, which is covered under IA-2.

Document Content
Matched Section
Section: Identification and Authentication | Device Identification and Authentication
Content: Identification and Authentication | Device Identification and Authentication
AI Justification
The mention of device authenticators aligns with the requirements for device identification and authentication.

Document Content
Matched Section
Section: Identification and Authentication | Authenticator Management
Content: Identification and Authentication | Authenticator Management
AI Justification
The chunk discusses actions to safeguard individual authenticators and manage them, which aligns with IA-8.

Document Content
Matched Section
Section: User registration and de-registration, Management of secret authentication information of users, Use of secret authentication information, Secure logon procedures
Content: User registration and de-registration Management of secret authentication information of users Use of secret authentication information Secure logon procedures
AI Justification
The chunk discusses user registration, management of authentication information, and secure logon procedures, which are all relevant to the identification and authentication of users.

Document Content
Matched Section
Section: User registration and de-registration, Management of secret authentication information of users, Use of secret authentication information, Secure logon procedures
Content: User registration and de-registration Management of secret authentication information of users Use of secret authentication information Secure logon procedures
AI Justification
The mention of user authentication aligns with the need for identification and authentication of organizational users.

Document Content
Matched Section
Section: User registration and de-registration, Management of secret authentication information of users, Use of secret authentication information, Secure logon procedures
Content: User registration and de-registration Management of secret authentication information of users Use of secret authentication information Secure logon procedures
AI Justification
The overall context of managing user authentication aligns with the need for policies and procedures for identification and authentication.

Document Content
Matched Section
Section: Incident Response Policy and Procedures
Content: Control: IR-1: Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures.
AI Justification
The text discusses the importance of incident response policies and procedures, their development, and the collaboration between security and privacy programs, which aligns with the intent of control IR-1.

Document Content
Matched Section
Section: Incident Handling Procedures
Content: Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure.
AI Justification
The text mentions procedures that describe how policies or controls are implemented, which is relevant to incident handling as outlined in control IR-4.

Document Content
Matched Section
Section: Incident Response Management
Content: Incident Response Management
AI Justification
The chunk discusses incident response management and mentions incident response testing, which aligns directly with the control's focus on testing incident response capabilities.

Document Content
Matched Section
Section: Incident Response Training
Content: Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training.
AI Justification
The chunk discusses the importance of incident response training tailored to the roles and responsibilities of personnel, which aligns directly with the requirements of control IR-2.

Document Content
Matched Section
Section: Incident Handling
Content: Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources.
AI Justification
The chunk mentions incident response training and handling incidents, which aligns with the requirements of control IR-4.

Document Content
Matched Section
Section: Learning from Information Security Incidents Improvement
Content: Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems.
AI Justification
The text discusses the importance of incident response capabilities and the need for coordination among various organizational entities, which aligns with the objectives of IR-4.

Document Content
Matched Section
Section: Incident Response Management
Content: An effective incident handling capability includes coordination among many organizational entities.
AI Justification
The text emphasizes the need for an effective incident handling capability and the importance of having a structured response plan, which aligns with IR-8.

Document Content
Matched Section
Section: Incident Response | Incident Handling
Content: Incident Response | Incident Handling
AI Justification
The chunk discusses documenting incidents and maintaining records about each incident, which aligns with the requirements of IR-5.

Document Content
Matched Section
Section: Incident Response | Incident Monitoring
Content: Incident Response | Incident Monitoring
AI Justification
The chunk references incident monitoring and handling, which aligns with the requirements of IR-4.

Document Content
Matched Section
Section: Assessment of & Decision on Information Security Events
Content: Assessment of & Decision on Information Security Events
AI Justification
The text discusses the assessment and decision-making processes regarding information security events, which aligns with incident handling procedures.

Document Content
Matched Section
Section: Learning from Information Security Incidents
Content: Learning from Information Security Incidents
AI Justification
The mention of learning from information security incidents indicates a focus on monitoring incidents, which is part of incident response.

Document Content
Matched Section
Section: Assessment of & Decision on Information Security Events
Content: Assessment of & Decision on Information Security Events
AI Justification
The control specifically addresses the types of incidents reported and their content, which is directly relevant to the assessment of information security events.

Document Content
Matched Section
Section: Incident Response Management
Content: Incident Response Management
AI Justification
The chunk discusses incident response management, which aligns with the need for a coordinated approach to incident response as outlined in control IR-8.

Document Content
Matched Section
Section: Audit plans and business continuity planning
Content: Audit plans should be developed and maintained to address business process disruptions. Auditing plans should focus on reviewing the effectiveness of the implementation of security operations.
AI Justification
The chunk discusses the need for audit plans and business continuity planning, which relates to the implementation of procedures for incident response.

Document Content
Matched Section
Section: Audit plans and business continuity planning
Content: Auditing plans should focus on reviewing the effectiveness of the implementation of security operations.
AI Justification
The emphasis on reviewing the effectiveness of security operations aligns with continuous monitoring practices.

Document Content
Matched Section
Section: Business continuity planning requirements
Content: A consistent unified framework for business continuity planning and plan development should be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements.
AI Justification
The section outlines the requirements for business continuity plans, which directly aligns with this control.

Document Content
Matched Section
Section: User registration and de-registration, Management of secret authentication information of users, Use of secret authentication information, Secure logon procedures
Content: User registration and de-registration Management of secret authentication information of users Use of secret authentication information Secure logon procedures
AI Justification
The chunk discusses user registration, management of secret authentication information, and secure logon procedures, which are all related to the identification and authentication of users.

Document Content
Matched Section
Section: Management of secret authentication information of users, Password management system
Content: Management of secret authentication information of users Password management system
AI Justification
The mention of managing secret authentication information and password management systems aligns with the requirements for managing authenticators.

Document Content
Matched Section
Section: Identification and Authentication | Device Identification and Authentication
Content: Identification and Authentication | Device Identification and Authentication
AI Justification
The control is relevant as it pertains to the identification and authentication processes that may involve devices.

Document Content
Matched Section
Section: Media Protection | Policy & Procedures, Media Access, Media Marking, Media Storage, Media Transport, Media Use, Media Downgrading
Content: Media Protection | Policy & Procedures Media Protection | Media Access Media Protection | Media Marking Media Protection | Media Storage Media Protection | Media Transport Media Protection | Media Use Media Protection | Media Downgrading
AI Justification
The chunk discusses various aspects of media protection, including access control to both digital and non-digital media.

Document Content
Matched Section
Section: Media Protection | Policy & Procedures
Content: Control: MP-4: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection.
AI Justification
The text discusses various aspects of media protection, including physical controls, secure storage, and accountability for stored media.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text discusses the use of encryption protocols for the protection of sensitive data in various states (storage, use, transmission), which aligns with data protection measures.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time should be maintained and updated regularly and assigned ownership by defined roles and responsibilities.
AI Justification
The mention of maintaining an inventory of business-critical assets and their usage aligns with incident response planning and management.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text implies the need for policies and procedures, which is relevant to configuration management and change control processes.

Document Content
Matched Section
Section: Media Protection | Media Downgrading
Content: Media Protection | Media Downgrading
AI Justification
The chunk explicitly mentions 'Media Downgrading' as a section, indicating that the procedures and policies related to downgrading media are covered.

Document Content
Matched Section
Section: Contingency Planning | Contingency Plan
Content: Contingency Planning | Contingency Plan
AI Justification
The control aligns with the need for a contingency plan that includes provisions for emergency lighting and alternate processing sites.

Document Content
Matched Section
Section: Contingency Planning | Contingency Plan
Content: Contingency Planning | Contingency Plan
AI Justification
This control is relevant as it addresses the consideration of alternate processing sites when emergency lighting fails.

Document Content
Matched Section
Section: Contingency Planning | Contingency Plan
Content: Contingency Planning | Contingency Plan
AI Justification
This control is relevant as it pertains to planning for continuity, which includes emergency lighting provisions.

Document Content
Matched Section
Section: Access Restrictions and User Access Policies
Content: segregated and access restricted to prevent inappropriate disclosure and tampering of log data. User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses restricting access to prevent inappropriate disclosure and tampering, which aligns with enforcing authorizations for entry and exit.

Document Content
Matched Section
Section: Contingency Planning | Alternate Processing Site
Content: Control: PE-17: Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.
AI Justification
The text discusses the importance of alternate work sites in contingency planning, which aligns with the control's focus on defining and implementing controls for such sites.

Document Content
Matched Section
Section: Physical & Environmental Protection | Physical Access Authorizations
Content: Physical & Environmental Protection | Physical Access Authorizations
AI Justification
The chunk discusses physical access authorizations and the criteria for determining who is considered a visitor and the types of authorization credentials.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time should be maintained and updated regularly and assigned ownership by defined roles and responsibilities.
AI Justification
The text discusses maintaining a complete inventory of business-critical assets and their management, which aligns with ensuring assets remain in authorized locations.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented
Content: for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The mention of encryption protocols for the protection of sensitive data aligns with data protection controls.

Document Content
Matched Section
Section: Access Control Policies and Procedures
Content: segregated and access restricted to prevent inappropriate disclosure and tampering of log data. User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The chunk discusses access restrictions and the need for user access policies, which aligns with the physical access control measures outlined in PE-3.

Document Content
Matched Section
Section: Cabling security
Content: Cabling security
AI Justification
The chunk discusses cabling security and equipment protection, which aligns with the need for security controls to prevent physical tampering and eavesdropping.

Document Content
Matched Section
Section: Physical & Environmental Protection | Power Equipment & Cabling
Content: Equipment siting and protection Supporting utilities Cabling security Equipment maintenance Removal of assets Security of equipment and assets off-premises Secure disposal or reuse of equipment Unattended user equipment
AI Justification
The chunk discusses the protection and security of power equipment and cabling, which aligns with the requirements of PE-9.

Document Content
Matched Section
Section: Baseline security requirements
Content: Baseline security requirements should be established for developed or acquired, organizationally owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text discusses the establishment of baseline security requirements for applications and infrastructure, which aligns with the definition of control baselines as predefined sets of controls to address protection needs.

Document Content
Matched Section
Section: Change management
Content: System change control procedures
AI Justification
The text discusses the need for system change control procedures and restrictions on software installation, which aligns with the control for managing changes to the system.

Document Content
Matched Section
Section: Technical review of applications after operating platform changes
Content: Technical review of applications after operating platform changes
AI Justification
The mention of technical reviews of applications after operating platform changes aligns with the need for formal change control processes.

Document Content
Matched Section
Section: Impact Analyses
Content: Impact Analyses
AI Justification
The text implies the need for impact analyses as part of the change management process.

Document Content
Matched Section
Section: Restrictions on software installation
Content: Restrictions on software installation
AI Justification
Restrictions on software installation indicate the need for access controls related to changes.

Document Content
Matched Section
Section: Security and privacy workforce development and improvement programs
Content: Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions.
AI Justification
The text discusses the importance of workforce development and training programs for security and privacy roles, which aligns directly with the control's focus on defining knowledge, skills, and abilities needed for these roles.

Document Content
Matched Section
Section: Security Awareness and Skills Training
Content: Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.
AI Justification
The mention of security awareness and training programs in the text aligns with the control's focus on ensuring personnel are trained in security awareness.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring | Control Assessments
Content: Assessment, Authorization & Monitoring | Control Assessments
AI Justification
The text discusses the importance of a coordinated process for security and privacy testing, training, and monitoring, which aligns directly with control PM-14.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring | Continuous Monitoring
Content: Assessment, Authorization & Monitoring | Continuous Monitoring
AI Justification
The mention of ongoing assessments and the need for coordination across organizational elements aligns with the objectives of PM-15.

Document Content
Matched Section
Section: Program Management | Risk Framing
Content: Program Management | Risk Framing
AI Justification
The chunk discusses risk management strategies and the importance of risk framing at the organizational level, which aligns directly with control PM-28.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supply Chain Risk Management Plan
Content: Supply Chain Risk Management | Supply Chain Risk Management Plan
AI Justification
The text discusses the need for an organization-wide supply chain risk management strategy, which aligns directly with the control's requirements for expressing risk appetite, mitigation strategies, and monitoring processes.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supply Chain Risk Management Plan
Content: Supply Chain Risk Management | Supply Chain Risk Management Plan
AI Justification
The mention of the supply chain risk management plan indicates alignment with the control that focuses on implementing risk management strategies at the system level.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring | Plan of Action & Milestones
Content: Assessment, Authorization & Monitoring | Plan of Action & Milestones; Program Management | Plan of Action and Milestones Process
AI Justification
The text discusses the importance of plans of action and milestones in organizational risk management and their alignment with organizational goals.

Document Content
Matched Section
Section: Program Management | Risk Management Strategy
Content: Program Management | Risk Management Strategy; Program Management | Risk Framing
AI Justification
The text mentions the development of plans of action and milestones with an organization-wide perspective, which aligns with risk management strategies.

Document Content
Matched Section
Section: Program Management | Measures of Performance
Content: Program Management | Measures of Performance
AI Justification
The chunk mentions 'Program Management | Measures of Performance', which directly relates to the control's focus on outcome-based metrics for measuring effectiveness in security and privacy programs.

Document Content
Matched Section
Section: NIST SP 800-53 Rev 5
Content: PM-5: OMB A-130 provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in CM-8.
AI Justification
The chunk discusses the concept of system inventory as per OMB A-130 guidance, which aligns with the PM-5 control focused on developing systems inventories.

Document Content
Matched Section
Section: NIST SP 800-53 Rev 5
Content: System inventory refers to an organization-wide inventory of systems, not system components as described in CM-8.
AI Justification
The mention of system components in relation to system inventory aligns with the CM-8 control, which focuses on the inventory of system components.

Document Content
Matched Section
Section: Program Management | Critical Infrastructure Plan
Content: Program Management | Critical Infrastructure Plan
AI Justification
The chunk discusses contingency planning and critical infrastructure, aligning with the need to prioritize critical assets and resources.

Document Content
Matched Section
Section: Contingency Planning | Contingency Plan
Content: Contingency Planning | Contingency Plan
AI Justification
The mention of contingency planning indicates the establishment of a contingency plan, which is directly related to CP-2.

Document Content
Matched Section
Section: Risk Assessment | Criticality Analysis
Content: Risk Assessment | Criticality Analysis
AI Justification
The reference to criticality analysis aligns with the assessment of critical assets and resources.

Document Content
Matched Section
Section: Program Management | Risk Management Strategy
Content: An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time.
AI Justification
The text discusses the organization-wide risk management strategy, including risk tolerance and mitigation strategies, which aligns directly with control PM-9.

Document Content
Matched Section
Section: Personnel Security | Position Risk Designation
Content: Control: PS-2: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position.
AI Justification
The text discusses the importance of position risk designations and how they reflect OPM policy and guidance, which aligns directly with the control PS-2.

Document Content
Matched Section
Section: Personnel Security | Personnel Screening
Content: Screening
AI Justification
The chunk discusses personnel screening and related activities, which aligns directly with the control's focus on screening and rescreening personnel based on risk designations.

Document Content
Matched Section
Section: Processes, structures, and internal control mechanisms for leadership and management.
Content: Defines the roles and responsibilities for organizational risk management between a cloud provider and a cloud customer.
AI Justification
The text discusses the roles and responsibilities between a cloud provider and a cloud customer, which aligns with the definition of external providers and their associated personnel security requirements.

Document Content
Matched Section
Section: Incident Response | Incident Handling
Content: Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems.
AI Justification
The text discusses the proactive nature of threat hunting as a means of cyber defense, which aligns with the RA-10 control focused on actively searching for advanced threats.

Document Content
Matched Section
Section: Incident Response | Incident Monitoring
Content: Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code.
AI Justification
The text mentions the importance of monitoring for indications of compromise, which aligns with the SI-4 control that focuses on system monitoring.

Document Content
Matched Section
Section: Risk Assessment | System Development Life Cycle
Content: Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts.
AI Justification
The text discusses the importance of risk assessments in evaluating threats, vulnerabilities, and impacts on organizational operations, which aligns with the RA-3 control.

Document Content
Matched Section
Section: Vulnerability Monitoring and Scanning
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring, including the categorization of information and systems, and the need for comprehensive vulnerability scanning and monitoring tools.

Document Content
Matched Section
Section: Management of technical vulnerabilities
Content: The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible.
AI Justification
The text emphasizes the need for organizations to address potential vulnerabilities quickly and effectively, which aligns with the control's focus on flaw remediation.

Document Content
Matched Section
Section: Risk Assessment | Risk Response
Content: Risk Assessment | Risk Response
AI Justification
The text discusses various options for responding to risk, which aligns with the control's focus on risk response strategies.

Document Content
Matched Section
Section: Secure Configuration of Enterprise Assets and Software
Content: The configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation.
AI Justification
The text discusses the importance of configuration management activities conducted by developers and the need for strict configuration control throughout the system development life cycle.

Document Content
Matched Section
Section: Secure Configuration of Enterprise Assets and Software
Content: Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
AI Justification
The text emphasizes the need for configuration control to track authorized changes and prevent unauthorized changes.

Document Content
Matched Section
Section: Secure Configuration of Enterprise Assets and Software
Content: Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle.
AI Justification
The text implies that configuration management includes analyzing the impact of changes, which aligns with the control's focus.

Document Content
Matched Section
Section: Management of technical vulnerabilities
Content: Control: SA-11: Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements.
AI Justification
The text discusses the importance of testing and evaluating software and firmware components to ensure that security and privacy controls are implemented correctly and operate as intended, which aligns with SA-11.

Document Content
Matched Section
Section: Technical compliance review
Content: Technical review of applications after operating platform changes
AI Justification
The text mentions ongoing assessment and testing to identify and address potential flaws, which aligns with the objectives of RA-5.

Document Content
Matched Section
Section: Reporting information security weaknesses
Content: Reporting information security weaknesses
AI Justification
The text emphasizes the need for flaw remediation processes and the importance of addressing security weaknesses, which aligns with SI-2.

Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Personnel Security | External Personnel Security
AI Justification
The text discusses the importance of training for personnel, which aligns with the need for developer-provided training to ensure the effectiveness of security controls.

Document Content
Matched Section
Section: Management of technical vulnerabilities
Content: Management of technical vulnerabilities
AI Justification
The chunk discusses the management of technical vulnerabilities and the need for compliance with security policies, which aligns with the need to assess and potentially reimplement system components that cannot be trusted.

Document Content
Matched Section
Section: Technical review of applications after operating platform changes
Content: Technical review of applications after operating platform changes
AI Justification
The mention of technical review of applications and reporting information security weaknesses aligns with the need for flaw remediation.

Document Content
Matched Section
Section: Baseline security requirements should be established for developed or acquired, organizationally owned or managed, physical or virtual, applications and infrastructure system and network components...
Content: Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties should be subject to background verification proportional to the data classification to be accessed.
AI Justification
The chunk discusses the need for background verification for employment candidates, contractors, and third parties, which aligns with the developer screening requirements outlined in SA-21.

Document Content
Matched Section
Section: Baseline security requirements should be established for developed or acquired, organizationally owned or managed, physical or virtual, applications and infrastructure system and network components...
Content: Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties should be subject to background verification proportional to the data classification to be accessed.
AI Justification
The mention of background verification for employment candidates and contractors aligns with the personnel screening criteria outlined in PS-3.

Document Content
Matched Section
Section: Baseline security requirements should be established for developed or acquired, organizationally owned or managed, physical or virtual, applications and infrastructure system and network components.
Content: Baseline security requirements should be established for developed or acquired, organizationally owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text discusses the establishment of baseline security requirements for applications and infrastructure, which aligns with the principles of integrating security into the system development life cycle.

Document Content
Matched Section
Section: The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components.
Content: The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components.
AI Justification
The mention of security and privacy considerations in the context of system development aligns with the need for proper design, coding, and testing of systems.

Document Content
Matched Section
Section: Management of technical vulnerabilities
Content: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms.
AI Justification
The text discusses the derivation of security and privacy functional requirements, which aligns with the description of SA-4.

Document Content
Matched Section
Section: Technical review of applications after operating platform changes
Content: Technical review of applications after operating platform changes; Reporting information security weaknesses.
AI Justification
The mention of technical review of applications and reporting information security weaknesses aligns with the objectives of RA-5.

Document Content
Matched Section
Section: Compliance with security policies and standards
Content: Compliance with security policies and standards; Technical compliance review.
AI Justification
The content discusses the need for assurance requirements and the remediation of vulnerabilities, which aligns with SI-2.

Document Content
Matched Section
Section: Processes, structures, and internal control mechanisms for leadership and management.
Content: Defines the roles and responsibilities for organizational risk management between a cloud provider and a cloud customer; laws, regulations, mandates, and legal implications of public cloud computing or third party-hosted private clouds.
AI Justification
The text discusses the roles and responsibilities for organizational risk management between a cloud provider and a cloud customer, which aligns with the management of risks from external system services.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Keys should have identifiable owners (binding keys to identities) and there should be key management policies.
AI Justification
The text discusses the need for key management policies and identifiable ownership of keys, which aligns with the requirements for cryptographic key management.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage.
AI Justification
The mention of encryption protocols for the protection of sensitive data aligns with the data protection requirements.

Document Content
Matched Section
Section: Attribute aspects of an identity.
Content: Attribute aspects of an identity. Attributes can be static (like an organizational unit) or highly dynamic (IP address, device being used, whether the user authenticated with MFA, location, etc.).
AI Justification
The chunk discusses attributes of identity and their role in access control, which aligns with the definition of security and privacy attributes in SC-16.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Keys should have identifiable owners (binding keys to identities) and there should be key management policies. Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The text discusses the need for key management policies and the use of encryption protocols to protect sensitive data, which aligns with the requirements for cryptographic solutions.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The mention of encryption protocols for protection of sensitive data directly aligns with the data protection control.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The need for established policies and procedures for encryption indicates a proactive approach to incident response and data protection.

Document Content
Matched Section
Section: User access policies and procedures should be established
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses the establishment of user access policies and procedures, which aligns with the need for an access control policy.

Document Content
Matched Section
Section: segregated and access restricted to prevent inappropriate disclosure and tampering of log data.
Content: segregated and access restricted to prevent inappropriate disclosure and tampering of log data.
AI Justification
The mention of access restrictions and the need to prevent inappropriate disclosure aligns with the control's focus on managing system functions and access.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
Content: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
AI Justification
The chunk discusses the importance of authoritative source information for name and address resolution, which aligns with the control's focus on providing assurances for origin authentication and integrity verification.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Content: System & Communications Protection | Secure Name/Address Resolution Service (Recursive or Caching Resolver)
AI Justification
The mention of DNS and the need for integrity verification also relates to recursive or caching resolvers, which are part of the name/address resolution process.

Document Content
Matched Section
Section: System & Communications Protection | Architecture and Provisioning for Name/Address Resolution Service
Content: System & Communications Protection | Architecture and Provisioning for Name/Address Resolution Service
AI Justification
The chunk's focus on authoritative data and DNS architecture aligns with the control's emphasis on the architecture and provisioning aspects of name/address resolution services.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
Content: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
AI Justification
The control SC-21 focuses on the validation of name resolution services, which is directly addressed by the mention of secure name/address resolution services in the chunk.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Content: System & Communications Protection | Secure Name/Address Resolution Service (Recursive or Caching Resolver)
AI Justification
The control SC-21 also applies to recursive or caching resolvers, which are mentioned in the chunk.

Document Content
Matched Section
Section: System & Communications Protection | Architecture and Provisioning for Name/Address Resolution Service
Content: System & Communications Protection | Architecture and Provisioning for Name/Address Resolution Service
AI Justification
The control SC-21 is relevant to the architecture and provisioning aspects of name/address resolution services as indicated in the chunk.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
Content: Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server.
AI Justification
The text discusses the deployment of authoritative DNS servers to enhance redundancy and eliminate single points of failure, which aligns with the control's focus on secure name/address resolution services.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Content: Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility).
AI Justification
The text also implies the need for secure DNS services, which can include recursive or caching resolvers, thus aligning with this control.

Document Content
Matched Section
Section: System & Communications Protection | Architecture and Provisioning for Name/Address Resolution Service
Content: Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).
AI Justification
The mention of role separation and client access specifications indicates a structured approach to the architecture and provisioning of DNS services.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The chunk discusses the need for encryption protocols for the protection of sensitive data in storage, which aligns with the control's focus on safeguarding information at rest.

Document Content
Matched Section
Section: service-level expectations, and operational continuity requirements
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
AI Justification
The mention of establishing policies and procedures for data protection aligns with the control's focus on implementing data protection processes.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
AI Justification
The chunk discusses the need for policies and procedures to prevent malware execution, which aligns with the control's focus on identifying and isolating malicious code.

Document Content
Matched Section
Section: System & Communications Protection | Out-of-Band Channels
Content: System & Communications Protection | Out-of-Band Channels
AI Justification
The chunk explicitly mentions 'Out-of-Band Channels' which aligns directly with the control SC-37 that discusses the use and characteristics of out-of-band channels.

Document Content
Matched Section
Section: User access policies and procedures should be established
Content: User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses user access policies and procedures, which align with the need for an access control policy to prevent inappropriate disclosure and tampering.

Document Content
Matched Section
Section: segregated and access restricted to prevent inappropriate disclosure
Content: segregated and access restricted to prevent inappropriate disclosure and tampering of log data.
AI Justification
The mention of access restrictions to prevent inappropriate disclosure aligns with the control's focus on usage restrictions for system components.

Document Content
Matched Section
Section: System & Communications Protection | Detonation Chambers
Content: Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator requests in the safety of an isolated environment or a virtualized sandbox.
AI Justification
The text discusses the purpose and function of detonation chambers, which aligns directly with control SC-44.

Document Content
Matched Section
Section: System & Information Integrity | Malicious Code Protection
Content: Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely.
AI Justification
The text mentions the identification and prevention of malicious code propagation, which aligns with control SI-4.

Document Content
Matched Section
Section: Access Control and User Management
Content: segregated and access restricted to prevent inappropriate disclosure and tampering of log data. User access policies and procedures should be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data.
AI Justification
The text discusses the need for access restrictions and policies to prevent inappropriate disclosure and tampering, which aligns with the need for robust mechanisms for domain separation and policy enforcement.

Document Content
Matched Section
Section: System & Communications Protection | Denial of Service Protection
Content: System & Communications Protection | Denial of Service Protection
AI Justification
The chunk discusses various methods to protect against denial-of-service events, which aligns directly with the control's focus on mitigating such attacks.

Document Content
Matched Section
Section: System & Communications Protection | Boundary Protection
Content: System & Communications Protection | Boundary Protection
AI Justification
The chunk mentions the use of boundary protection devices to filter packets, which is a key aspect of boundary protection controls.

Document Content
Matched Section
Section: Control: SC-7
Content: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture.
AI Justification
The text discusses managed interfaces and boundary protection mechanisms, which align with the SC-7 control.

Document Content
Matched Section
Section: AC-4
Content: Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.
AI Justification
The text mentions restricting external web traffic and prohibiting spoofed addresses, which aligns with the AC-4 control.

Document Content
Matched Section
Section: System & Communications Protection
Content: System & Communications Protection | Denial of Service Protection; System & Communications Protection | Boundary Protection; System & Communications Protection | Network Disconnect; System & Communications Protection | Trusted Path; System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source); System & Communications Protection | Secure Name/Address Resolution Service (Recursive or Caching Resolver); System & Communications Protection | Architecture and Provisioning for Name/Address Resolution Service; System & Communications Protection | Session Authenticity; System & Communications Protection | Covert Channel Analysis; System & Communications Protection | Out-of-Band Channels; System & Communications Protection | Operations Security; System & Communications Protection | Alternate Communications Paths
AI Justification
The chunk discusses various aspects of access control and communications protection, which align with the need to protect the confidentiality and integrity of transmitted information.

Document Content
Matched Section
Section: Configuration Management | System Component Inventory
Content: While MTTF is primarily a reliability issue, predictable failure prevention is intended to address potential failures of system components that provide security capabilities.
AI Justification
The text discusses the importance of addressing potential failures of system components that provide security capabilities, which aligns with the objectives of SI-13.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
AI Justification
The text discusses the prevention of malware execution on devices, which aligns with the intent of SI-16 to protect memory from unauthorized code execution.

Document Content
Matched Section
Section: Flaw Remediation and Software Updates
Content: The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling.
AI Justification
The text discusses the identification and remediation of system flaws, including the reporting of vulnerabilities and the processes involved in updating security-relevant software and firmware.

Document Content
Matched Section
Section: Configuration Management Processes
Content: By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.
AI Justification
The text mentions incorporating flaw remediation into configuration management processes, which aligns with the need for change control in configurations.

Document Content
Matched Section
Section: Testing Decisions for Flaw Remediation
Content: Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed.
AI Justification
The text refers to determining the type of testing needed for flaw remediation, which relates to analyzing the security impact of changes.

Document Content
Matched Section
Section: Data Governance
Content: data governance managing the lifecycle of organizational data from creation and introduction to removal and/or disposal and destruction.
AI Justification
The text discusses the importance of managing the lifecycle of organizational data, which aligns with the need to retain information only for the minimum period necessary to reduce risk exposure.

Document Content
Matched Section
Section: Policies and procedures should be established, and supporting business processes and technical measures implemented
Content: Policies and procedures should be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
AI Justification
The chunk discusses the establishment of policies and procedures to prevent malware execution, which aligns with the control's focus on protecting against malicious code.

Document Content
Matched Section
Section: System & Information Integrity | System Monitoring
Content: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system.
AI Justification
The text discusses the importance of system monitoring, including both internal and external monitoring, and the tools and techniques used for effective monitoring.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supply Chain Risk Management Plan
Content: Control: SR-1: Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations.
AI Justification
The text discusses the importance of supply chain risk management policies and procedures, aligning directly with the requirements of SR-1.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supply Chain Controls & Processes
Content: Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed.
AI Justification
The text emphasizes the need for procedures that describe how policies or controls are implemented, which aligns with SR-2.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supplier Assessments & Reviews
Content: Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
AI Justification
The mention of events that may lead to updates in supply chain risk management policies and procedures aligns with the assessment focus of SR-3.

Document Content
Matched Section
Section: Supply Chain Risk Management
Content: Supply Chain Risk Management | Supply Chain Risk Management Plan
AI Justification
The chunk discusses various aspects of supply chain management, including risk management strategies and processes, which aligns directly with the definition and scope of SR-3.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supply Chain Risk Management Plan
Content: Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans.
AI Justification
The text discusses the complexities and requirements of managing supply chain risks, which aligns directly with the control's focus on the risks associated with external providers and the need for a coordinated risk management approach.

Document Content
Matched Section
Section: System & Services Acquisition | Development Process, Standards, & Tools
Content: Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly.
AI Justification
The text mentions the need for tailored SCRM plans and the evaluation of technology and services, which aligns with the control's focus on acquisition processes and ensuring that external providers meet security requirements.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supplier Assessments & Reviews
Content: Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders.
AI Justification
The text addresses the risks associated with external providers and the importance of managing these risks, which aligns with the control's focus on the security of external information system services.

Document Content
Matched Section
Section: Supply Chain Risk Management | Acquisition Strategies, Tools, & Methods
Content: The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution.
AI Justification
The text discusses various strategies and tools for protecting the supply chain, which aligns with the objectives of SR-5.

Document Content
Matched Section
Section: System & Services Acquisition | Development Process, Standards, & Tools
Content: The use of the acquisition process provides an important vehicle to protect the supply chain.
AI Justification
The text mentions the acquisition process as a means to protect the supply chain, which aligns with the objectives of SA-4.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supply Chain Controls & Processes
Content: Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle.
AI Justification
The text discusses the importance of protecting the supply chain and the various methods to do so, which aligns with SA-9.

Document Content
Matched Section
Section: Information security policy for supplier relationships
Content: Information security policy for supplier relationships; Address security within supplier agreements; Information and communication technology supply chain; Monitoring and review of supplier services; Managing changes to supplier services
AI Justification
The chunk discusses the importance of assessing and reviewing supplier relationships, which aligns with the requirements of SR-6 regarding supplier risk management processes.

Document Content
Matched Section
Section: Monitoring and review of supplier services
Content: Monitoring and review of supplier services; Managing changes to supplier services
AI Justification
The mention of monitoring and reviewing supplier services aligns with SR-2, which focuses on establishing policies and procedures for supply chain risk management.

Document Content
Matched Section
Section: Supply Chain Risk Management | Supply Chain Risk Management Plan
Content: Supply Chain Risk Management | Supply Chain Risk Management Plan
AI Justification
The text discusses the importance of agreements and procedures for communication among supply chain entities, which aligns with the objectives of SR-8.

Document Content
Matched Section
Section: Information security policy for supplier relationships
Content: Information security policy for supplier relationships
AI Justification
The text discusses the importance of security within supplier relationships and the need for policies to manage supply chain risks.

Document Content
Matched Section
Section: Address security within supplier agreements
Content: Address security within supplier agreements
AI Justification
The mention of addressing security within supplier agreements aligns with the need for procedures to manage supply chain risks.

Document Content
Matched Section
Section: Monitoring and review of supplier services
Content: Monitoring and review of supplier services
AI Justification
The text highlights the need for monitoring and reviewing supplier services, which is part of a comprehensive risk management plan.

Document Content
Matched Section
Section: Managing changes to supplier services
Content: Managing changes to supplier services
AI Justification
Managing changes to supplier services is a critical aspect of supply chain risk management controls.
26.0_IS_Vulnerability_Management_Policy.pdf NIST
80 matches found

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The chunk discusses the classification of documents and the restrictions on their use and disclosure, which aligns with the control's focus on information sharing and access restrictions.

Document Content
Matched Section
Section: Audit and accountability policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The chunk discusses the implementation of security policies and procedures, including the process for requesting exceptions, which aligns with the need for audit and accountability policies.

Document Content
Matched Section
Section: Section b to h regarding log files and their management.
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution. c. A review of log files should be conducted periodically. d. All exceptions and anomalies identified during the log file reviews should be documented and reviewed. e. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification. f. Log files should be protected from tampering or unauthorized access. g. All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent. h. All log files should be maintained for at least 6 months.
AI Justification
The chunk discusses the production, review, and retention of log files, which aligns with the requirements for retaining audit records until they are no longer needed.

Document Content
Matched Section
Section: Event Logging and Log Management
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution. c. A review of log files should be conducted periodically. d. All exceptions and anomalies identified during the log file reviews should be documented and reviewed. e. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification. f. Log files should be protected from tampering or unauthorized access. g. All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent. h. All log files should be maintained for at least 6 months.
AI Justification
The chunk discusses the production of event logs, periodic reviews, documentation of exceptions, protection of log files, and consistency in timestamps, which aligns with the need for a coordinated audit logging approach.

Document Content
Matched Section
Section: Event Logging and Review Procedures
Content: Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution. A review of log files should be conducted periodically. All exceptions and anomalies identified during the log file reviews should be documented and reviewed. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification. Log files should be protected from tampering or unauthorized access. All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent. All log files should be maintained for at least 6 months.
AI Justification
The chunk discusses the production, review, and protection of event logs, which aligns with the requirements for logging significant events as outlined in AU-2.

Document Content
Matched Section
Section: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution.
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution.
AI Justification
The section discusses the production of event logs, periodic reviews, and the maintenance of log files, which relates to the allocation and management of audit log storage capacity.

Document Content
Matched Section
Section: h. All log files should be maintained for at least 6 months.
Content: h. All log files should be maintained for at least 6 months.
AI Justification
The requirement to maintain log files for at least 6 months indicates a consideration for audit log storage capacity.

Document Content
Matched Section
Section: Event logs and log file management procedures
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution. c. A review of log files should be conducted periodically. d. All exceptions and anomalies identified during the log file reviews should be documented and reviewed. e. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification. f. Log files should be protected from tampering or unauthorized access. g. All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent. h. All log files should be maintained for at least 6 months.
AI Justification
The chunk discusses the production of event logs, periodic reviews of log files, documentation of exceptions, protection of log files, and maintenance of log files, which aligns with the requirements for audit logging processes and handling failures.

Document Content
Matched Section
Section: Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution.
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution.
AI Justification
The chunk discusses the production of event logs, periodic reviews, documentation of exceptions, and protection of log files, which aligns with the requirements for audit record content.

Document Content
Matched Section
Section: Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification.
Content: e. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification.
AI Justification
The mention of using file integrity monitoring or change detection software on logs aligns with the need to ensure the integrity and security of audit records.

Document Content
Matched Section
Section: Log files should be protected from tampering or unauthorized access.
Content: f. Log files should be protected from tampering or unauthorized access.
AI Justification
The requirement to protect log files from tampering or unauthorized access is directly related to the control's focus on audit record content security.

Document Content
Matched Section
Section: All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent.
Content: g. All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent.
AI Justification
The need for consistent timestamps in logs is relevant to the control's focus on audit record content, particularly regarding event descriptions and time stamps.

Document Content
Matched Section
Section: All log files should be maintained for at least 6 months.
Content: h. All log files should be maintained for at least 6 months.
AI Justification
Maintaining log files for at least 6 months aligns with the control's emphasis on the retention of audit records.

Document Content
Matched Section
Section: Event logs production and log file reviews
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution. c. A review of log files should be conducted periodically. d. All exceptions and anomalies identified during the log file reviews should be documented and reviewed. e. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification. f. Log files should be protected from tampering or unauthorized access. g. All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent. h. All log files should be maintained for at least 6 months.
AI Justification
The chunk discusses the production of event logs, periodic reviews of log files, documentation of anomalies, and the protection of log files, which aligns with the audit record reduction process and the need for meaningful analysis of audit logs.

Document Content
Matched Section
Section: 1.2.4 Logging & Alerting
Content: Documented baseline configurations for Information Resources should include log settings to record actions that may affect, or are relevant to, information security.
AI Justification
The chunk discusses the importance of logging and alerting, which aligns with the need for audit information to successfully audit system activity.

Document Content
Matched Section
Section: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution. c. A review of log files should be conducted periodically. d. All exceptions and anomalies identified during the log file reviews should be documented and reviewed. e. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification. f. Log files should be protected from tampering or unauthorized access. g. All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent. h. All log files should be maintained for at least 6 months.
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution. c. A review of log files should be conducted periodically. d. All exceptions and anomalies identified during the log file reviews should be documented and reviewed. e. Lazard should use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification. f. Log files should be protected from tampering or unauthorized access. g. All servers and network equipment should retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent. h. All log files should be maintained for at least 6 months.
AI Justification
The chunk discusses the production, review, and protection of event logs, which aligns with the requirements for audit record review and analysis.

Document Content
Matched Section
Section: c. Inventories of all hardware and software installed on the corporate network should be established and maintained up to date.
Content: c. Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized and unauthorized.
AI Justification
The text discusses the importance of maintaining inventories of hardware and software, conducting automated vulnerability scans, and tracking vulnerabilities, which aligns with the assessment and monitoring aspects of control CA-2.

Document Content
Matched Section
Section: d. Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
Content: d. Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
AI Justification
The mention of automated vulnerability scans aligns with the assessment of controls and the need for ongoing monitoring as described in CA-2.

Document Content
Matched Section
Section: f. All vulnerabilities and their remediation progress should be tracked by the Vulnerability Owners and reported to Information Security no less than once per patching cycle or at a minimum monthly.
Content: f. All vulnerabilities and their remediation progress should be tracked by the Vulnerability Owners and reported to Information Security no less than once per patching cycle or at a minimum monthly.
AI Justification
Tracking vulnerabilities and their remediation progress is a critical aspect of continuous monitoring and assessment of controls, which is a key component of CA-2.

Document Content
Matched Section
Section: 1.2.6 Penetration Testing
Content: Penetration testing of the internal network, external network, and hosted applications should be conducted at least annually or after any significant changes to the environment. Any exploitable vulnerabilities found during a penetration test will be corrected and re-tested to verify the vulnerability was corrected.
AI Justification
The section discusses the requirements and procedures for conducting penetration testing, including the frequency and follow-up actions for vulnerabilities found.

Document Content
Matched Section
Section: c. Inventories of all hardware and software installed on the corporate network should be established and maintained up to date.
Content: c. Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized and unauthorized.
AI Justification
The text discusses the importance of maintaining up-to-date inventories of hardware and software, which aligns with continuous monitoring practices to support risk management decisions.

Document Content
Matched Section
Section: d. Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
Content: d. Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
AI Justification
The mention of automated vulnerability scans aligns with the need for ongoing monitoring of systems to identify weaknesses.

Document Content
Matched Section
Section: f. All vulnerabilities and their remediation progress should be tracked by the Vulnerability Owners and reported to Information Security no less than once per patching cycle or at a minimum monthly.
Content: f. All vulnerabilities and their remediation progress should be tracked by the Vulnerability Owners and reported to Information Security no less than once per patching cycle or at a minimum monthly.
AI Justification
Tracking vulnerabilities and their remediation progress is essential for incident response and aligns with the need for continuous monitoring.

Document Content
Matched Section
Section: Configuration Management Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for configuration management, including the ability to define and implement security requirements and mechanisms, which aligns with the intent of CM-1.

Document Content
Matched Section
Section: Section 1.2.5 (a)
Content: Is responsible for evaluating the current patching levels of all systems and assessing the current level of risk to the firm.
AI Justification
The responsibilities outlined in the chunk relate to evaluating current patching levels and assessing risks, which aligns with conducting impact analyses as described in CM-4.

Document Content
Matched Section
Section: System administrators responsibilities regarding applications and processes.
Content: System administrators will be responsible for identifying all applications, programs and processes running on their systems, and the owners thereof, that may prevent vulnerability remediation.
AI Justification
The text discusses the responsibilities of system administrators in managing applications and processes, which relates to controlling changes in systems and ensuring that only authorized individuals can make changes.

Document Content
Matched Section
Section: Endpoint Protection (Anti-Virus & Malware)
Content: The endpoint protection software should not be altered, bypassed, or disabled.
AI Justification
The requirement for endpoint protection software to not be altered, bypassed, or disabled indicates a need for access enforcement to ensure security measures are maintained.

Document Content
Matched Section
Section: c. Inventories of all hardware and software installed on the corporate network
Content: c. Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The chunk discusses the importance of maintaining inventories of hardware and software, which aligns with limiting unnecessary services and functions to enhance security.

Document Content
Matched Section
Section: d. Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
Content: d. Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
AI Justification
The mention of automated vulnerability scans aligns with the control's emphasis on identifying and preventing the use of prohibited functions and services.

Document Content
Matched Section
Section: Inventories of all hardware and software installed on the corporate network
Content: Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The text discusses the establishment and maintenance of inventories for hardware and software, which aligns with the requirements of CM-8 regarding the accountability and identification of system components.

Document Content
Matched Section
Section: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution.
Content: b. Event logs should be produced based on the Lazard Logging Standard and sent to the approved Information Security central logging solution.
AI Justification
The chunk discusses the documentation and review of log files, which is essential for incident monitoring and forensics.

Document Content
Matched Section
Section: d. All exceptions and anomalies identified during the log file reviews should be documented and reviewed.
Content: d. All exceptions and anomalies identified during the log file reviews should be documented and reviewed.
AI Justification
The mention of log file reviews and documentation of anomalies aligns with the types of incidents that should be monitored.

Document Content
Matched Section
Section: The technical and organizational controls define minimum requirements for securing assets.
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for maintenance, including the need for collaboration between security and privacy programs, which aligns with the control's focus on maintenance policy and procedures.

Document Content
Matched Section
Section: 1.2.7 Vulnerability Scanning
Content: a. Vulnerability scans of the internal and external network should be conducted at least quarterly or after any significant change to the network.
AI Justification
The chunk discusses vulnerability scanning and remediation, which are part of the organization's security and privacy testing and monitoring activities.

Document Content
Matched Section
Section: 1.3 ROLES & RESPONSIBILITIES
Content: Is responsible for tracking vulnerability remediation progress.
AI Justification
The roles and responsibilities outlined in the chunk emphasize the importance of tracking and reporting on vulnerability remediation, aligning with the need for coordinated testing and monitoring activities.

Document Content
Matched Section
Section: 1.2.1 General Requirements
Content: b. Public and private industry sources should be monitored for relevant and applicable new threat and vulnerability information.
AI Justification
The policy emphasizes the importance of monitoring public and private industry sources for new threat and vulnerability information, which aligns with the need for organizations to share threat information to mitigate risks.

Document Content
Matched Section
Section: POSITION
Content: Chief Information Security Officer (CISO)
AI Justification
The mention of the Chief Information Security Officer (CISO) aligns with the requirement for a senior agency information security officer as outlined in control PM-2.

Document Content
Matched Section
Section: Continuous Vulnerability Management
Content: Continuous Vulnerability Management
AI Justification
The text discusses the importance of continuous monitoring for security and privacy posture, which aligns directly with the intent of PM-31.

Document Content
Matched Section
Section: Risk Assessment | Vulnerability Monitoring & Scanning
Content: Risk Assessment | Vulnerability Monitoring & Scanning
AI Justification
The mention of vulnerability management and monitoring aligns with the objectives of RA-5, which focuses on the assessment and management of vulnerabilities.

Document Content
Matched Section
Section: System & Information Integrity | Flaw Remediation
Content: System & Information Integrity | Flaw Remediation
AI Justification
The text implies the need for ongoing assessment and remediation of vulnerabilities, which is the focus of SI-2.

Document Content
Matched Section
Section: Program Management | Plan of Action & Milestones Process
Content: PM-4: The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission/business process level, and organizational/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in CA-5.
AI Justification
The chunk explicitly mentions the control PM-4 and discusses the importance of plans of action and milestones in organizational risk management.

Document Content
Matched Section
Section: Inventories of all hardware and software
Content: c. Inventories of all hardware and software installed on the corporate network should be established and maintained up to date.
AI Justification
The chunk discusses the establishment and maintenance of inventories of hardware and software, which aligns with the guidance provided in PM-5 regarding system inventories.

Document Content
Matched Section
Section: 1.2 POLICY
Content: a. A vulnerability management plan should be developed and implemented to continuously assess and track vulnerabilities on all Lazard assets within the Lazard infrastructure, in order to remediate, and minimize the window of opportunity for attackers.
AI Justification
The policy outlines the importance of assessing and managing vulnerabilities on critical assets, which aligns with the prioritization of critical assets and resources.

Document Content
Matched Section
Section: 1.2 POLICY
Content: This policy applies to all Lazard owned system and software assets that have business value or create potential risk (e.g. financial loss, data loss, reputational loss, contractual default etc.). This policy applies to all equipment that is owned, leased, or managed by Lazard.
AI Justification
The policy outlines a comprehensive approach to managing risks associated with Lazard's assets, aligning with the requirements of a risk management strategy.

Document Content
Matched Section
Section: Policy and Procedures for Security Controls
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses the establishment of security policies and procedures, including the ability to request exceptions, which aligns with the requirements for personnel security policies.

Document Content
Matched Section
Section: Security Categorization Process
Content: Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards.
AI Justification
The text discusses the importance of security categorization in understanding potential adverse impacts on organizational operations and assets, aligning with the RA-2 control.

Document Content
Matched Section
Section: Vulnerability Ownership & Remediation Responsibility
Content: Vulnerability owners are required to compile and maintain reporting metrics that summarize the outcome of each patching cycle. These reports shall be submitted to Information Security for review and will be used to evaluate the current patching levels of all systems and to assess the current level of risk to the firm.
AI Justification
The text discusses the requirement for vulnerability owners to compile metrics that summarize patching outcomes, which relates to assessing risk levels and the effectiveness of remediation efforts.

Document Content
Matched Section
Section: Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
Content: Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
AI Justification
The text discusses the importance of vulnerability monitoring, including automated scans for weaknesses in the inventory of hardware and software, which aligns with the requirements of RA-5.

Document Content
Matched Section
Section: Detailed mitigation information, if available.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures. The procedures described in the beginning of this section should be completed within 5 business days of the approval of the emergency exception. If the CISO or his/her designee determines that emergency exceptions are being used inappropriately, they can revoke this privilege.
AI Justification
The text discusses the need for a structured response to risk, including maintaining records of approved requests and handling emergency exceptions, which aligns with the principles of risk response outlined in RA-7.

Document Content
Matched Section
Section: System and services acquisition policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for security and privacy, which aligns with the requirements of SA-1 regarding system and services acquisition.

Document Content
Matched Section
Section: h. A regular schedule will be developed for patching of all Lazard systems and devices.
Content: h. A regular schedule will be developed for patching of all Lazard systems and devices.
AI Justification
The text discusses the importance of regularly patching systems and devices, which aligns with the control's focus on support for system components, including software patches.

Document Content
Matched Section
Section: i. System components and devices attached to the Lazard network SHOULD be regularly maintained by applying critical security patches within the specified timeframes listed in the IS Vulnerability Management Standard.
Content: i. System components and devices attached to the Lazard network SHOULD be regularly maintained by applying critical security patches within the specified timeframes listed in the IS Vulnerability Management Standard.
AI Justification
The mention of applying critical security patches within specified timeframes directly relates to the control's emphasis on maintaining system components through updates.

Document Content
Matched Section
Section: j. Patching should include updates to all operating systems as well as office productivity software, database software, third party applications, firmware, and mobile devices under the direct management of Information Technology (IT).
Content: j. Patching should include updates to all operating systems as well as office productivity software, database software, third party applications, firmware, and mobile devices under the direct management of Information Technology (IT).
AI Justification
The requirement to patch operating systems and third-party applications aligns with the control's focus on ensuring that system components receive necessary updates.

Document Content
Matched Section
Section: k. Other patches not designated as critical by the vendor shall be applied on a normal maintenance schedule as defined by normal systems maintenance and support operating procedures.
Content: k. Other patches not designated as critical by the vendor shall be applied on a normal maintenance schedule as defined by normal systems maintenance and support operating procedures.
AI Justification
The mention of applying non-critical patches on a normal maintenance schedule reflects the control's intent to maintain system components effectively.

Document Content
Matched Section
Section: Technical and Organizational Controls
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The chunk discusses the implementation of security requirements and mechanisms, which aligns with the derived requirements and control parameters outlined in SA-4.

Document Content
Matched Section
Section: Technical and Organizational Controls
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The mention of divisions and functions having the freedom to implement stronger security requirements reflects the allocation of resources to meet security objectives.

Document Content
Matched Section
Section: d. Each email gateway should utilize Lazard Information Security approved email virus protection software and should adhere to the Lazard rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
Content: d. Each email gateway should utilize Lazard Information Security approved email virus protection software and should adhere to the Lazard rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
AI Justification
The chunk discusses scanning files for malware and protecting information, which aligns with the need to ensure the confidentiality and integrity of information at rest.

Document Content
Matched Section
Section: f. All files received over networks or from any external storage device should be scanned for malware before use.
Content: f. All files received over networks or from any external storage device should be scanned for malware before use.
AI Justification
The mention of scanning files received over networks or from external storage devices for malware directly relates to protecting information at rest.

Document Content
Matched Section
Section: Section d, e, and f regarding email gateway virus protection and scanning files for malware.
Content: Each email gateway should utilize Lazard Information Security approved email virus protection software and should adhere to the Lazard rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails. Controls to prevent or detect the use of known or suspected malicious websites should be implemented. All files received over networks or from any external storage device should be scanned for malware before use.
AI Justification
The chunk discusses the use of email virus protection software and controls to prevent or detect malicious websites, which aligns with the need for identifying and isolating malicious code.

Document Content
Matched Section
Section: Technical and Organizational Controls
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the ability of divisions to define and implement stronger security requirements, which aligns with the need for additional strength of mechanism for specific threats and environments.

Document Content
Matched Section
Section: Controls to prevent or detect the use of known or suspected malicious websites should be implemented.
Content: e. Controls to prevent or detect the use of known or suspected malicious websites should be implemented.
AI Justification
The chunk discusses the use of email gateways and controls to prevent malicious activities, which aligns with the concept of managing interfaces and protecting boundaries as described in SC-7.

Document Content
Matched Section
Section: All files received over networks or from any external storage device should be scanned for malware before use.
Content: f. All files received over networks or from any external storage device should be scanned for malware before use.
AI Justification
The requirement for scanning files received over networks for malware aligns with the need to manage interfaces and protect against malicious code as outlined in SC-7.

Document Content
Matched Section
Section: System and Information Integrity Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the establishment of policies and procedures for system and information integrity, including the process for requesting exceptions to security policies, which aligns with the intent of SI-1.

Document Content
Matched Section
Section: h. A regular schedule will be developed for patching of all Lazard systems and devices.
Content: A regular schedule will be developed for patching of all Lazard systems and devices.
AI Justification
The text discusses the importance of regularly patching systems and devices, which aligns with the concept of maintaining a trusted state and mitigating risks from advanced persistent threats by ensuring that vulnerabilities are addressed in a timely manner.

Document Content
Matched Section
Section: b. All Information Resources should be scanned on a regular basis to identify missing updates.
Content: b. All Information Resources should be scanned on a regular basis to identify missing updates.
AI Justification
The chunk discusses the need to regularly scan for missing updates, evaluate risks, and implement updates based on risk, which aligns with the requirements for flaw remediation outlined in SI-2.

Document Content
Matched Section
Section: e. Global software updates and configuration changes applied to Information Resources should be tested prior to widespread implementation and should be implemented in accordance with the Lazard Change Control Policy.
Content: e. Global software updates and configuration changes applied to Information Resources should be tested prior to widespread implementation and should be implemented in accordance with the Lazard Change Control Policy.
AI Justification
The chunk emphasizes the importance of testing updates prior to implementation, which is a key aspect of flaw remediation.

Document Content
Matched Section
Section: f. Verification of successful software update deployment will be conducted within a reasonable time period as defined in the IS Vulnerability Management Standard.
Content: f. Verification of successful software update deployment will be conducted within a reasonable time period as defined in the IS Vulnerability Management Standard.
AI Justification
The chunk mentions the verification of successful software update deployment, which is part of the flaw remediation process.

Document Content
Matched Section
Section: g. All system components and software should be protected from known vulnerabilities by installing applicable vendor supplied security patches.
Content: g. All system components and software should be protected from known vulnerabilities by installing applicable vendor supplied security patches.
AI Justification
The requirement to protect system components from known vulnerabilities by installing vendor-supplied security patches aligns with the flaw remediation process.

Document Content
Matched Section
Section: Controls to prevent or detect the use of known or suspected malicious websites should be implemented.
Content: e. Controls to prevent or detect the use of known or suspected malicious websites should be implemented.
AI Justification
The text discusses the importance of monitoring and controlling email gateways and scanning files for malware, which aligns with the need to monitor for unauthorized access and data exfiltration.

Document Content
Matched Section
Section: Each email gateway should utilize Lazard Information Security approved email virus protection software and should adhere to the Lazard rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
Content: d. Each email gateway should utilize Lazard Information Security approved email virus protection software and should adhere to the Lazard rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
AI Justification
The mention of scanning all inbound and outbound emails for viruses directly relates to monitoring for potential data exfiltration and unauthorized access.

Document Content
Matched Section
Section: All files received over networks or from any external storage device should be scanned for malware before use.
Content: f. All files received over networks or from any external storage device should be scanned for malware before use.
AI Justification
The requirement to scan all files received over networks or from external storage devices for malware is a proactive measure to prevent data exfiltration and unauthorized access.

Document Content
Matched Section
Section: d. Each email gateway should utilize Lazard Information Security approved email virus protection software and should adhere to the Lazard rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
Content: d. Each email gateway should utilize Lazard Information Security approved email virus protection software and should adhere to the Lazard rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
AI Justification
The text discusses the use of email virus protection software, scanning for malware, and controls to prevent malicious code, aligning with the need for malicious code protection mechanisms.

Document Content
Matched Section
Section: f. All files received over networks or from any external storage device should be scanned for malware before use.
Content: f. All files received over networks or from any external storage device should be scanned for malware before use.
AI Justification
The mention of scanning files received over networks or from external storage devices for malware directly relates to the control's focus on protecting against malicious code.

Document Content
Matched Section
Section: g. Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and should be reported to Lazard IT Support.
Content: g. Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and should be reported to Lazard IT Support.
AI Justification
Reporting uncleaned viruses as security incidents aligns with the control's emphasis on managing and responding to malicious code threats.

Document Content
Matched Section
Section: d. Each email gateway should utilize Lazard Information Security approved email virus protection software
Content: d. Each email gateway should utilize Lazard Information Security approved email virus protection software and should adhere to the Lazard rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
AI Justification
The chunk discusses the use of email virus protection software and scanning of emails, which aligns with the control's focus on protecting against spam and malicious content.

Document Content
Matched Section
Section: c. Inventories of all hardware and software installed on the corporate network should be established and maintained up to date.
Content: c. Inventories of all hardware and software installed on the corporate network should be established and maintained up to date. This includes devices and software that are both authorized or unauthorized.
AI Justification
The chunk discusses the importance of maintaining inventories of hardware and software, which aligns with monitoring the integrity of systems and applications as described in SI-7.

Document Content
Matched Section
Section: d. Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
Content: d. Automated vulnerability scans should be used to scan all identified inventory assets for weaknesses or flaws.
AI Justification
Automated vulnerability scans mentioned in the chunk are a method to monitor and ensure the integrity of software and systems, which is a key aspect of SI-7.

Document Content
Matched Section
Section: f. All vulnerabilities and their remediation progress should be tracked by the Vulnerability Owners and reported to Information Security no less than once per patching cycle or at a minimum monthly.
Content: f. All vulnerabilities and their remediation progress should be tracked by the Vulnerability Owners and reported to Information Security no less than once per patching cycle or at a minimum monthly.
AI Justification
Tracking vulnerabilities and their remediation aligns with the need to monitor and maintain the integrity of systems as outlined in SI-7.

Document Content
Matched Section
Section: 1.2 POLICY
Content: This policy applies to all Lazard owned system and software assets that have business value or create potential risk (e.g. financial loss, data loss, reputational loss, contractual default etc.). This policy applies to all equipment that is owned, leased, or managed by Lazard.
AI Justification
The text discusses the importance of a policy that addresses risks associated with systems and software assets, which aligns with the supply chain risk management policy.

Document Content
Matched Section
Section: 1.2.1 General Requirements
Content: A vulnerability management plan should be developed and implemented to continuously assess and track vulnerabilities on all Lazard assets within the Lazard infrastructure, in order to remediate, and minimize the window of opportunity for attackers.
AI Justification
The mention of a vulnerability management plan aligns with the need for procedures that describe how policies or controls are implemented.
6.0_IS_Data_Security_Policy_1.pdf NIST
150 matches found

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the necessity of having an access control policy and procedures, including the management of exceptions and the roles involved in approving such exceptions.

Document Content
Matched Section
Section: g) It is essential for Lazard to use VPN (Virtual Private Network).
Content: A VPN encrypts employees' internet traffic and makes it harder for third parties to snoop on their online activities.
AI Justification
The chunk discusses the use of VPNs for encrypting internet traffic, which aligns with the definition of remote access and its security measures.

Document Content
Matched Section
Section: Wireless technologies and their security aspects
Content: SSID is a case sensitive, 32 alphanumeric character unique identifier attached to the header of packets sent over a wireless local-area network (WLAN) that acts as a password when a mobile device tries to connect to the basic service set (BSS) -- a component of the IEEE 802.11 WLAN architecture.
AI Justification
The chunk discusses wireless technologies and their security aspects, including SSID and encryption methods, which align with the requirements of AC-18.

Document Content
Matched Section
Section: Responsibilities of Data Custodians
Content: Data Custodians have overall responsibility for technical controls over Information Assets including the following responsibilities: a) Assign and remove access to user or service accounts based upon the direction of the Data Owner.
AI Justification
The responsibilities of Data Custodians include assigning and removing access to user or service accounts, which aligns with the requirements for managing system accounts and access privileges.

Document Content
Matched Section
Section: Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
Content: Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
AI Justification
The text discusses the representation of personal information and the binding of attributes to both active and passive entities, which aligns with the control's focus on data structures and the management of information.

Document Content
Matched Section
Section: All data classified as production, including all customer information when used in system testing or development environments.
Content: All data classified as production, including all customer information when used in system testing or development environments.
AI Justification
The mention of data classified as production, including customer information, relates to the control's emphasis on the management and classification of sensitive information.

Document Content
Matched Section
Section: Internal and external audit reports.
Content: Internal and external audit reports.
AI Justification
The reference to internal and external audit reports indicates the management of sensitive information, which is relevant to the control's focus on data attributes and their binding.

Document Content
Matched Section
Section: Regulatory agency reports, unless specified by the regulatory agency as public data.
Content: Regulatory agency reports, unless specified by the regulatory agency as public data.
AI Justification
Regulatory agency reports are mentioned, which often require specific handling and classification, aligning with the control's focus on information management.

Document Content
Matched Section
Section: Reports produced by Information Security Data (e.g., vulnerability scan / penetration test report) that the Data Owner determines have potential for providing competitive advantage.
Content: Reports produced by Information Security Data (e.g., vulnerability scan / penetration test report) that the Data Owner determines have potential for providing competitive advantage.
AI Justification
The mention of reports produced by Information Security Data indicates the handling of sensitive information that could provide competitive advantage, aligning with the control's focus on data attributes.

Document Content
Matched Section
Section: Data such as balance sheet and profit and loss figures, Lazard-owned holdings, country exposure, total exposure of major clients, general ledger accounts, legal files, and confidential reports.
Content: Data such as balance sheet and profit and loss figures, Lazard-owned holdings, country exposure, total exposure of major clients, general ledger accounts, legal files, and confidential reports.
AI Justification
The reference to financial data and confidential reports relates to the management and classification of sensitive information, which is relevant to the control.

Document Content
Matched Section
Section: All personal data that is not required solely for identification. This includes information regarding an individual's:
Content: All personal data that is not required solely for identification. This includes information regarding an individual's:
AI Justification
The mention of personal data that is not required solely for identification aligns with the control's focus on the management of personally identifiable information and its attributes.

Document Content
Matched Section
Section: Confidential Data
Content: Confidential Data is data that in the event of unauthorized disclosure, compromise or destruction would directly or indirectly have an adverse impact on Lazard, its customers or employees. Confidential data may be shared with parties who have a relationship with Lazard, if they have signed a nondisclosure agreement, have a need to know or there is an agreed upon formal exception from the Chief Information Security Officer (CISO).
AI Justification
The text discusses the sharing of confidential data and the conditions under which it may be shared, aligning with the principles of information sharing as outlined in AC-21.

Document Content
Matched Section
Section: Public Data and Internal Use Only Data
Content: Public Data is any information that is available or required to be shared with the general public, with no legal restrictions on its access or use. Examples include: i. Published annual reports ii. Interviews with news media iii. Business cards iv. Press releases v. Data available on a public website Internal Use Only Data is typically required to perform normal day-to-day work and may be accessed by Lazard personnel as appropriate.
AI Justification
The chunk discusses the classification of data into Public Data and Internal Use Only Data, which aligns with the control's focus on managing access to nonpublic information and the policies surrounding publicly accessible content.

Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy
AI Justification
The text discusses access control policies and their role in managing access between users and systems, aligning with the control's focus on enforcing authorized access.

Document Content
Matched Section
Section: 6.0 Data Security Policy and 8.0 Access Control Policy
Content: 6.0 Data Security Policy 8.0 Access Control Policy
AI Justification
The chunk discusses policies related to data security and access control, which aligns with the principles of information flow control as described in AC-4.

Document Content
Matched Section
Section: 16.0 Information Security Aspects of Business Continuity Management Policy
Content: 16.0 Information Security Aspects of Business Continuity Management Policy
AI Justification
The chunk is only the title of the business continuity policy; it does not itself mention agreements specifying how information flow is enforced, so the mapping to CA-3 (information exchange and transfer policies) should be confirmed against the policy body rather than this title.

Document Content
Matched Section
Section: Segregation of Duties
Content: Segregation of Duties
AI Justification
The chunk mentions segregation of duties, which aligns with the control's focus on dividing functions among different individuals to reduce the risk of abuse of privileges.

Document Content
Matched Section
Section: Data Custodians responsibilities
Content: Data Custodians have overall responsibility for technical controls over Information Assets including the following responsibilities: a) Assign and remove access to user or service accounts based upon the direction of the Data Owner.
AI Justification
The responsibilities outlined for Data Custodians emphasize the assignment and removal of access based on the direction of the Data Owner, which aligns with the principle of least privilege.

Document Content
Matched Section
Section: Role-Based Training
Content: Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties.
AI Justification
The text discusses the importance of role-based training tailored to the responsibilities and security requirements of individuals, which aligns with the control's focus on determining training content based on roles.

Document Content
Matched Section
Section: 1.9 ROLES & RESPONSIBILITIES
Content: Roles: Chief Information Security Officer; Data Owner; Data Custodian. Responsibilities: ● Periodic update and distribution of this policy. ● Assigning appropriate classification to the data. ● Monitoring and reviewing data and its classification periodically. ● Approving access to the data in accordance with Access control policy. ● Ensuring that appropriate data labelling and handling requirements are followed. ● Securing information based upon Business Line classification and direction. It is the responsibility of the Data Custodian to work with a Data Owner who can identify all confidential information and define the appropriate security measures for that information.
AI Justification
The chunk lists the roles (CISO, Data Owner, Data Custodian) and their responsibilities for classifying, reviewing, labelling and securing data, which aligns with the need for documented responsibilities and training on data handling; the matched text does not mention retention.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request.
AI Justification
The text discusses the importance of audit and accountability policies and procedures, including the need for documentation and maintenance of records for approved exceptions, which aligns with the requirements of AU-1.

Document Content
Matched Section
Section: Individual who has approved management responsibility for an Asset’s lifecycle
Content: A digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real.
AI Justification
The text discusses the importance of digital certificates and cryptographic keys, which are essential for non-repudiation services, ensuring that actions such as approvals and communications can be verified.

Document Content
Matched Section
Section: Data retention policies are driven by legal and regulatory requirements.
Content: Data retention policies are driven by legal and regulatory requirements. The Data Owner should ensure that data is retained as it pertains to Global, Federal, State and Local statutes and regulations and/or requirements.
AI Justification
The text discusses data retention policies driven by legal and regulatory requirements, which aligns with the need to retain audit records for administrative, legal, audit, or operational purposes.

Document Content
Matched Section
Section: Restricted Data
Content: Restricted Data is characterized as sensitive data that is intended for a very limited group of individuals. This level contains data, which if disclosed would provide access to business secrets and could jeopardize material interests or actions of Lazard or its clients and could lead to material personal or financial detriment if revealed to unauthorized persons.
AI Justification
The chunk discusses sensitive data characteristics and the implications of unauthorized disclosure, aligning with the control's focus on data leakage.

Document Content
Matched Section
Section: 1.7 PROTECTION OF LOG INFORMATION
Content: Lazard should establish controls to maintain the confidentiality, integrity, and non-repudiation of log information. The log information may be subjected to these operational problems: i. Alterations to the message types. ii. Log files being edited or deleted. iii. Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
AI Justification
The section discusses the protection of log information, which relates to AU-16 only insofar as coordinated audit logging across organizations depends on the integrity of each party's logs; the chunk itself does not address cross-organizational coordination.

Document Content
Matched Section
Section: 1.7 PROTECTION OF LOG INFORMATION
Content: Lazard should establish controls to maintain the confidentiality, integrity, and non-repudiation of log information. The log information may be subjected to these operational problems: i. Alterations to the message types. ii. Log files being edited or deleted. iii. Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
AI Justification
The section discusses the importance of maintaining the confidentiality, integrity, and non-repudiation of log information, which aligns with the requirements for logging significant events for security and privacy.

Document Content
Matched Section
Section: 1.7 PROTECTION OF LOG INFORMATION
Content: System logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security.
AI Justification
The need to protect system logs and ensure their integrity supports the control's focus on the content and protection of audit records.

Document Content
Matched Section
Section: 1.7 PROTECTION OF LOG INFORMATION
Content: a) Lazard should establish controls to maintain the confidentiality, integrity, and non-repudiation of log information. The log information may be subjected to these operational problems: iii. Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
AI Justification
The section discusses the importance of maintaining log information and addresses the need for sufficient storage capacity to prevent loss or overwriting of logs.

Document Content
Matched Section
Section: 1.7 PROTECTION OF LOG INFORMATION
Content: Lazard should establish controls to maintain the confidentiality, integrity, and non-repudiation of log information. The log information may be subjected to these operational problems: i. Alterations to the message types. ii. Log files being edited or deleted. iii. Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
AI Justification
The section discusses the need to maintain the confidentiality, integrity, and non-repudiation of log information, which aligns with the requirements for audit logging process failures and actions to be taken in case of storage capacity issues.

Document Content
Matched Section
Section: ii. Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
Content: ii. Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
AI Justification
The chunk discusses the handling of personal information and data that could be sensitive, which aligns with the need for audit records to include event descriptions and user identifiers to support auditing functions.

Document Content
Matched Section
Section: iv. Internal and external audit reports.
Content: iv. Internal and external audit reports.
AI Justification
The mention of internal and external audit reports indicates the need for maintaining records that can support auditing functions, including the potential privacy risks associated with the data.

Document Content
Matched Section
Section: vi. Reports produced by Information Security Data (e.g., vulnerability scan / penetration test report) that the Data Owner determines have potential for providing competitive advantage.
Content: vi. Reports produced by Information Security Data (e.g., vulnerability scan / penetration test report) that the Data Owner determines have potential for providing competitive advantage.
AI Justification
The reference to reports produced by Information Security Data highlights the importance of documenting sensitive information that could impact security and privacy.

Document Content
Matched Section
Section: viii. All personal data that is not required solely for identification.
Content: viii. All personal data that is not required solely for identification.
AI Justification
The mention of personal data that is not solely for identification suggests a need for careful handling and auditing of sensitive information.

Document Content
Matched Section
Section: 1.7 PROTECTION OF LOG INFORMATION
Content: Lazard should establish controls to maintain the confidentiality, integrity, and non-repudiation of log information. The log information may be subjected to these operational problems: i. Alterations to the message types. ii. Log files being edited or deleted. iii. Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
AI Justification
The section discusses the establishment of controls to maintain the confidentiality, integrity, and non-repudiation of log information, which aligns with the requirements for audit record review and analysis.

Document Content
Matched Section
Section: 1.7 PROTECTION OF LOG INFORMATION
Content: Lazard should establish controls to maintain the confidentiality, integrity, and non-repudiation of log information. The log information may be subjected to these operational problems: i. Alterations to the message types. ii. Log files being edited or deleted. iii. Storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.
AI Justification
The section discusses the protection of log information, including confidentiality, integrity, and non-repudiation, which aligns with the requirements for audit information protection.
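
The 1.7 PROTECTION OF LOG INFORMATION chunk, matched repeatedly above to the audit controls, names three operational problems: altered messages, edited or deleted log files, and storage exhaustion that overwrites earlier records. One integrity control that surfaces all three is a keyed hash chain over the records. The Go program below is an added example written for this page; it is not code from the report or from the policy documents it analyses, and the key, the three log lines and the sequence numbers are constructed for it. Each record's tag is an HMAC over the previous tag and the record, so an altered record, a deleted record, or a lost head shows up on verification; comparing the final tag to an anchor held off the logging host catches truncation of the tail, which a chain alone cannot. Confidentiality of the log content, the first property the chunk requires, is outside this example and needs encryption at rest or restricted access.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// Entry is one log record. Tag binds the record to everything before it.
type Entry struct {
	Seq int
	Msg string
	Tag string
}

// chainTag = HMAC(key, prevTag || seq || 0x00 || msg). Without the key a
// tampering party cannot recompute tags, so edits and deletions surface on verify.
func chainTag(key []byte, prev string, seq int, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(prev))
	m.Write([]byte(strconv.Itoa(seq)))
	m.Write([]byte{0})
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// Append chains a new record onto the log.
func Append(key []byte, log []Entry, msg string) []Entry {
	prev, seq := "", 1
	if n := len(log); n > 0 {
		prev, seq = log[n-1].Tag, log[n-1].Seq+1
	}
	return append(log, Entry{Seq: seq, Msg: msg, Tag: chainTag(key, prev, seq, msg)})
}

// Verify recomputes every tag. firstSeq is the sequence number the log must
// start at (a lost or overwritten head shows as a gap); anchor is the last tag
// as recorded somewhere the log writer cannot alter, the only way to notice
// that the tail has been cut off.
func Verify(key []byte, log []Entry, firstSeq int, anchor string) error {
	prev, want := "", firstSeq
	for _, e := range log {
		if e.Seq != want {
			return fmt.Errorf("sequence gap: expected %d, found %d (records deleted or overwritten)", want, e.Seq)
		}
		if !hmac.Equal([]byte(e.Tag), []byte(chainTag(key, prev, e.Seq, e.Msg))) {
			return fmt.Errorf("seq %d: tag mismatch (record altered)", e.Seq)
		}
		prev, want = e.Tag, want+1
	}
	if anchor != "" && prev != anchor {
		return errors.New("last tag does not match anchor (tail truncated)")
	}
	return nil
}

func clone(log []Entry) []Entry { return append([]Entry(nil), log...) }

// Demo builds a three-record log from constructed lines and returns the
// verification result for the intact log and for three tampered copies.
func Demo() (clean, edited, deleted, truncated error) {
	key := []byte("example-only-hmac-key") // assumed value; keep the real key off the logging host
	var log []Entry
	for _, m := range []string{ // constructed log lines, not real events
		"2025-08-14T09:00:01Z sshd: accepted publickey for alice from 10.0.0.5",
		"2025-08-14T09:02:17Z sudo: alice ran /usr/bin/systemctl restart app",
		"2025-08-14T09:05:40Z app: configuration reloaded",
	} {
		log = Append(key, log, m)
	}
	anchor := log[len(log)-1].Tag

	clean = Verify(key, log, 1, anchor)

	ed := clone(log)
	ed[1].Msg = "2025-08-14T09:02:17Z sudo: alice ran /usr/bin/id" // history rewritten
	edited = Verify(key, ed, 1, anchor)

	del := append(clone(log[:1]), log[2:]...) // the sudo record removed
	deleted = Verify(key, del, 1, anchor)

	truncated = Verify(key, clone(log[:2]), 1, anchor) // tail cut off
	return
}

func main() {
	clean, edited, deleted, truncated := Demo()
	fmt.Println("intact:", clean)
	fmt.Println("edited:", edited)
	fmt.Println("deleted:", deleted)
	fmt.Println("truncated:", truncated)
}
```

The chain does not by itself address the storage-capacity problem; what it gives the operator is a reliable signal that rotation or overwriting removed records, which is the input a capacity alarm (AU-5) needs.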

Document Content
Matched Section
Section: b) Classifying and securing data according to the criteria stipulated within this Policy.
Content: b) Classifying and securing data according to the criteria stipulated within this Policy. Each Data Owner will be responsible for identifying and classifying all information for which he/she is responsible.
AI Justification
The text makes each Data Owner responsible for identifying and classifying the information they own, which is the precondition for authorizing access to it; this aligns with access control policy even though the chunk does not itself describe access groupings.

Document Content
Matched Section
Section: f) Access privileges of all users, especially those with the abilities to modify and delete data, should be reviewed and approved by Data/Business Owners on a regular basis, depending on data sensitivity.
Content: f) Access privileges of all users, especially those with the abilities to modify and delete data, should be reviewed and approved by Data/Business Owners on a regular basis, depending on data sensitivity.
AI Justification
The text mentions reviewing and approving access privileges, which is part of account management.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring
Content: Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate.
AI Justification
The text discusses the importance of ensuring that control assessors have the necessary skills and expertise to conduct assessments effectively, which aligns directly with the requirements of CA-2.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring
Content: Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures.
AI Justification
The text mentions the need for risk-based decisions and the assessment of controls to identify weaknesses, which aligns with the objectives of RA-2.

Document Content
Matched Section
Section: Assessment, Authorization & Monitoring
Content: Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle.
AI Justification
The text emphasizes the importance of maintaining a security and privacy posture throughout the system life cycle, which relates to the continuous assessment and management of risks.

Document Content
Matched Section
Section: Control References and Policies related to Data Security and Information Transfer
Content: Control: CA-3: System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications.
AI Justification
The chunk discusses the requirements and considerations for system information exchanges, which aligns directly with the CA-3 control that outlines the need for risk assessment and management in such exchanges.

Document Content
Matched Section
Section: Mobile Device Policy
Content: Mobile Device Policy
AI Justification
The chunk discusses mobile device policies and their security, which aligns with access control measures for mobile devices.

Document Content
Matched Section
Section: Teleworking
Content: Teleworking
AI Justification
The mention of teleworking implies the need for remote access controls to secure connections from off-premises locations.

Document Content
Matched Section
Section: 1.12 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee.
AI Justification
The text describes the policy exception process (prior InfoSec approval, a ServiceNow exception form, approval by the Department Manager and the CISO or designee), which aligns with the procedural element of a configuration management policy: deviations from the minimum requirements are documented and approved rather than applied silently.

Document Content
Matched Section
Section: Scope and Applicability
Content: Appropriate security controls should be implemented to protect Lazard's information resources. A data classification scheme should be designed to ensure that all data is classified in accordance to its criticality, sensitivity and people dealing with it are aware of how to handle and protect it.
AI Justification
The text discusses the need for appropriate security controls to protect information resources and mentions data classification, which aligns with understanding where information is processed and stored.

Document Content
Matched Section
Section: Discussion on digital certificates and their role in verifying authenticity.
Content: A digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real.
AI Justification
The text discusses the importance of digital certificates for verifying the authenticity of software and firmware components, which aligns with the control's focus on preventing unauthorized installations.

Document Content
Matched Section
Section: Data Protection
Content: Data Protection Access Control Management Network Infrastructure Management Network Monitoring & Defense
AI Justification
The chunk only lists control domain names (Data Protection, Access Control Management, Network Infrastructure Management, Network Monitoring & Defense); it contains no text on limiting component functionality or removing unnecessary services, so the least-functionality mapping rests on the domain names alone.

Document Content
Matched Section
Section: Network Infrastructure Management
Content: Network Infrastructure Management Network Monitoring & Defense
AI Justification
The chunk only names the Network Infrastructure Management and Network Monitoring & Defense domains; network scanning tools and intrusion detection systems are not mentioned in the matched text, so the link to boundary protection is inferred from the domain names.

Document Content
Matched Section
Section: Network Controls
Content: Network Controls Security of Network Services Protecting Application Services Transactions
AI Justification
The chunk names the Network Controls, Security of Network Services and Protecting Application Services Transactions sections; the matched text does not itself describe preventing unauthorized connections, so the alignment with secure network services rests on the section titles.

Document Content
Matched Section
Section: Contingency Planning Policy and Procedures
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the necessity of having policies and procedures for contingency planning, including the process for exceptions and emergency situations, which aligns with the requirements of CP-1.

Document Content
Matched Section
Section: Business continuity plans should include provisions for verifying the accuracy of data stored and generated by applications and systems.
Content: Business continuity plans should include provisions for verifying the accuracy of data stored and generated by applications and systems. This is especially critical when back-up media is utilized to recover applications and/or systems in a business continuity situation.
AI Justification
The chunk discusses the importance of business continuity plans and verifying the integrity of data, which aligns with the need for alternate storage sites to ensure data availability and integrity during disruptions.

Document Content
Matched Section
Section: 1.3 DATA OWNER RESPONSIBILITIES
Content: Data Owners have overall responsibility for information security for their application(s) including the following responsibilities: a) Reviewing and verifying, at least annually, that users continue to require current access privileges, including associated privileges (e.g. transferring and/or copying of data).
AI Justification
The chunk discusses the responsibilities of Data Owners in managing access privileges and protecting sensitive information, which aligns with the need for system-level and user-level information management as outlined in CP-9.

Document Content
Matched Section
Section: f) The use of multifactor authentication should be enforced.
Content: f) The use of multifactor authentication should be enforced.
AI Justification
The chunk requires that multifactor authentication be enforced, which aligns with the control's concept of adaptive authentication in that both demand more than a single password; the matched text does not mention password strength or risk-based step-up authentication.

Document Content
Matched Section
Section: Device Identification and Authentication
Content: SSID is a case sensitive, 32 alphanumeric character unique identifier attached to the header of packets sent over a wireless local-area network (WLAN) that acts as a password when a mobile device tries to connect to the basic service set (BSS) -- a component of the IEEE 802.11 WLAN architecture.
AI Justification
The chunk describes the SSID as the unique identifier a device presents when joining a BSS, which relates to device identification on wireless networks. The matched text does not mention cryptographic keys, and an SSID is transmitted in the clear, so it identifies a network but does not authenticate either the device or the network; device authentication depends on the WPA2/WPA3 (RSN) credentials exchanged after association.
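
The SSID chunk above (and the identical chunk matched to AC-18 earlier) describes the SSID as a 32-character identifier carried in WLAN frames. As an added illustration, not code from this report or from the policy documents it analyses, the following Go program parses the tagged parameters of a beacon frame body and extracts the SSID together with the two fields that actually indicate protection: the capability privacy bit and the presence of an RSN element. Despite the policy's wording, the SSID is broadcast in the clear and does not act as a password; it is the RSN element (WPA2/WPA3) that governs authentication and encryption. The beacon bytes are constructed by BuildBeacon for the example, not captured traffic; the element IDs, capability bits and the 32-byte limit follow IEEE 802.11.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Element IDs, capability bits and limits from IEEE 802.11.
const (
	beaconFixedLen   = 12 // timestamp (8) + beacon interval (2) + capability (2)
	ieSSID           = 0
	ieSupportedRates = 1
	ieRSN            = 48 // WPA2/WPA3 parameters live here, not in the SSID
	maxSSIDLen       = 32
	capESS           = 0x0001
	capPrivacy       = 0x0010 // set when data frames are encrypted
)

// IE is one tagged parameter: a one-byte ID, a one-byte length and the payload.
type IE struct {
	ID   byte
	Data []byte
}

// BeaconInfo is what a passive listener learns from a single beacon.
type BeaconInfo struct {
	SSID    string
	Hidden  bool // SSID element present but empty (cloaked network)
	Privacy bool // capability privacy bit set
	RSN     bool // RSN element present, i.e. WPA2/WPA3 rather than open or WEP
}

// parseIEs walks the tagged-parameter section, rejecting truncated elements.
func parseIEs(p []byte) ([]IE, error) {
	var ies []IE
	for len(p) > 0 {
		if len(p) < 2 {
			return nil, errors.New("truncated element header")
		}
		id, n := p[0], int(p[1])
		if len(p) < 2+n {
			return nil, fmt.Errorf("element %d claims %d bytes but only %d remain", id, n, len(p)-2)
		}
		ies = append(ies, IE{ID: id, Data: p[2 : 2+n]})
		p = p[2+n:]
	}
	return ies, nil
}

// ParseBeacon extracts the SSID and the security-relevant flags from a beacon body.
func ParseBeacon(body []byte) (BeaconInfo, error) {
	if len(body) < beaconFixedLen {
		return BeaconInfo{}, errors.New("beacon body shorter than its fixed fields")
	}
	ies, err := parseIEs(body[beaconFixedLen:])
	if err != nil {
		return BeaconInfo{}, err
	}
	capability := binary.LittleEndian.Uint16(body[10:12])
	info := BeaconInfo{Privacy: capability&capPrivacy != 0}
	for _, ie := range ies {
		switch ie.ID {
		case ieSSID:
			if len(ie.Data) > maxSSIDLen {
				return BeaconInfo{}, fmt.Errorf("SSID length %d exceeds %d", len(ie.Data), maxSSIDLen)
			}
			if len(ie.Data) == 0 {
				info.Hidden = true
			}
			info.SSID = string(ie.Data) // sent in the clear: an identifier, not a secret
		case ieRSN:
			info.RSN = true
		}
	}
	return info, nil
}

// BuildBeacon constructs a minimal beacon body so the parser can run offline.
func BuildBeacon(ssid string, privacy, rsn bool) []byte {
	b := make([]byte, beaconFixedLen)
	binary.LittleEndian.PutUint16(b[8:10], 100) // beacon interval in time units
	capability := uint16(capESS)
	if privacy {
		capability |= capPrivacy
	}
	binary.LittleEndian.PutUint16(b[10:12], capability)
	b = append(b, ieSSID, byte(len(ssid)))
	b = append(b, ssid...)
	b = append(b, ieSupportedRates, 1, 0x82) // 1 Mbps, basic rate
	if rsn {
		b = append(b, ieRSN, 2, 0x01, 0x00) // version field only; real elements list cipher suites
	}
	return b
}

func main() {
	for _, body := range [][]byte{BuildBeacon("corp-wifi", true, true), BuildBeacon("", false, false)} {
		info, err := ParseBeacon(body)
		fmt.Printf("%+v err=%v\n", info, err)
	}
}
```

A hidden SSID (length-zero element) is sometimes treated as a security measure; the parser reports it as Hidden rather than as protection, because clients still send the name in probe requests and the privacy bit and RSN element are what determine whether traffic is encrypted.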

Document Content
Matched Section
Section: Individual who has approved management responsibility for an Asset’s lifecycle
Content: A digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real.
AI Justification
The text discusses the use of digital certificates, which are a form of authentication mechanism, to verify the identity of users and ensure they are authorized to perform actions.
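
The digital certificate chunk (matched here and twice earlier, under the asset-lifecycle and software-authenticity sections) lists the fields a certificate carries and states that a recipient can verify it because the CA signed it. The following Go program, added as an example and not taken from this report or the underlying policy, builds a self-signed CA with the standard library's crypto/x509, issues a holder certificate containing those fields, and verifies it against the CA; a second certificate with identical holder fields but signed by an unrelated CA fails the same check, which is the forgery resistance the passage refers to. The CA names, holder name, serial numbers and 24-hour validity windows are assumed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer pairs a CA certificate with the private key that signs on its behalf.
type issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA: the "trusted agency" whose signature recipients
// check. The name and lifetime are assumed values for the example.
func newCA(name string) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{Cert: cert, Key: key}, nil
}

// issue has the CA sign a certificate carrying the holder's name, a serial number,
// a validity window and the holder's public key: the fields the passage lists.
func issue(ca *issuer, holder string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainst checks the issuer signature, validity window and key usage of leaf
// against one trusted root: what "verify that the certificate is real" means in practice.
func VerifyAgainst(leaf, trusted *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Demo reports whether a certificate from the trusted CA verifies and whether one
// with identical holder fields but signed by an unrelated CA does.
func Demo() (genuineOK, forgedOK bool, err error) {
	ca, err := newCA("Example Corporate CA")
	if err != nil {
		return
	}
	rogue, err := newCA("Unrelated CA")
	if err != nil {
		return
	}
	genuine, err := issue(ca, "alice@example.test", 1001)
	if err != nil {
		return
	}
	forged, err := issue(rogue, "alice@example.test", 1001)
	if err != nil {
		return
	}
	return VerifyAgainst(genuine, ca.Cert) == nil, VerifyAgainst(forged, ca.Cert) == nil, nil
}

func main() {
	genuineOK, forgedOK, err := Demo()
	fmt.Println("genuine verifies:", genuineOK, "forged verifies:", forgedOK, "err:", err)
}
```

Note that verification establishes only that the trusted CA vouched for the holder's public key; whether the holder is authorized to perform an action is a separate access-control decision, and revocation checking (CRL or OCSP) is not part of Verify and must be added where certificates can be withdrawn before they expire.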

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the necessity of having policies and procedures for incident response, including the management of exceptions and the roles involved in approving such exceptions.

Document Content
Matched Section
Section: 1.3 DATA OWNER RESPONSIBILITIES
Content: A data loss prevention (DLP) mechanism should be implemented. This mechanism helps prevent sensitive information from being leaked. It can do this by monitoring and blocking certain types of data from being sent out.
AI Justification
The text discusses the implementation of a data loss prevention mechanism to prevent sensitive information from being leaked, which aligns with the concept of managing information spillage.
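
The DLP chunk above describes a mechanism that monitors outbound content and blocks certain data types, and the Restricted Data chunks earlier list Social Security Numbers and bank account details among the identifiers it would need to catch. The following Go program is an added example of that detection logic, not code from the report or from Lazard's policy. It scans a constructed outbound message (SampleOutbound, invented for this example) for SSNs and US bank routing numbers, applying the Social Security Administration's structural rules and the ABA routing checksum so that placeholder values and ordinary nine-digit ticket numbers are not flagged, records findings in redacted form, and returns a block or allow decision.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one restricted identifier spotted in outbound content. Only a
// redacted form is kept so the DLP alert itself does not leak the value.
type Finding struct {
	Kind     string
	Redacted string
}

var (
	ssnRe     = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	nineDigit = regexp.MustCompile(`\b\d{9}\b`)
)

// validSSN applies the SSA structural rules: area 001-899 excluding 666,
// group and serial non-zero. This drops placeholders such as 000-xx-xxxx.
func validSSN(area, group, serial string) bool {
	a, _ := strconv.Atoi(area)
	g, _ := strconv.Atoi(group)
	s, _ := strconv.Atoi(serial)
	return a != 0 && a != 666 && a < 900 && g != 0 && s != 0
}

// validRouting applies the ABA routing-number checksum (weights 3,7,1 repeated,
// sum mod 10 == 0), which rejects roughly nine out of ten random 9-digit numbers.
func validRouting(n string) bool {
	weights := [9]int{3, 7, 1, 3, 7, 1, 3, 7, 1}
	sum := 0
	for i := 0; i < 9; i++ {
		sum += weights[i] * int(n[i]-'0')
	}
	return sum%10 == 0
}

// redact keeps the last four characters, the usual convention for reference.
func redact(s string) string {
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// Scan returns every structurally valid SSN or routing number found in text.
func Scan(text string) []Finding {
	var out []Finding
	for _, m := range ssnRe.FindAllStringSubmatch(text, -1) {
		if validSSN(m[1], m[2], m[3]) {
			out = append(out, Finding{Kind: "ssn", Redacted: redact(m[0])})
		}
	}
	for _, m := range nineDigit.FindAllString(text, -1) {
		if validRouting(m) {
			out = append(out, Finding{Kind: "aba_routing", Redacted: redact(m)})
		}
	}
	return out
}

// Decide is the policy hook: block the transfer if anything restricted is present.
func Decide(text string) (string, []Finding) {
	f := Scan(text)
	if len(f) > 0 {
		return "block", f
	}
	return "allow", f
}

// SampleOutbound is a constructed message body, not real data.
const SampleOutbound = `Hi, please update the shareholder record:
SSN 123-45-6789, DOB 1970-01-01, routing 021000021, account ending 4471.
Ticket 123456789 tracks this; test fixture 000-45-6789 can be ignored.`

func main() {
	decision, findings := Decide(SampleOutbound)
	fmt.Println(decision)
	for _, f := range findings {
		fmt.Printf("  %-12s %s\n", f.Kind, f.Redacted)
	}
}
```

Pattern matching of this kind is only the detection half of a DLP control; in production it sits on an egress channel (mail gateway, proxy, endpoint agent) and is tuned per data classification, and the account-number case in particular needs context (labels, form fields, document fingerprints) because bank account numbers have no standard format or checksum.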

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text describes the policy exception process (records kept by the CISO or designee, emergency approvals by the IT Director, CIO and CISO), which supports the procedural element of maintenance policies and procedures; the matched text does not itself discuss collaboration between security and privacy programs.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the importance of media protection policies and procedures, including the process for exceptions and the roles involved in approving those exceptions.

Document Content
Matched Section
Section: Handling of Assets
Content: Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.
AI Justification
The text discusses restricting access to both digital and non-digital media, which aligns with the control's focus on managing access to media.

Document Content
Matched Section
Section: Media Protection | Media Marking
Content: Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs.
AI Justification
The chunk discusses security marking and the application of security attributes to various types of media, which aligns with the control's focus on media marking.

Document Content
Matched Section
Section: Media Protection | Media Sanitization
Content: Disposal of Media and Secure Disposal or Re-Use of Equipment.
AI Justification
The mention of disposal and secure disposal of media aligns with the control's focus on sanitization of media.

Document Content
Matched Section
Section: Access Control | Information Flow Enforcement
Content: Access Control | Information Flow Enforcement Access Control | Concurrent Session Control System & Communications Protection | Boundary Protection System & Communications Protection | Network Disconnect System & Communications Protection | Secure Name/Address Resolution (Authoritative Source)
AI Justification
The chunk discusses the physical control and management of stored media, which aligns with the requirements of MP-4 regarding the handling and protection of both digital and non-digital media.

Document Content
Matched Section
Section: Media Protection | Media Sanitization
Content: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed.
AI Justification
The text discusses the process of media sanitization, including techniques and policies for both digital and non-digital media, which aligns directly with the control's focus on sanitization methods.

Document Content
Matched Section
Section: Media Protection | Media Use
Content: Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices.
AI Justification
The text discusses restrictions on the use of various types of media, including portable storage devices, which aligns with the control's focus on managing the use of system media.

Document Content
Matched Section
Section: Media Protection | Media Access
Content: Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned.
AI Justification
The text implies access controls related to media, particularly regarding the management and restriction of access to portable storage devices.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the necessity of policies and procedures for physical and environmental protection, including the handling of exceptions and the roles involved in approving them.

Document Content
Matched Section
Section: Data Protection
Content: Control: MP-5: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
AI Justification
The text discusses the protection of system media during transport, including the use of cryptography and locked containers, which aligns with the requirements of control MP-5.

Document Content
Matched Section
Section: Handling of Assets
Content: Control: MP-5: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.
AI Justification
The text emphasizes the importance of maintaining accountability of media during transport and the need for documentation, which aligns with the requirements of control A.11.2.5.

Document Content
Matched Section
Section: d) A data loss prevention (DLP) mechanism should be implemented.
Content: A data loss prevention (DLP) mechanism should be implemented. This mechanism helps prevent sensitive information from being leaked. It can do this by monitoring and blocking certain types of data from being sent out.
AI Justification
The chunk discusses the implementation of a data loss prevention (DLP) mechanism to prevent sensitive information from being leaked, which aligns with the control's focus on protecting against information leakage.

Document Content
Matched Section
Section: Physical access control applies to employees and visitors.
Content: Control: PE-3: Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.
AI Justification
The chunk discusses various aspects of physical access control, including the roles of employees and visitors, types of access controls, and compliance with laws and regulations.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The chunk discusses the necessity of having policies and procedures for exceptions, which aligns with the planning and implementation of controls as described in PL-1.

Document Content
Matched Section
Section: Tailoring Actions and Customization of Controls
Content: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success.
AI Justification
The text discusses the concept of tailoring controls to meet specific organizational needs, which aligns with the control's focus on customizing baseline controls.

Document Content
Matched Section
Section: Central management refers to organization-wide management and implementation of selected controls and processes.
Content: Control: PL-9: Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes.
AI Justification
The text discusses the organization-wide management and implementation of controls, which aligns with the concept of central management as described in PL-9.

Document Content
Matched Section
Section: The controls and control enhancements that are candidates for full or partial central management include but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-4(all)...
Content: The controls and control enhancements that are candidates for full or partial central management include but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-4(all)...
AI Justification
The mention of centrally managed controls includes specific controls related to account management, indicating alignment with AC-2(1).

Document Content
Matched Section
Section: 1.0 PURPOSE
Content: To achieve effective Information Security, it is essential to classify information so that appropriate security and control measures are applied.
AI Justification
The text discusses the importance of classifying information to apply appropriate security measures, which aligns with the need to define protection and processing needs for information.

Document Content
Matched Section
Section: 1.0 PURPOSE
Content: To achieve effective Information Security, it is essential to classify information so that appropriate security and control measures are applied. For instance, it is as important not to surround trivial information with excessive security, as it is to pay keen attention to the most sensitive matters. Classification of data is also necessary to facilitate compliance with governmental regulations.
AI Justification
The text discusses the classification of information and the importance of applying appropriate security measures, which aligns with the requirements for controlled unclassified information as defined by PM-17.

Document Content
Matched Section
Section: Section ii to viii regarding personal and sensitive information.
Content: ii. Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number. iii. All data classified as production, including all customer information when used in system testing or development environments. iv. Internal and external audit reports. v. Regulatory agency reports, unless specified by the regulatory agency as public data. vi. Reports produced by Information Security Data (e.g., vulnerability scan / penetration test report) that the Data Owner determines has potential for providing competitive advantage. vii. Data such as balance sheet and profit and loss figures, Lazard-owned holdings, country exposure, total exposure of major clients, general ledger accounts, legal files, and confidential reports. viii. All personal data that is not required solely for identification. This includes information regarding an individual's:
AI Justification
The chunk discusses various types of personal and sensitive information, which aligns with the need for accounting of disclosures to ensure compliance with privacy regulations.

Document Content
Matched Section
Section: Data retention policies are driven by legal and regulatory requirements.
Content: Data retention policies are driven by legal and regulatory requirements. The Data Owner should ensure that data is retained as it pertains to Global, Federal, State and Local statutes and regulations and/or requirements.
AI Justification
The text discusses the establishment of data retention policies driven by legal and regulatory requirements, which aligns with the responsibilities of a Data Governance Body to manage data effectively and ensure compliance with applicable laws.

Document Content
Matched Section
Section: Approving access to the data in accordance with Access control policy.
Content: Approving access to the data in accordance with Access control policy.
AI Justification
The responsibilities of the Data Owner include approving access to data in accordance with the Access Control Policy, which is directly related to managing access to sensitive information.

Document Content
Matched Section
Section: Handling of personal information and data classified as production.
Content: Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number. All data classified as production, including all customer information when used in system testing or development environments.
AI Justification
The chunk discusses the handling of personal information, including Social Security Numbers and other sensitive data, which aligns with the need to consult with privacy officials and use placeholder data to mitigate risks.

Document Content
Matched Section
Section: Personnel security policy and procedures for the controls in the PS family
Content: Control: PS-1: Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development.
AI Justification
The text discusses the importance of personnel security policies and procedures, their development, and the collaboration between security and privacy programs, which aligns with the control's focus.

Document Content
Matched Section
Section: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance.
Content: Control: PS-2: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position.
AI Justification
The text discusses the importance of position risk designations and their alignment with OPM policy, which is directly related to the control PS-2.

Document Content
Matched Section
Section: Applicability
Content: This policy is applicable to all Lazard employees, contractors, consultants, temporary contingency workers, and other employees at Lazard, including all personnel affiliated with third parties who access, process, or store the organization's data.
AI Justification
The chunk discusses the applicability of security controls to contractors and third-party personnel, which aligns with the requirements for managing external providers.

Document Content
Matched Section
Section: ENFORCEMENT Non-Compliance
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The section discusses disciplinary actions for users who violate policies, which aligns with the concept of organizational sanctions.

Document Content
Matched Section
Section: Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
Content: ii. Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
AI Justification
The chunk discusses various types of personal information and data that may be processed, which aligns with the control's focus on the operations involving personally identifiable information across its life cycle.

Document Content
Matched Section
Section: Internal and external audit reports.
Content: iv. Internal and external audit reports.
AI Justification
The mention of internal and external audit reports and regulatory agency reports indicates the processing of sensitive information, which is relevant to the control.

Document Content
Matched Section
Section: All personal data that is not required solely for identification.
Content: viii. All personal data that is not required solely for identification. This includes information regarding an individual's:
AI Justification
The reference to personal data that is not required solely for identification aligns with the control's emphasis on the processing of personally identifiable information.

Document Content
Matched Section
Section: Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
Content: ii. Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
AI Justification
The chunk discusses various categories of personal information, including Social Security Numbers and other sensitive data, which aligns with the need for protections as outlined in PT-7.

Document Content
Matched Section
Section: 1.0 PURPOSE
Content: To achieve effective Information Security, it is essential to classify information so that appropriate security and control measures are applied. For instance, it is as important not to surround trivial information with excessive security, as it is to pay keen attention to the most sensitive matters. Classification of data is also necessary to facilitate compliance with governmental regulations.
AI Justification
The text discusses the importance of classifying information to apply appropriate security measures, which aligns with the concept of security categorization and its impact on organizational operations and assets.

Document Content
Matched Section
Section: Risk Assessment | Risk Categorization
Content: Risk Assessment | Risk Categorization
AI Justification
The text discusses the importance of risk assessments in considering various factors such as threats, vulnerabilities, and impacts on organizational operations, which aligns with the control's focus on comprehensive risk assessment.

Document Content
Matched Section
Section: Risk Assessment | Risk Categorization
Content: Risk Assessment | Risk Categorization
AI Justification
The text mentions that risk assessments can be conducted at various stages in the system development life cycle, which aligns with the control's requirement for ongoing risk assessments.

Document Content
Matched Section
Section: Risk Assessment | Risk Categorization
Content: Risk Assessment | Risk Categorization
AI Justification
The text highlights the role of risk assessments in control selection processes, which aligns with the control's focus on assessing risks related to controls.

Document Content
Matched Section
Section: A.14.1.3 Protecting Application Services Transactions
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring, including the categorization of information and systems, and the processes involved in identifying and addressing vulnerabilities.

Document Content
Matched Section
Section: A.14.1.3 Protecting Application Services Transactions
Content: Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components.
AI Justification
The text emphasizes the need for continuous monitoring of vulnerabilities and the use of various tools to ensure system integrity.

Document Content
Matched Section
Section: A.14.1.3 Protecting Application Services Transactions
Content: Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large.
AI Justification
The text mentions the importance of monitoring for vulnerabilities and the processes for receiving reports of security vulnerabilities.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the organization's policy on exceptions and the process for managing risks associated with those exceptions, which aligns with the control's focus on risk response options.

Document Content
Matched Section
Section: 1.12 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures in the context of system and services acquisition, including the need for approval for exceptions and the role of InfoSec.

Document Content
Matched Section
Section: Protecting Application Services Transactions
Content: Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction.
AI Justification
The chunk discusses the importance of configuration management activities conducted by developers and the need to protect configuration items from unauthorized changes.

Document Content
Matched Section
Section: Protecting Application Services Transactions
Content: Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes.
AI Justification
The text discusses the importance of developmental testing and evaluation to ensure that security and privacy controls are correctly implemented and effective, which aligns with the requirements of control SA-11.

Document Content
Matched Section
Section: System & Services Acquisition | Developer Security & Privacy
Content: System & Services Acquisition | Developer Security & Privacy
AI Justification
The chunk discusses various aspects of system acquisition and development, which aligns with the need for maintaining the integrity of development tools and processes.

Document Content
Matched Section
Section: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2.
Content: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms.
AI Justification
The text discusses the derivation of security and privacy requirements and the importance of documentation in the system development life cycle, which aligns with the control's focus on functional requirements.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The mention of access control policies and procedures aligns with the control's focus on establishing access control policies.

Document Content
Matched Section
Section: Teleworking
Content: Teleworking
AI Justification
The mention of teleworking and remote access aligns with the control's focus on access control mechanisms for remote connections.

Document Content
Matched Section
Section: Access Control | Access Control for Mobile Devices
Content: Access Control | Access Control for Mobile Devices
AI Justification
The mention of mobile device policies aligns with the control's focus on access control for mobile devices.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The mention of external systems aligns with the control's focus on managing access to external systems.

Document Content
Matched Section
Section: Mobile Device Policy, Teleworking, Security of Kit and Assets off Premises, Network Controls, Information Transfer Policies & Procedures
Content: Control: SC-1: System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures.
AI Justification
The text discusses the importance of system and communications protection policies and procedures, which aligns with SC-1.

Document Content
Matched Section
Section: Mobile Device Policy, Teleworking, Security of Kit and Assets off Premises, Network Controls, Information Transfer Policies & Procedures
Content: Control: AC-1: Access Control | Policy & Procedures
AI Justification
The mention of policies and procedures in the context of access control aligns with AC-1.

Document Content
Matched Section
Section: Cryptographic Key Management and Establishment
Content: A cryptographic key is the core part of cryptographic operations. Many cryptographic systems include pairs of operations, such as encryption and decryption. A key is a part of the variable data that is provided as input to a cryptographic algorithm to execute this sort of
AI Justification
The text discusses the importance of digital certificates and cryptographic keys, which are essential components of cryptographic key management.

Document Content
Matched Section
Section: Cryptographic Protection and Digital Certificates
Content: A digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real. A cryptographic key is the core part of cryptographic operations.
AI Justification
The chunk discusses the use of digital certificates and cryptographic keys, which are essential components of cryptographic operations, aligning with the control's focus on cryptography for security solutions.

Document Content
Matched Section
Section: Shareholders' personal information and all data classified as production.
Content: Shareholders' personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number. All data classified as production, including all customer information when used in system testing or development environments.
AI Justification
The chunk discusses various types of personal and sensitive information, which aligns with the control's focus on security and privacy attributes associated with information.

Document Content
Matched Section
Section: Discussion on digital certificates and their verification
Content: A digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real.
AI Justification
The chunk discusses digital certificates, their components, and their verification process, which aligns with the description of PKI certificates.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
Content: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
AI Justification
The chunk discusses authoritative source information for name and address resolution, which aligns with the control's focus on providing assurances for network address resolution.

Document Content
Matched Section
Section: System & Communications Protection | Session Authenticity
Content: System & Communications Protection | Session Authenticity
AI Justification
The mention of session authenticity in the chunk aligns with ensuring the integrity of communications, which is a key aspect of this control.

Document Content
Matched Section
Section: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source)
Content: System & Communications Protection | Secure Name/Address Resolution Service (Authoritative Source) System & Communications Protection | Secure Name/Address Resolution Service (Recursive or Caching Resolver)
AI Justification
The chunk discusses secure name/address resolution services and the validation mechanisms for DNS, which aligns with SC-21's focus on validation of name resolution services.

Document Content
Matched Section
Section: System & Communications Protection| Secure Name/address Resolution Service (authoritative Source)
Content: Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server.
AI Justification
The text discusses the implementation of DNS servers, including redundancy and role separation, which aligns with the requirements of SC-22.

Document Content
Matched Section
Section: Information at rest refers to the state of information when it is not in process or in transit and is located on system components.
Content: A digital certificate provides identifying information, is forgery resistant, and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is real.
AI Justification
The text describes digital certificates and the CA signature that lets a recipient verify them, which is a cryptographic mechanism. The chunk itself does not discuss information at rest; the match to this control rests on the section heading rather than on the chunk's content.

Document Content
Matched Section
Section: Control: SC-3
Content: Control: SC-3: Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains.
AI Justification
The chunk discusses the importance of isolating security functions from nonsecurity functions, which aligns directly with the control SC-3.

Document Content
Matched Section
Section: Control: SC-3
Content: Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities.
AI Justification
The mention of access control mechanisms and least privilege capabilities aligns with the need for access enforcement as described in AC-3.

Document Content
Matched Section
Section: Data Loss Prevention Mechanism
Content: A data loss prevention (DLP) mechanism should be implemented. This mechanism helps prevent sensitive information from being leaked. It can do this by monitoring and blocking certain types of data from being sent out.
AI Justification
The DLP mechanism in the chunk monitors outbound data and blocks sensitive information from being sent out. Note that this control (SC-4) concerns unauthorized transfer through shared system resources, such as memory or storage reused between processes, which DLP does not address; an exfiltration-focused control is the closer fit.

Document Content
Matched Section
Section: Data Protection, Access Control Management, Network Infrastructure Management
Content: Data Protection Access Control Management Network Infrastructure Management Network Monitoring & Defense
AI Justification
The chunk lists four CIS control areas (Data Protection, Access Control Management, Network Infrastructure Management, Network Monitoring & Defense); none of them mentions wireless links. SC-40 addresses protection of wireless communication links, so this match is supported only at the level of general network protection, not by the chunk's text.

Document Content
Matched Section
Section: Access Control | Remote Access
Content: Access Control | Remote Access
AI Justification
The control AC-17 relates to the management of remote access, which can include wireless access points that need protection as per SC-40.

Document Content
Matched Section
Section: Access Control | Wireless Access
Content: Access Control | Wireless Access
AI Justification
The control AC-18 directly addresses wireless access, which is relevant to the protection of wireless links as described in SC-40.

Document Content
Matched Section
Section: Mobile Device Policy
Content: Mobile Device Policy Teleworking Security of Kit and Assets off Premises Network Controls Information Transfer Policies & Procedures
AI Justification
The control emphasizes the importance of applying usage restrictions to all system components, which aligns with the mention of mobile devices and network controls in the chunk.

Document Content
Matched Section
Section: Mobile Device Policy
Content: Mobile Device Policy Teleworking Security of Kit and Assets off Premises Network Controls Information Transfer Policies & Procedures
AI Justification
This control is relevant as it pertains to the access control measures specifically for mobile devices, which are mentioned in the chunk.

Document Content
Matched Section
Section: Network Infrastructure Management
Content: Network Infrastructure Management
AI Justification
The chunk names only the CIS control area Network Infrastructure Management; it does not itself discuss denial-of-service events. SC-5 (denial-of-service protection) is a plausible concern of network infrastructure management, but the match is inferred from the heading, not from the chunk's text.

Document Content
Matched Section
Section: Network Infrastructure Management
Content: Network Infrastructure Management
AI Justification
The chunk names only Network Infrastructure Management and does not mention boundary protection devices or packet filtering; the match to SC-7 (boundary protection) is inferred from the heading, not from the chunk's text.

Document Content
Matched Section
Section: Network Controls
Content: Control: SC-7: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture.
AI Justification
The text discusses managed interfaces and boundary protection measures, which align with the SC-7 control description.

Document Content
Matched Section
Section: Network Controls
Content: Control: SC-15: System & Communications Protection | Collaborative Computing
AI Justification
The chunk describes managed interfaces for boundary protection (SC-7); it does not mention collaborative computing devices such as cameras or microphones, which is what SC-15 covers. This match is not supported by the chunk's text.

Document Content
Matched Section
Section: System & Communications Protection | Protecting the confidentiality and integrity of transmitted information
Content: Control: SC-8: Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.
AI Justification
The text discusses protecting the confidentiality and integrity of transmitted information, which aligns directly with SC-8.

Document Content
Matched Section
Section: 1.12 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee.
AI Justification
The text describes the policy exception process (advance approval by InfoSec, director-level and CISO sign-off, submission through the ServiceNow portal), which corresponds to the policy-and-procedures element of this control family; the chunk does not itself address system and information integrity.

Document Content
Matched Section
Section: Data Owners are ultimately responsible for the integrity of data resident within their applications.
Content: Data Owners should receive training concerning methods for verifying the integrity of data stored and/or processed by their applications. Additionally, the Data Owners are responsible for the following.
AI Justification
The text assigns Data Owners responsibility for verifying the integrity of data stored and processed by their applications. The chunk does not itself enumerate specific checks (data type, range or format checks), so the alignment with the control's focus on validating system inputs is at the level of responsibility, not implementation.

Document Content
Matched Section
Section: Data retention policies are driven by legal and regulatory requirements.
Content: Data retention policies are driven by legal and regulatory requirements. The Data Owner should ensure that data is retained as it pertains to Global, Federal, State and Local statutes and regulations and/or requirements.
AI Justification
The text discusses data retention policies driven by legal and regulatory requirements, which aligns with the information management and retention requirements outlined in SI-12.

Document Content
Matched Section
Section: Data Protection
Content: Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks.
AI Justification
The text discusses the implementation of non-persistent components and services to mitigate risks from advanced persistent threats, aligning directly with the intent of control SI-14.

Document Content
Matched Section
Section: System and Communications Protection
Content: Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent).
AI Justification
The chunk describes implementing non-persistent services through virtualization, as virtual machines or freshly instantiated processes (the SI-14 non-persistence concept). It does not mention secure configurations or the confidentiality and integrity of communications, so the match to a system and communications protection control is weak.

Document Content
Matched Section
Section: d) A data loss prevention (DLP) mechanism should be implemented.
Content: A data loss prevention (DLP) mechanism should be implemented. This mechanism helps prevent sensitive information from being leaked. It can do this by monitoring and blocking certain types of data from being sent out.
AI Justification
The text discusses the implementation of a data loss prevention mechanism to monitor and block sensitive information from being leaked, which aligns with the control's focus on protecting organizational information from exfiltration.
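An added example of the DLP monitoring-and-blocking mechanism described in this match and in the earlier DLP match in this document; it is not code from the report or from the policy. It scans an outbound message for the data this document classifies as sensitive (Social Security Numbers and bank account numbers), applies the SSA structural validity rules to cut false positives, decides whether to block the message, and masks the findings for the audit log. The regular expressions, the "account"-label heuristic for bank account numbers, and the sample message are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding is one piece of sensitive data located in an outbound message.
type Finding struct {
	Kind   string // "SSN" or "BankAccount"
	Match  string // the matched text, as it appeared
	Offset int    // byte offset into the message
}

var (
	// SSN: three groups optionally separated by '-' or ' '. Nine bare digits
	// also match, which is a known false-positive source (invoice numbers etc.).
	ssnRe = regexp.MustCompile(`\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b`)
	// Bank account numbers carry no checksum, so this assumed rule requires an
	// "account"/"acct" label before an 8-17 digit run instead of bare digits.
	acctRe = regexp.MustCompile(`(?i)\b(?:account|acct)\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{8,17})\b`)
)

// validSSN applies the SSA structural rules: areas 000, 666 and 900-999 are
// never issued, and group 00 or serial 0000 is invalid.
func validSSN(area, group, serial string) bool {
	a, _ := strconv.Atoi(area)
	if a == 0 || a == 666 || a >= 900 {
		return false
	}
	return group != "00" && serial != "0000"
}

// ScanOutbound returns every sensitive item found in text, ordered by offset.
func ScanOutbound(text string) []Finding {
	var out []Finding
	for _, m := range ssnRe.FindAllStringSubmatchIndex(text, -1) {
		if validSSN(text[m[2]:m[3]], text[m[4]:m[5]], text[m[6]:m[7]]) {
			out = append(out, Finding{"SSN", text[m[0]:m[1]], m[0]})
		}
	}
	for _, m := range acctRe.FindAllStringSubmatchIndex(text, -1) {
		out = append(out, Finding{"BankAccount", text[m[2]:m[3]], m[2]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

// Decision is the DLP verdict for one message.
type Decision struct {
	Block  bool
	Reason string
}

// Decide blocks the message if anything was found and says what was found.
func Decide(findings []Finding) Decision {
	if len(findings) == 0 {
		return Decision{Block: false, Reason: "no sensitive data detected"}
	}
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Kind]++
	}
	var parts []string
	for _, k := range []string{"SSN", "BankAccount"} { // fixed order for stable output
		if n := counts[k]; n > 0 {
			parts = append(parts, fmt.Sprintf("%s x%d", k, n))
		}
	}
	return Decision{Block: true, Reason: "blocked: " + strings.Join(parts, ", ")}
}

// mask keeps the last four characters and replaces earlier digits with '*',
// so the audit log shows enough to investigate without re-leaking the value.
func mask(s string) string {
	b := []byte(s)
	for i := 0; i < len(b)-4; i++ {
		if b[i] >= '0' && b[i] <= '9' {
			b[i] = '*'
		}
	}
	return string(b)
}

// Redact returns text with every finding masked, for the audit record.
func Redact(text string, findings []Finding) string {
	for _, f := range findings {
		text = strings.ReplaceAll(text, f.Match, mask(f.Match))
	}
	return text
}

func main() {
	// Constructed sample message; the identifiers are made up.
	msg := "Please wire the funds. Client SSN 123-45-6789, account number: 0012345678."
	findings := ScanOutbound(msg)
	fmt.Println(Decide(findings).Reason)
	fmt.Println(Redact(msg, findings))
}
```

Two design points matter in practice: the structural SSN rules drop values that can never be valid (and so drop a class of false positives before anyone is paged), and the redacted copy, not the original message, is what goes into the DLP alert, so the alert channel does not become a second leak.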

Document Content
Matched Section
Section: Data retention policies
Content: Data retention policies are driven by legal and regulatory requirements. The Data Owner should ensure that data is retained as it pertains to Global, Federal, State and Local statutes and regulations and/or requirements.
AI Justification
The text discusses data retention policies and the importance of adhering to legal and regulatory requirements, which aligns with the need to retain information only as long as necessary.

Document Content
Matched Section
Section: Data Owners are ultimately responsible for the integrity of data resident within their applications.
Content: Data Owners should receive training concerning methods for verifying the integrity of data stored and/or processed by their applications.
AI Justification
The text discusses the integrity of data and the importance of verifying data accuracy, which aligns with the need to protect against corruption and ensure reliable information sources.

Document Content
Matched Section
Section: Shareholders personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
Content: ii. Shareholders personal information such as Social Security Number (SSN), Date of Birth, and Bank Account Number.
AI Justification
The chunk discusses the handling of personal information, including Social Security Numbers and other sensitive data, which aligns with the need for quality operations to ensure the accuracy and relevance of personally identifiable information.

Document Content
Matched Section
Section: All data classified as production, including all customer information when used in system testing or development environments.
Content: iii. All data classified as production, including all customer information when used in system testing or development environments.
AI Justification
The mention of customer information in production environments indicates the need for measures to validate and protect the quality of personally identifiable information.

Document Content
Matched Section
Section: Internal and external audit reports.
Content: iv. Internal and external audit reports.
AI Justification
Internal and external audit reports are listed as a confidential data category; the chunk does not mention personally identifiable information, so its relevance to PII quality is indirect at best.

Document Content
Matched Section
Section: Regulatory agency reports, unless specified by the regulatory agency as public data.
Content: v. Regulatory agency reports, unless specified by the regulatory agency as public data.
AI Justification
Regulatory agency reports may contain personally identifiable information that requires validation and protection.

Document Content
Matched Section
Section: Reports produced by Information Security Data (e.g., vulnerability scan / penetration test report) that the Data Owner determines has potential for providing competitive advantage.
Content: vi. Reports produced by Information Security Data (e.g., vulnerability scan / penetration test report) that the Data Owner determines has potential for providing competitive advantage.
AI Justification
Reports produced by Information Security Data may include sensitive information that needs to be validated and protected.

Document Content
Matched Section
Section: Data such as balance sheet and profit and loss figures, Lazard-owned holdings, country exposure, total exposure of major clients, general ledger accounts, legal files, and confidential reports.
Content: vii. Data such as balance sheet and profit and loss figures, Lazard-owned holdings, country exposure, total exposure of major clients, general ledger accounts, legal files, and confidential reports.
AI Justification
Balance sheet and profit and loss figures, holdings, exposures, general ledger accounts, legal files and confidential reports are confidential business data, not personally identifiable information; the chunk does not support a match to a PII quality control.

Document Content
Matched Section
Section: All personal data that is not required solely for identification. This includes information regarding an individual's:
Content: viii. All personal data that is not required solely for identification. This includes information regarding an individual's:
AI Justification
The reference to personal data that is not solely for identification suggests a need for quality operations to manage and validate such information.

Document Content
Matched Section
Section: Data Owners Responsibility for Data Integrity
Content: Data Owners are ultimately responsible for the integrity of data resident within their applications. Data Owners should receive training concerning methods for verifying the integrity of data stored and/or processed by their applications.
AI Justification
The text discusses the responsibility of Data Owners for the integrity of data within their applications and mentions methods for verifying data integrity, which aligns with the control's focus on unauthorized changes and integrity-checking mechanisms.

Document Content
Matched Section
Section: Handling of Assets
Content: Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code.
AI Justification
The mention of anti-counterfeiting policies and procedures aligns with the need for managing risks associated with the supply chain, particularly in the context of counterfeit components.

Document Content
Matched Section
Section: Secure Disposal or Re-Use of Equipment
Content: Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code.
AI Justification
The chunk is about anti-counterfeiting policies for components; it does not discuss disposal of equipment or media sanitization, so the match to media sanitization rests on the section heading, not on the chunk's text.

Document Content
Matched Section
Section: Disposal of Media
Content: Control: SR-12: Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components.
AI Justification
The text discusses the disposal of data, documentation, and system components at any time during the system development life cycle, which aligns with the control's focus on proper disposal methods.

Document Content
Matched Section
Section: Media Protection | Media Sanitization
Content: Control: SR-12: Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle).
AI Justification
The control aligns with the need for proper sanitization and disposal methods mentioned in the text to prevent sensitive information from being compromised.
5.0_IS_Human_Resource_Security_Policy_1.pdf NIST
91 matches found

Document Content
Matched Section
Section: Access Control Policy
Content: Control: AC-1: Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures.
AI Justification
The text discusses the importance of access control policies and procedures, their development, and the factors influencing them, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: 1.9 LEAVING LAZARD
Content: Access privileges of employees should be removed from all systems upon termination. Application Security Administrators (System Administrators) are responsible for disabling IDs in their respective applications.
AI Justification
The text requires removing access privileges from all systems upon termination and makes Application Security Administrators responsible for disabling IDs. That is account disablement on personnel termination, not session termination (ending an active logon session); account management and personnel termination controls are the closer fit.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary. Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The text discusses the creation and management of user accounts, including the approval process for access and the roles involved in managing permissions.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC ("Lazard") and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The text is a document classification and non-disclosure notice restricting copying and disclosure of the policy outside Lazard. It does not address publicly accessible content; the alignment is with restricting access to nonpublic information generally.

Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy
AI Justification
The chunk discusses various aspects of access control, including policies and management of access rights, which aligns with the concept of access control decisions.

Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy
AI Justification
The chunk mentions 'Access Control Policy', which directly relates to the enforcement of access control policies as described in control AC-3.

Document Content
Matched Section
Section: Segregation of Duties
Content: Segregation of Duties
AI Justification
The chunk discusses segregation of duties, which aligns directly with the control's focus on dividing functions among different individuals to prevent abuse of privileges.

Document Content
Matched Section
Section: security responsibilities by employees under their supervision
Content: Ensure disabling of IDs in their respective applications following termination or change of access requirements.
AI Justification
The text requires disabling IDs in applications after termination or a change in access requirements. That is account management (timely removal of access), which supports least privilege but is not itself a least-privilege requirement.

Document Content
Matched Section
Section: Security Awareness Training Responsibilities
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The text makes managers responsible for ensuring employees under their supervision complete periodic Security Awareness Training refreshers, which aligns with the awareness and training requirements of the AT family, including AT-1.

Document Content
Matched Section
Section: 1.7 INFORMATION SECURITY EDUCATION & TRAINING
Content: Periodic Information Security Training will be provided to employees and a recording of these sessions will be maintained. Training materials are prepared by Information Security Management. Specialized Information Security Training should be carried out periodically for employees performing security duties as part of their job requirements. Based on roles and responsibilities, training should include, but is not limited to, Information Security Procedures, Proper Use of Information Security Resources and Current Threats to Information Systems. At a minimum, the following topics should be covered in Information Security Awareness training for employees: Information Security Policies and Procedures, Password and User ID Practices.
AI Justification
The chunk discusses periodic information security training for employees, which aligns with the requirement for organizations to provide literacy training and awareness based on specific organizational requirements.

Document Content
Matched Section
Section: Security Awareness Training Responsibilities
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The text assigns managers responsibility for ensuring employees complete periodic security awareness refreshers. The chunk covers general awareness training; role-based training (AT-3) is addressed more directly by the specialized training for employees with security duties described in section 1.7.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable.
AI Justification
Reviewing and validating security roles and responsibilities in job descriptions is a role-definition activity; the chunk does not mention audit records, so the link to audit and accountability policy is weak.

Document Content
Matched Section
Section: Managers
Content: • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The text emphasizes the segregation of conflicting duties to minimize risks, which aligns with the separation of duties control.

Document Content
Matched Section
Section: Managers
Content: • Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur. A primary and an alternate should be assigned to all critical information security functions, and alternates should have the necessary expertise to perform those functions in the event the primary is not available.
AI Justification
The mention of assigning primary and alternate roles for critical functions relates to contingency planning.

Document Content
Matched Section
Section: Managers
Content: • Ensure that conflicting functions such as data entry, computer operations, network management business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The text requires that conflicting functions (data entry, computer operations, network management, system administration, system development, change management, security administration and security audit) not be carried out by the same person. That is separation of duties; it supports access enforcement only indirectly, through the role assignments that access controls then enforce.

Document Content
Matched Section
Section: Managers
Content: • Monitor security policy compliance, IT security compliance and performance of assigned.
AI Justification
Monitoring security policy compliance and IT security compliance is an oversight responsibility; the chunk does not mention audit logs, so it supports the review and analysis of audit records only indirectly.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC ("Lazard") and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The section discusses the confidentiality of the document and the restrictions on copying, using, or disclosing the information, which aligns with the control's focus on preventing unauthorized disclosure.

Document Content
Matched Section
Section: Managers
Content: • Monitor security policy compliance, IT security compliance and performance of assigned
AI Justification
The text discusses the importance of monitoring security roles and responsibilities, which aligns with the continuous monitoring aspect of CA-7.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable.
AI Justification
The text emphasizes the need to review and validate security roles and responsibilities, which aligns with the account management control.

Document Content
Matched Section
Section: Configuration Management Policy and Procedures
Content: Control: CM-1: Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of configuration management policies and procedures, including the need for collaboration between security and privacy programs, which aligns with the control's focus on establishing such policies.

Document Content
Matched Section
Section: Segregation of Duties
Content: • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The chunk discusses the segregation of conflicting duties and responsibilities to minimize risks, which aligns with the control's focus on ensuring that no individual has control over all aspects of a financial transaction.

Document Content
Matched Section
Section: Security Roles and Responsibilities
Content: • Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur.
AI Justification
The mention of depth of expertise and primary/alternate assignments is about staffing continuity for critical functions; it does not address training content, so the link to training and awareness is weak.

Document Content
Matched Section
Section: Applicability
Content: To reduce the risk of theft, fraud or inappropriate use of its information systems, anyone that is given access to Lazard’s information systems should: • Fully understand their responsibilities for ensuring the security of the information. • Only have access to the information they need. • Request that this access be removed as soon as it is no longer required.
AI Justification
The chunk states responsibilities for securing information, need-to-know access and timely removal of access; it concerns access control generally and does not mention personally identifiable information, so the match to PII lifecycle management is weak.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable.
AI Justification
Reviewing and validating security roles in job descriptions concerns role definition; the chunk does not describe impact analysis of changes, so this match is weak.

Document Content
Matched Section
Section: Applicability
Content: To reduce the risk of theft, fraud or inappropriate use of its information systems, anyone that is given access to Lazard’s information systems should: • Fully understand their responsibilities for ensuring the security of the information. • Only have access to the information they need. • Request that this access be removed as soon as it is no longer required.
AI Justification
The policy emphasizes that individuals should only have access to the information they need, which aligns with access enforcement principles.

Document Content
Matched Section
Section: Applicability
Content: To reduce the risk of theft, fraud or inappropriate use of its information systems, anyone that is given access to Lazard’s information systems should: • Fully understand their responsibilities for ensuring the security of the information. • Only have access to the information they need. • Request that this access be removed as soon as it is no longer required.
AI Justification
The text discusses the need for individuals to understand their responsibilities and the conditions under which they can access information systems, which relates to the control's focus on authorized access and changes.

Document Content
Matched Section
Section: Managers
Content: Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur. A primary and an alternate should be assigned to all critical information security functions, and alternates should have the necessary expertise to perform those functions in the event the primary is not available.
AI Justification
The chunk discusses the assignment of primary and alternate roles for critical information security functions, which aligns with the need for alternative mechanisms to ensure continuity of operations.

Document Content
Matched Section
Section: Managers
Content: • Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur. A primary and an alternate should be assigned to all critical information security functions, and alternates should have the necessary expertise to perform those functions in the event the primary is not available.
AI Justification
The text assigns primary and alternate personnel for critical information security functions. This is staffing continuity for contingency planning; it does not describe an alternate processing site or capability, so the match is indirect.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary.
AI Justification
The process of providing IDs and passwords to new hires involves validating and verifying their identity, which aligns with the identity proofing control.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary.
AI Justification
The text discusses the provision of IDs and passwords to new hires, which aligns with the identification and authentication requirements outlined in IA-2.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: Identification and authentication requirements for non-organizational users are described in IA-8.
AI Justification
The mention of identification and authentication requirements for non-organizational users aligns with IA-8.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary. Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The chunk discusses the management of IDs and passwords for new hires, which relates to the management of individual identifiers as mentioned in IA-4.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The chunk mentions the creation and administration of login IDs and permissions for employees, which aligns with account management activities.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary. Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The section discusses the provision of IDs and passwords to new hires, which aligns with the requirements for managing authenticators, including the creation and administration of login IDs and permissions.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary. Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager. For Key business applications, the application business owner should approve access to the application.
AI Justification
The section discusses the provision of IDs and passwords to new hires, which relates to the authentication of users accessing systems.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary.
AI Justification
The section discusses the provision of IDs and passwords to new hires, which aligns with the identification and authentication of users accessing systems.

Document Content
Matched Section
Section: 1.4 NEW HIRE IDS & PASSWORDS
Content: IDs and passwords are provided to new hires in order to access required systems as determined by the employee’s group. Hiring managers will review and approve applications and adjust as necessary. Network Administrators create network login IDs and administer network-level permissions granted to each employee for perimeter-level security. Application Security Administrators create application login IDs and administer permissions granted to each employee based upon instructions from the hiring manager.
AI Justification
The section discusses the provision of IDs and passwords to new hires, which aligns with the identification and authentication requirements outlined in control IA-9.

Document Content
Matched Section
Section: Incident Response | Incident Response Training
Content: Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources.
AI Justification
The chunk discusses the importance of incident response training tailored to different roles within the organization, which aligns directly with the requirements of control IR-2.

Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents.
AI Justification
The mention of role-based training for users, system administrators, and incident responders aligns with control AT-3, which emphasizes the need for training based on specific roles.

Document Content
Matched Section
Section: Incident Response | Incident Response Training
Content: Incident Response | Incident Response Training
AI Justification
The chunk discusses incident response training and resources, which aligns with the need for support resources in incident response.

Document Content
Matched Section
Section: Incident Response | Incident Response Training
Content: Incident Response | Incident Response Training
AI Justification
The mention of incident response training indicates alignment with the need for training in incident response capabilities.

Document Content
Matched Section
Section: 1.0 PURPOSE and 1.2 SCOPE & APPLICABILITY
Content: This IS Global Policies & Standards Document summarizes the policies and procedures in effect on the date of publication and is intended to serve as a guide for employees of Lazard. Employees are required to review the contents of this document, as it may answer questions about employment with Lazard and set forth some of your responsibilities as an employee.
AI Justification
The text discusses the importance of maintenance policies and procedures in ensuring security and privacy assurance, which aligns with the control's focus on maintenance policy and procedures.

Document Content
Matched Section
Section: Media protection policy and procedures
Content: Control: MP-1: Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of policies and procedures related to media protection, which aligns with the control's focus on establishing such policies and procedures within organizations.

Document Content
Matched Section
Section: Security Awareness Training responsibilities
Content: • Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The text emphasizes the need for employees to complete Security Awareness Training, which aligns with the requirement for organizations to provide security training to their personnel.

Document Content
Matched Section
Section: ID management responsibilities
Content: • Ensure disabling of IDs in their respective applications following termination or change of access requirements.
AI Justification
The text mentions the responsibility of disabling IDs following termination or change of access requirements, which aligns with account management practices.

Document Content
Matched Section
Section: 1.0 PURPOSE and 1.2 SCOPE & APPLICABILITY
Content: This IS Global Policies & Standards Document summarizes the policies and procedures in effect on the date of publication and is intended to serve as a guide for employees of Lazard. Employees are required to review the contents of this document, as it may answer questions about employment with Lazard and set forth some of your responsibilities as an employee. This IS Global Policies & Standards Document is not intended to be comprehensive or address all possible applications of, or exceptions to, the general policies and procedures that are described. The purpose of this policy is to ensure that appropriate Information Security measures are taken during the employee lifecycle. This policy is applicable to all Lazard employees. Third party consultants, contractors and vendors should be held accountable at the same level of security compliance as Lazard employees.
AI Justification
The text discusses the importance of policies and procedures in ensuring security and privacy, which aligns with the planning and implementation of controls as described in PL-1.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable.
AI Justification
The text discusses the importance of reviewing and validating security roles and responsibilities, which aligns with the concept of tailoring controls to fit organizational needs.

Document Content
Matched Section
Section: Managers
Content: • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The text emphasizes the segregation of conflicting duties to minimize risks, which aligns with the separation of duties principle.

Document Content
Matched Section
Section: Managers
Content: • Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur.
AI Justification
The text mentions ensuring depth of expertise in critical functions to prevent disruption, which relates to contingency planning.

Document Content
Matched Section
Section: Managers
Content: • Ensure that conflicting functions such as data entry, computer operations, network management, business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The text discusses ensuring that conflicting functions are not carried out by the same person, which relates to access enforcement.

Document Content
Matched Section
Section: Managers
Content: • Monitor security policy compliance, IT security compliance and performance of assigned.
AI Justification
The text mentions monitoring security policy compliance and performance, which aligns with audit review and analysis.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable.
AI Justification
The chunk discusses the need for reviewing and validating security roles and responsibilities, which aligns with the requirement to define protection needs and ensure appropriate controls are in place to mitigate risks.

Document Content
Matched Section
Section: Managers
Content: • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The mention of segregating conflicting duties to minimize risks aligns with the need to understand adverse impacts and implement necessary controls.

Document Content
Matched Section
Section: Managers
Content: • Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur.
AI Justification
Ensuring depth of expertise in critical functions relates to the organizational risk management strategy and the need to maintain operational integrity.

Document Content
Matched Section
Section: Managers
Content: • Ensure that conflicting functions such as data entry, computer operations, network management, business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The control of conflicting functions ensures that risks are managed effectively, which is a key aspect of defining protection needs.

Document Content
Matched Section
Section: Managers
Content: • Monitor security policy compliance, IT security compliance and performance of assigned.
AI Justification
Monitoring compliance with security policies is essential for maintaining the defined protection needs and ensuring that risks are managed.

Document Content
Matched Section
Section: Security responsibilities by employees under their supervision.
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The chunk discusses responsibilities related to security awareness training and ensuring that employees complete necessary training, which aligns with the development of workforce capabilities in security and privacy.

Document Content
Matched Section
Section: Security Awareness Training Responsibilities
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The text emphasizes the importance of security awareness training for employees and the coordination of training programs, which aligns with the need for organization-wide security and privacy training and monitoring.

Document Content
Matched Section
Section: Security responsibilities by employees under their supervision
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis. Ensure notification to HR of all new hires and resignations.
AI Justification
The text discusses the responsibilities of employees regarding security awareness training and the management of personnel changes, which aligns with the requirements of a personnel security policy.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable.
AI Justification
The text discusses the review and validation of security roles and responsibilities, which aligns with the need for proper position designation and the assessment of duties and responsibilities to minimize risks.

Document Content
Matched Section
Section: 1.9 LEAVING LAZARD
Content: Termination dates should be added to PeopleSoft to ensure correct and accurate termination notices are distributed. Access privileges of employees should be removed from all systems upon termination. Application Security Administrators (System Administrators) are responsible for disabling IDs in their respective applications. Refer to the Access Control Policy for additional details. Upon termination, managers should inspect any materials an employee wishes to remove from the premises. The IT Department should examine any computing or communications equipment issued to or used by terminated employees to ensure that all internal information is retrieved or destroyed from the device prior to reuse of the device or issuance to another employee. There should be an exception if an employee is replacing a terminated employee with identical responsibilities and access requirements.
AI Justification
The chunk discusses the process of managing access privileges and responsibilities during employee termination, which aligns with the control's focus on ensuring accountability and security constraints for terminated individuals.

Document Content
Matched Section
Section: LEAVING LAZARD
Content: Access privileges of employees should be removed from all systems upon termination. Application Security Administrators (System Administrators) are responsible for disabling IDs in their respective applications.
AI Justification
The section discusses the removal of access privileges and the responsibilities of administrators in managing access upon employee termination, which aligns with the actions required for personnel transfers.

Document Content
Matched Section
Section: 1.6 INFORMATION SECURITY AWARENESS
Content: Upon joining Lazard, employees should sign a confidentiality agreement.
AI Justification
The chunk mentions that employees should sign a confidentiality agreement, which aligns with the requirement for access agreements that include nondisclosure agreements.

Document Content
Matched Section
Section: 1.8 DISCIPLINARY PROCESS
Content: There should be a formal disciplinary process for employees who violate Lazard’s Information Security policies and procedures. Disciplinary action should be taken when there is appropriate evidence of a violation. The formal disciplinary process should provide for an appropriate management response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether it is a first or repeat offence, whether the violator was properly trained, relevant legislation, business contracts and other factors, as required. Disciplinary actions may include but are not limited to: loss of access privileges to information resources, termination of employment and/or other actions as may be deemed appropriate by HR and the Chief Information Security Officer.
AI Justification
The disciplinary process described aligns with the need for organizational sanctions that reflect applicable laws and policies, as well as the involvement of management in determining appropriate responses to violations.

Document Content
Matched Section
Section: Security responsibilities by employees under their supervision.
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The text discusses the responsibilities of employees and the importance of training, which aligns with the specification of security and privacy roles.

Document Content
Matched Section
Section: 1.0 PURPOSE and 1.2 SCOPE & APPLICABILITY
Content: This IS Global Policies & Standards Document summarizes the policies and procedures in effect on the date of publication and is intended to serve as a guide for employees of Lazard. Employees are required to review the contents of this document, as it may answer questions about employment with Lazard and set forth some of your responsibilities as an employee. This IS Global Policies & Standards Document is not intended to be comprehensive or address all possible applications of, or exceptions to, the general policies and procedures that are described. The purpose of this policy is to ensure that appropriate Information Security measures are taken during the employee lifecycle.
AI Justification
The text discusses the importance of policies and procedures related to personally identifiable information and emphasizes the need for collaboration between security and privacy programs.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable.
AI Justification
The text discusses the importance of reviewing and validating security roles and responsibilities, which aligns with the need for a risk assessment policy that addresses controls and responsibilities.

Document Content
Matched Section
Section: Managers
Content: • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The text emphasizes the segregation of conflicting duties to minimize risks, which is a core principle of the Separation of Duties control.

Document Content
Matched Section
Section: Managers
Content: • Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur.
AI Justification
The mention of ensuring depth of expertise in critical functions and assigning alternates aligns with the need for contingency planning.

Document Content
Matched Section
Section: Managers
Content: • Ensure that conflicting functions such as data entry, computer operations, network management, business system use, system administration, system development, change management, security administration, and security audit are not carried out by the same person.
AI Justification
The control regarding ensuring that conflicting functions are not carried out by the same person relates to enforcing access controls.

Document Content
Matched Section
Section: Managers
Content: • Monitor security policy compliance, IT security compliance and performance of assigned.
AI Justification
Monitoring security policy compliance and performance relates to the need for audit review and analysis.

Document Content
Matched Section
Section: Detailed explanation of why the exception is necessary and Detailed mitigation information, if available.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures. The procedures described in the beginning of this section should be completed within 5 business days of the approval of the emergency exception. If the CISO or his/her designee determines that emergency exceptions are being used inappropriately, they can revoke this privilege.
AI Justification
The chunk discusses the process of handling exceptions and the need for mitigation, which aligns with the risk response strategies outlined in RA-7.

Document Content
Matched Section
Section: Security Awareness Training Program responsibilities
Content: • Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The chunk discusses the importance of security awareness training for employees, which aligns with the need for training as outlined in SA-16.

Document Content
Matched Section
Section: Security responsibilities by employees under their supervision.
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The text discusses the importance of policies and procedures related to security and privacy, which aligns with the control's focus on establishing a system and communications protection policy.

Document Content
Matched Section
Section: Security responsibilities by employees under their supervision.
Content: Ensure employees under their supervision complete a Security Awareness Training refresher on a periodic basis.
AI Justification
The chunk emphasizes the need for Security Awareness Training for employees, which aligns with the control's focus on ensuring personnel are trained in security awareness.

Document Content
Matched Section
Section: Application Security Administrators (Systems Administrators)
Content: Ensure disabling of IDs in their respective applications following termination or change of access requirements.
AI Justification
The text mentions the disabling of IDs following termination or change of access requirements, which aligns with the control's focus on managing user accounts.

Document Content
Matched Section
Section: Managers
Content: • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The chunk discusses the segregation of conflicting duties and responsibilities in job descriptions, which aligns with the need for separation of user functions from system management functions as described in SC-2.

Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy
AI Justification
The control emphasizes the need for access control mechanisms to protect security functions, which aligns with the isolation of security functions from nonsecurity functions.

Document Content
Matched Section
Section: Management of Privileged Access Rights
Content: Management of Privileged Access Rights
AI Justification
This control relates to managing access rights, which is essential for maintaining the integrity of security functions and ensuring that only authorized personnel can access them.

Document Content
Matched Section
Section: Information Access Restriction
Content: Information Access Restriction
AI Justification
This control supports the concept of restricting access to security functions, which is a key aspect of maintaining an isolation boundary.

Document Content
Matched Section
Section: Applicability
Content: To reduce the risk of theft, fraud or inappropriate use of its information systems, anyone that is given access to Lazard’s information systems should: Fully understand their responsibilities for ensuring the security of the information. Only have access to the information they need. Request that this access be removed as soon as it is no longer required.
AI Justification
The text emphasizes the importance of controlling access to information systems and ensuring that users understand their responsibilities, which aligns with preventing unauthorized information transfer.

Document Content
Matched Section
Section: Managers
Content: Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur. A primary and an alternate should be assigned to all critical information security functions, and alternates should have the necessary expertise to perform those functions in the event the primary is not available.
AI Justification
The text discusses the importance of having primary and alternate personnel for critical functions, which aligns with the need for alternate communications paths to ensure continuity during incidents.

Document Content
Matched Section
Section: Access Control Policy
Content: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture.
AI Justification
The text discusses managed interfaces and boundary protection measures to secure organizational networks, which aligns with the SC-7 control.

Document Content
Matched Section
Section: Access Control Policy
Content: Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces.
AI Justification
The mention of restricting external web traffic and managing access aligns with the access control policies outlined in A.9.1.1.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable. • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The text discusses the importance of policies and procedures in managing system and information integrity, which aligns with the requirements of control SI-1.

Document Content
Matched Section
Section: Managers
Content: • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The text emphasizes the segregation of conflicting duties to minimize risks, which aligns with the requirements of control AC-5.

Document Content
Matched Section
Section: Managers
Content: • Ensure that there is enough depth of expertise in critical functions to prevent disruption if unexpected staff changes occur. A primary and an alternate should be assigned to all critical information security functions, and alternates should have the necessary expertise to perform those functions in the event the primary is not available.
AI Justification
The text mentions the need for depth of expertise and assigning alternates for critical functions, which aligns with the requirements of control CP-2.

Document Content
Matched Section
Section: Information management and retention requirements cover the full life cycle of information
Content: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information.
AI Justification
The text discusses the importance of managing and retaining information throughout its life cycle, which aligns with the requirements of SI-12.

Document Content
Matched Section
Section: 1.8 DISCIPLINARY PROCESS
Content: There should be a formal disciplinary process for employees who violate Lazard’s Information Security policies and procedures. Disciplinary action should be taken when there is appropriate evidence of a violation.
AI Justification
The section discusses the formal disciplinary process for employees who violate information security policies, which aligns with the need to protect organizational information from unauthorized access or exfiltration.

Document Content
Matched Section
Section: Applicability
Content: To reduce the risk of theft, fraud or inappropriate use of its information systems, anyone that is given access to Lazard’s information systems should: • Fully understand their responsibilities for ensuring the security of the information. • Only have access to the information they need. • Request that this access be removed as soon as it is no longer required.
AI Justification
The text discusses measures to reduce the risk of theft and inappropriate use of information systems, which aligns with the objective of preventing data exfiltration.

Document Content
Matched Section
Section: Managers
Content: • Review and validate security roles and responsibilities in job descriptions, if applicable. • Segregate conflicting duties and areas of responsibility to minimize the risk of theft, fraud, error, and unauthorized changes to information.
AI Justification
The text discusses the importance of validating roles and responsibilities to prevent unauthorized changes to information, which aligns with the integrity-checking mechanisms mentioned in SI-7.
7.1_IS_Asset_Management_Standard.pdf NIST
39 matches found

Document Content
Matched Section
Section: Policy Exceptions
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the access control policy, which aligns with the need for policies and procedures that address access control measures.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: c) All users should be authenticated prior to accessing the organization’s resources. Due diligence should be conducted; forgotten passwords should be reset, and devices should automatically lock after idle time.
AI Justification
The text discusses the need for devices to automatically lock after idle time, which aligns with the control's focus on preventing unauthorized access when users are away from their devices.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: Lazard should follow its mobile device security standards as outlined in the Lazard IS 7.2 End User Device Standard.
AI Justification
The text discusses mobile device security standards, authentication, and endpoint security management, which aligns with the requirements for controlling mobile devices as outlined in AC-19.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: All users should be authenticated prior to accessing the organization’s resources.
AI Justification
The mention of authentication prior to accessing organizational resources and the need for secure access aligns with the requirements for remote access controls.

Document Content
Matched Section
Section: Section 1.6 - EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance.
AI Justification
The text requires advance InfoSec approval for any exception to the policy, which aligns with access control policies that govern how deviations from required access restrictions are authorized.

Document Content
Matched Section
Section: Policy exception process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to policies, which aligns with the need for audit and accountability procedures in managing exceptions and risks.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the need for assessment and authorization procedures as outlined in CA-1.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the need for configuration management policies and procedures that address risk management strategies.

Document Content
Matched Section
Section: IT Asset Procurement
Content: This document establishes required data elements to be recorded and tracked during inventory of information technology (IT) assets and when these data elements are to be updated.
AI Justification
The document establishes required data elements to be recorded and tracked during inventory of IT assets, aligning with the need for effective accountability of system components as outlined in CM-8.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to policy, which aligns with the need for contingency planning and procedures to address risks.

Document Content
Matched Section
Section: 1.2 Endpoint Security Device Management
Content: c) All users should be authenticated prior to accessing the organization’s resources. Due diligence should be conducted; forgotten passwords should be reset, and devices should automatically lock after idle time.
AI Justification
The chunk discusses the need for user authentication prior to accessing organizational resources, which aligns with the re-authentication requirements outlined in IA-11.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: All users should be authenticated prior to accessing the organization’s resources. Due diligence should be conducted; forgotten passwords should be reset, and devices should automatically lock after idle time.
AI Justification
The text discusses the requirement for user authentication before accessing organizational resources, which aligns with the identification and authentication control.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: c) All users should be authenticated prior to accessing the organization’s resources. Due diligence should be conducted; forgotten passwords should be reset, and devices should automatically lock after idle time.
AI Justification
The chunk requires users to be authenticated before accessing resources and endpoints to lock after idle time, which the mapping aligns with IA-3 (device identification and authentication); note that the excerpt addresses user rather than device authentication.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: All users should be authenticated prior to accessing the organization’s resources. Due diligence should be conducted; forgotten passwords should be reset, and devices should automatically lock after idle time.
AI Justification
The text discusses the importance of authenticating users before they access organizational resources, which aligns with the requirements for managing authenticators.

Document Content
Matched Section
Section: Policy Exceptions Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the need for incident response policies and procedures that address security risks.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text describes the policy exception process, which the mapping aligns with the requirement for documented media protection policies and procedures; the excerpt itself does not refer to media protection specifically.

Document Content
Matched Section
Section: IT Asset (NEW) and other assets Retirement and Disposal
Content: Define an asset disposal procedure encompassing identification of assets, assessment of assets, approval, disposal methods, and reporting. Establish data security procedures to protect sensitive (classification internal, confidential, restricted) data when assets are planned to be retired.
AI Justification
The text discusses the need for asset disposal procedures and data security measures to protect sensitive data during asset retirement, which aligns with the requirements for media sanitization.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process that aligns with the need for policies and procedures addressing physical and environmental protection, particularly in exceptional cases where a lower protection level is deemed necessary.

Document Content
Matched Section
Section: Policy exception process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process, which aligns with the need for planning policies and procedures related to security and privacy assurance.

Document Content
Matched Section
Section: 1.6 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the ability of divisions and functions to define and implement stronger security requirements, which aligns with the concept of tailoring controls to meet specific needs.

Document Content
Matched Section
Section: Further, Users could be held individually liable for illegal activity which could also lead to criminal prosecution.
Content: Further, Users could be held individually liable for illegal activity which could also lead to criminal prosecution. Violation of these policies by anyone other than an employee performing services for Lazard, including anyone performing services pursuant to a contract, will be grounds for immediate termination.
AI Justification
The text discusses the consequences of violating policies and the importance of adherence to rules, which aligns with the concept of rules of behavior as outlined in PL-4.

Document Content
Matched Section
Section: Rules of behavior for organizational and non-organizational users can also be established in AC-8.
Content: Rules of behavior for organizational and non-organizational users can also be established in AC-8.
AI Justification
The mention of rules and policies that govern user behavior aligns with the need for system use notifications and agreements as described in AC-8.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses a policy exception process that aligns with the organization's risk management strategy, indicating a structured approach to managing security risks.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to security policies, which aligns with the need for established personnel security policies and procedures.

Document Content
Matched Section
Section: Section discussing user liability and policy violations
Content: Further, Users could be held individually liable for illegal activity which could also lead to criminal prosecution. Violation of these policies by anyone other than an employee performing services for Lazard, including anyone performing services pursuant to a contract, will be grounds for immediate termination. Lazard may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification
The text discusses individual liability for illegal activities and the consequences of violating policies, which aligns with the concept of organizational sanctions.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text describes the policy exception process for accepting a lower protection level, which the mapping aligns with the need for policies and procedures governing information security risk; the excerpt does not refer to personally identifiable information specifically.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process to address information security risks, which aligns with the need for risk assessment policies and procedures.

Document Content
Matched Section
Section: Policy exception process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the need for established procedures in system and services acquisition.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: Lazard should follow its mobile device security standards as outlined in the Lazard IS 7.2 End User Device Standard.
AI Justification
The text points to the Lazard IS 7.2 End User Device Standard as the governing standard for mobile device security, which the mapping aligns with the control's focus on applying security engineering principles to system development; the excerpt itself does not mention the system development life cycle.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: All users should be authenticated prior to accessing the organization’s resources.
AI Justification
The requirement for all users to be authenticated before accessing organizational resources aligns with the control's focus on user identification and authentication.

Document Content
Matched Section
Section: Endpoint Security Device Management
Content: Each organization-issued endpoint device should be fully secured before allowing a user to access it.
AI Justification
The requirement for each organization-issued endpoint device to be fully secured before allowing user access aligns with the control's focus on establishing and maintaining baseline configurations.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process which aligns with the need for policies and procedures that address system and communications protection.

Document Content
Matched Section
Section: IT Asset (NEW) and other assets Retirement and Disposal
Content: Establish data security procedures to protect sensitive (classification internal, confidential, restricted) data when assets are planned to be retired.
AI Justification
The chunk discusses the need for data security procedures to protect sensitive data during asset retirement and disposal, which aligns with the protection of information at rest.

Document Content
Matched Section
Section: Section 1.6 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance.
AI Justification
The text requires advance InfoSec approval for policy exceptions, which aligns with the concept of organizationally approved usage restrictions for system components.

Document Content
Matched Section
Section: 1.6 EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the ability for divisions and functions to implement stronger security requirements and mechanisms, which aligns with the concept of ensuring domain separation and policy enforcement.

Document Content
Matched Section
Section: 1.6 EXCEPTION
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the ability of divisions and functions to implement stronger security requirements and mechanisms, which aligns with the need for additional strength of mechanism for domain separation and policy enforcement.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process to address information security risks, which aligns with the need for policies and procedures regarding system and information integrity.

Document Content
Matched Section
Section: IT Asset (NEW) and other assets Retirement and Disposal
Content: Define an asset disposal procedure encompassing identification of assets, assessment of assets, approval, disposal methods, and reporting.
AI Justification
The chunk discusses the need for asset disposal procedures and data security procedures to protect sensitive data during asset retirement, which aligns with the control's focus on proper disposal methods throughout the system development life cycle.

Document Content
Matched Section
Section: IT Asset Procurement
Content: Lazard should establish supplier management plans like:
AI Justification
The text discusses the establishment of supplier management plans, which aligns with the need to manage supply chain risks and relationships with external providers.
8.0_IS_Access_Control_Identity_Management_Policy_1.pdf NIST
154 matches found

Document Content
Matched Section
Section: Access Control Policy and Procedures
Content: d. Segregate access control roles between access request, access authorization, and access administration. e. Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
AI Justification
The text discusses the importance of access control policies and procedures, including the segregation of access control roles and the prevention of unauthorized access, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: User Access Management
Content: i. Privileged users should understand their roles and responsibilities.
AI Justification
The mention of ensuring that privileged users understand their roles and responsibilities aligns with the need for account management controls.

Document Content
Matched Section
Section: Access Enforcement
Content: e. Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
AI Justification
The text emphasizes the need to prevent unauthorized access and implement information access controls, which is a key aspect of access enforcement.

Document Content
Matched Section
Section: Remote Access Security
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The mention of ensuring security controls while using mobile computing and remote access facilities aligns with the requirements for remote access controls.

Document Content
Matched Section
Section: Mobile Device Security
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The focus on security controls for mobile computing aligns with the need for access control specific to mobile devices.

Document Content
Matched Section
Section: Lazard should define, document, implement, and maintain policies to control access to their Information Resources.
Content: Lazard should define, document, implement, and maintain policies to control access to their Information Resources. Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access. It also includes the periodic review of information system access privileges.
AI Justification
The text discusses the need for defining, documenting, implementing, and maintaining policies to control access to information resources, which aligns with the principles of access control and the management of attributes associated with subjects and objects.

Document Content
Matched Section
Section: Wireless technologies and authentication protocols
Content: SSID is a case sensitive, 32 alphanumeric character unique identifier attached to the header of packets sent over a wireless local-area network (WLAN) that acts as a password when a mobile device tries to connect to the basic service set (BSS) -- a component of the IEEE 802.11 WLAN architecture.
AI Justification
The text describes the SSID as the unique identifier of a wireless network, which relates to the wireless authentication protocols and security measures covered by this control. Note that an SSID is broadcast in the clear and is not a secret or an authenticator; authentication on an 802.11 network is provided by WPA2/WPA3 (802.1X/EAP, PSK or SAE), not by the SSID.

Document Content
Matched Section
Section: v. All external connections to Lazard networks or Information Resources require strong two-factor authentication using Lazard approved method(s) over secure communications channels.
Content: v. All external connections to Lazard networks or Information Resources require strong two-factor authentication using Lazard approved method(s) over secure communications channels.
AI Justification
The text requires strong two-factor authentication over secure communications channels for all external connections, which aligns with the definition of remote access controls.

Document Content
Matched Section
Section: vii. Controls such as file access limitation, time limit for access and automatic expiration of third-party accounts on specific date are required.
Content: vii. Controls such as file access limitation, time limit for access and automatic expiration of third-party accounts on specific date are required.
AI Justification
The mention of access restrictions and controls for remote access aligns with the need for access enforcement.

Document Content
Matched Section
Section: 1.2.2 Access to Networks and Network Services
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The chunk discusses the need for security controls while using mobile computing and remote access facilities, which aligns with the definition and requirements outlined in AC-19 regarding the protection and control of mobile devices.

Document Content
Matched Section
Section: 1.2.2 Access to Networks and Network Services
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The mention of mobile computing and remote access facilities, with a requirement for security controls, aligns with AC-20 (use of external systems), which covers access from systems not under the organization's control, including personally owned devices.

Document Content
Matched Section
Section: Definition of User, Privileged User, User Account, Service Account, Privileged Account, Application Administration Account
Content: An individual who utilizes the Information Resources they are authorized to access. A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. User accounts, also known as human accounts, are defined as those that match the OpSysID field in employee HR records. Service accounts, also known as non-human accounts, are all other accounts that do not fit the description of a User Account.
AI Justification
The chunk discusses various types of user accounts, their definitions, and the management of these accounts, which aligns with the requirements of AC-2.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The scope statement extends the access control policy to all Lazard networks, information systems, company data, employees and contractors, which the mapping aligns with the principles of managing access to external systems.

Document Content
Matched Section
Section: Access Control
Content: Access to Information Resources should be controlled, based on the business and security requirements and in keeping with the asset’s classification in accordance to Lazard’s 8.0 IS Asset Management Policy. Access controls should be deployed on the principle of least privilege to protect the information from unauthorized access.
AI Justification
The text discusses access control principles that align with the restrictions on sharing information based on classification and need-to-know basis, which is a key aspect of AC-21.

Document Content
Matched Section
Section: 8.0 Access Control & Identity Management Policy
Content: The purpose of this policy is to provide requirements controlling access to Lazard information systems and assets for authorized Users (employees, contractors and suppliers).
AI Justification
The purpose statement establishes requirements for controlling access to Lazard systems and assets for authorized users, which the mapping aligns with AC-22's requirement to control what information is made publicly accessible; the excerpt itself does not address public access.

Document Content
Matched Section
Section: Segregate access control roles between access request, access authorization, and access administration.
Content: d. Segregate access control roles between access request, access authorization, and access administration.
AI Justification
The text discusses the segregation of access control roles and the prevention of unauthorized access, which aligns with the concept of access control decisions and enforcement.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text describes the policy's scope and its use alongside specific procedures to implement access controls, which the mapping aligns with AC-25 (reference monitor), the requirement that access control policies be enforced by a mechanism that is tamperproof, always invoked and small enough to analyze.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses policies to control access to information resources, which aligns with the concept of regulating information flow within a system based on roles and responsibilities.

Document Content
Matched Section
Section: Segregation of Duties
Content: Segregation of Duties
AI Justification
The matched section is the heading "Segregation of Duties", which aligns with the control's requirement to divide functions among different individuals to prevent abuse of privileges; the excerpt contains the heading only, with no body text.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: d. Segregate access control roles between access request, access authorization, and access administration.
AI Justification
The chunk discusses the segregation of access control roles and the prevention of unauthorized access, which aligns with the principles of access control policies.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: e. Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
AI Justification
The mention of preventing unauthorized access to information systems directly relates to access control policies.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
Ensuring security controls for mobile computing and remote access aligns with the enforcement of access control policies.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: g. Ensure that information access controls are implemented to meet applicable or relevant contractual, legal and regulatory requirements.
AI Justification
The implementation of information access controls to meet legal and regulatory requirements is a key aspect of access control policies.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: h. Should ensure that physical access to assets is managed and protected.
AI Justification
Managing and protecting physical access to assets relates to the broader access control policies.

Document Content
Matched Section
Section: Privileged (Application Administration) Account
Content: a. Administrative access to Lazard computing resources should only be used for official Lazard business. b. Use of administrative access should be consistent with an individual’s role or job responsibilities.
AI Justification
The text discusses the use of administrative access consistent with an individual's role and responsibilities, which aligns with the principle of least privilege.

Document Content
Matched Section
Section: Account Management
Content: The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection.
AI Justification
The text discusses the need to limit unsuccessful logon attempts and outlines actions to be taken when the maximum number of attempts is exceeded, which aligns directly with control AC-7.

Document Content
Matched Section
Section: Access Control | Concurrent Session Control
Content: Control: AT-2: Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents.
AI Justification
The text discusses the provision of literacy training and awareness for system users, which aligns with the requirements of AT-2.

Document Content
Matched Section
Section: Access Control | Concurrent Session Control
Content: Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
AI Justification
The content emphasizes the importance of ongoing security awareness and training, which aligns with PR.AT-2.

Document Content
Matched Section
Section: Access Control | Concurrent Session Control
Content: Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties.
AI Justification
The text discusses the importance of role-based training tailored to the responsibilities and security requirements of individuals, which aligns directly with control AT-3.

Document Content
Matched Section
Section: Audit and accountability policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures related to security and accountability, which aligns with the requirements of AU-1.

Document Content
Matched Section
Section: Role Responsibility
Content: ● Is responsible for reviewing the access rights for respective business systems post initiation by IT team. ● Is responsible for reporting suspicious activity and account compromise to the Information security team in a timely manner.
AI Justification
The responsibilities outlined include reviewing access rights and reporting suspicious activity, which aligns with the auditing and monitoring aspects of AU-6.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses the need for policies to control access to information resources based on roles, which aligns with the Access Control Policy.

Document Content
Matched Section
Section: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
Content: Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text mentions the management of access through authorizing, modifying, and revoking access, which aligns with account management practices.

Document Content
Matched Section
Section: i. Appropriate interfaces are created to segregate Lazard’s networks from the networks owned by other organizations and public networks.
Content: i. Appropriate interfaces are created to segregate Lazard’s networks from the networks owned by other organizations and public networks.
AI Justification
The chunk discusses the segregation and segmentation of networks, which aligns with the requirements for managing system information exchanges and ensuring network integrity.

Document Content
Matched Section
Section: iv. Control over User access to information services is enforced.
Content: iv. Control over User access to information services is enforced.
AI Justification
The chunk outlines the enforcement of user access controls and authorization processes, which aligns with access enforcement requirements.

Document Content
Matched Section
Section: vi. Authorization process is developed and implemented to ensure that only Users who are authorized may access the network segments and services.
Content: vi. Authorization process is developed and implemented to ensure that only Users who are authorized may access the network segments and services.
AI Justification
The chunk mentions the authorization process for user access, which is a key aspect of account management.

Document Content
Matched Section
Section: Scope & Applicability
Content: Lazard should define, document, implement, and maintain policies to control access to their Information Resources. Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
AI Justification
The text discusses the need for policies to control access to information resources, which aligns with the requirements for an access control policy.

Document Content
Matched Section
Section: Scope & Applicability
Content: Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text mentions the need for authorizing and modifying access, which aligns with the control regarding official management decisions to authorize operations.

Document Content
Matched Section
Section: Configuration Management Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of defining and implementing security requirements and mechanisms, which aligns with the need for configuration management policies and procedures.

Document Content
Matched Section
Section: Scope & Applicability
Content: Lazard should define, document, implement, and maintain policies to control access to their Information Resources. Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
AI Justification
The text discusses the need for policies to control access to information resources based on roles, which aligns with the Access Control Policy control.

Document Content
Matched Section
Section: Scope & Applicability
Content: Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text mentions the need for managing access through authorizing, modifying, and revoking access, which aligns with the Account Management control.

Document Content
Matched Section
Section: Scope & Applicability
Content: This policy assigns and describes roles and responsibilities for access needs by minimizing risks and maximizing the protection levels for Lazard’s Information Resources.
AI Justification
The text implies the enforcement of access controls based on roles and responsibilities, which aligns with the Access Enforcement control.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses the need to define, document, implement, and maintain policies to control access to information resources, which aligns with the requirements of an access control policy.

Document Content
Matched Section
Section: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text mentions controlling access based on roles and the management of access privileges, which aligns with account management practices.

Document Content
Matched Section
Section: 1.2.2 Access to Networks and Network Services
Content: a. Appropriate controls for User access to networks and network services should be deployed to ensure that:
AI Justification
The chunk discusses the segregation of access control roles and preventing unauthorized access, which aligns with the need for access enforcement.

Document Content
Matched Section
Section: h. Should ensure that physical access to assets is managed and protected.
Content: h. Should ensure that physical access to assets is managed and protected. Please see 10.0 Physical and Environmental Security Policy for more information.
AI Justification
The mention of managing and protecting physical access to assets aligns with the physical access control requirements.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The text discusses limiting component functionality and preventing unauthorized connections, which aligns with access enforcement principles.

Document Content
Matched Section
Section: Access Control | Account Management
Content: Access Control | Account Management
AI Justification
The mention of limiting services and functions to reduce risk aligns with the principle of separation of duties.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The text emphasizes the importance of limiting functionality to reduce risk, which is a core aspect of least privilege.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The discussion of disabling unnecessary ports and protocols relates to boundary protection measures.

Document Content
Matched Section
Section: Contingency Planning Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures in defining security requirements and the process for requesting exceptions, which aligns with the need for contingency planning policies.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses the need for policies to control access to information resources based on roles, which aligns with the requirements of an access control policy.

Document Content
Matched Section
Section: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text mentions controlling access through a managed process that includes authorizing, modifying, and revoking access, which aligns with account management practices.

Document Content
Matched Section
Section: Identification and Authentication Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures related to identification and authentication, aligning with the requirements of IA-1.

Document Content
Matched Section
Section: Account Management, Access Control Management, Audit Log Management, Network Monitoring & Defense, Service Provider Management
Content: Control: IA-10: Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior.
AI Justification
The text discusses the need for adaptive authentication mechanisms to enhance security against impersonation and suspicious behavior, which aligns directly with the control's focus on addressing threats to individual authentication mechanisms.

Document Content
Matched Section
Section: Account Management, User Registration & De-Registration
Content: Account Management, Access Control Management, Audit Log Management, Network Monitoring & Defense, Service Provider Management, User Registration & De-Registration
AI Justification
The chunk discusses user registration and identity management, which aligns with the identity proofing process described in IA-12.

Document Content
Matched Section
Section: iii. Appropriate authentication mechanisms are applied for Users of information systems.
Content: iii. Appropriate authentication mechanisms are applied for Users of information systems.
AI Justification
The chunk discusses appropriate authentication mechanisms for users of information systems, which aligns with the requirements for identification and authentication of users.

Document Content
Matched Section
Section: v. Users are provided access only to those services that they are specifically authorized to use.
Content: v. Users are provided access only to those services that they are specifically authorized to use.
AI Justification
The text mentions that access is granted only to authorized users, which relates to the control that addresses actions that can occur without individual authentication.

Document Content
Matched Section
Section: Identification & Authentication | Device Identification & Authentication
Content: Identification & Authentication | Device Identification & Authentication
AI Justification
The chunk discusses various aspects of device identification and authentication, which aligns directly with the requirements of IA-3.

Document Content
Matched Section
Section: Privileged User Accounts and Application Administration Accounts
Content: Privileged User Accounts are accounts that are created for use by individuals and are assigned privileges and rights beyond that of a standard user account as appropriate. Privileged User Accounts are made up of the user’s network account (OpSysID) with a usage indicator appended to the name (e.g., SmithJ_priv or SmithJ_adm).
AI Justification
The text discusses the management of user accounts and identifiers, which aligns with the control's focus on individual identifiers and their management.

Document Content
Matched Section
Section: Identification & Authentication | Authenticator Management
Content: Identification & Authentication | Authenticator Management
AI Justification
The chunk discusses various types of authenticators, their management, and the importance of protecting them, which aligns directly with the control's focus on authenticators.

Document Content
Matched Section
Section: Identification & Authentication | Authenticator Management
Content: Identification & Authentication | Authenticator Management
AI Justification
The text mentions safeguarding individual authenticators and the responsibilities of users, which aligns with the need for rules of behavior regarding the use of authenticators.

Document Content
Matched Section
Section: Identification & Authentication | Authenticator Management
Content: Identification & Authentication | Authenticator Management
AI Justification
The mention of protecting authenticators stored in organizational systems aligns with access enforcement controls.

Document Content
Matched Section
Section: Identification & Authentication | Cryptographic Module Authentication
Content: Identification & Authentication | Cryptographic Module Authentication
AI Justification
The chunk discusses various aspects of identification and authentication, including cryptographic module authentication, which aligns with the requirement for authentication mechanisms.

Document Content
Matched Section
Section: Account Management, Access Control Management
Content: Account Management, Access Control Management, Audit Log Management, Network Monitoring & Defense, Service Provider Management
AI Justification
The chunk discusses access control and management, which aligns with the identification and authentication of non-organizational users.

Document Content
Matched Section
Section: Maintenance policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for maintenance, including the need for collaboration between security and privacy programs, which aligns with the requirements of control MA-1.

Document Content
Matched Section
Section: Media protection policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for media protection, including the ability to define and implement security requirements based on risk management, which aligns with the control's focus on media protection policies.

Document Content
Matched Section
Section: Physical and Environmental Protection Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for physical and environmental protection, including the ability to define and implement security requirements based on risk assessments.

Document Content
Matched Section
Section: Physical Access Management
Content: h. Should ensure that physical access to assets is managed and protected.
AI Justification
The chunk discusses the need to manage and protect physical access to assets, which aligns with the enforcement of authorizations for entry and exit of system components.

Document Content
Matched Section
Section: h. Should ensure that physical access to assets is managed and protected.
Content: h. Should ensure that physical access to assets is managed and protected. Please see 10.0 Physical and Environmental Security Policy for more information.
AI Justification
The chunk discusses the management and protection of physical access to assets, which aligns with the requirements for physical access authorizations.

Document Content
Matched Section
Section: h. Should ensure that physical access to assets is managed and protected.
Content: h. Should ensure that physical access to assets is managed and protected. Please see 10.0 Physical and Environmental Security Policy for more information.
AI Justification
The chunk discusses the management and protection of physical access to assets, which aligns with the requirements of PE-3.

Document Content
Matched Section
Section: h. Should ensure that physical access to assets is managed and protected.
Content: h. Should ensure that physical access to assets is managed and protected. Please see 10.0 Physical and Environmental Security Policy for more information.
AI Justification
The text discusses managing and protecting physical access to assets, which aligns with controlling access to output devices.

Document Content
Matched Section
Section: Planning policy and procedures for the controls in the PL family
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for security controls, including the process for requesting exceptions to the policy, which aligns with the planning and procedural aspects of control PL-1.

Document Content
Matched Section
Section: Access Control Policy
Content: Lazard should define, document, implement, and maintain policies to control access to their Information Resources. Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
AI Justification
The text discusses the need for policies to control access to Information Resources, which aligns with the need for maintaining visitor access records as part of access control.

Document Content
Matched Section
Section: Access Control Policy
Content: Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The mention of authorizing, modifying, and revoking access aligns with account management practices.

Document Content
Matched Section
Section: Access Control Policy
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
AI Justification
The text implies the enforcement of access controls based on roles, which aligns with access enforcement requirements.

Document Content
Matched Section
Section: Access Control Policy
Content: This policy assigns and describes roles and responsibilities for access needs by minimizing risks and maximizing the protection levels for Lazard’s Information Resources.
AI Justification
The policy assigns roles and responsibilities, which is related to the separation of duties to minimize risks.

Document Content
Matched Section
Section: Access Control Policy
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
AI Justification
The text emphasizes limiting access to the minimum necessary, which aligns with the principle of least privilege.

Document Content
Matched Section
Section: Section 1.2.2 Access to Networks and Network Services
Content: a. Appropriate controls for User access to networks and network services should be deployed to ensure that:
AI Justification
The text discusses the importance of security and privacy plans in the context of access control and the implementation of security measures, which aligns with the requirements outlined in control PL-2.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: a. Appropriate controls for User access to networks and network services should be deployed to ensure that:
AI Justification
The text discusses the segregation of access control roles and the implementation of access controls to prevent unauthorized access, which aligns with the need for an access control policy.

Document Content
Matched Section
Section: Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
Content: e. Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
AI Justification
The mention of preventing unauthorized access to information systems and ensuring security controls are in place aligns with the need for access enforcement.

Document Content
Matched Section
Section: Ensure that the security controls are in place while using mobile computing and remote access facilities.
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The requirement to ensure security controls while using mobile computing and remote access facilities aligns with the remote access control.

Document Content
Matched Section
Section: Ensure that the security controls are in place while using mobile computing and remote access facilities.
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The emphasis on security controls for mobile computing aligns with the need for access control specific to mobile devices.

Document Content
Matched Section
Section: Privileged users should understand their roles and responsibilities.
Content: i. Privileged users should understand their roles and responsibilities.
AI Justification
The mention of privileged users understanding their roles and responsibilities aligns with the principle of least privilege.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The section discusses the importance of tailoring access control policies and procedures to meet specific organizational needs, which aligns with the concept of access enforcement.

Document Content
Matched Section
Section: Access Control | Account Management
Content: Access Control | Account Management
AI Justification
The mention of account management and tailoring actions implies the need for separation of duties in access control, which is a key aspect of this control.

Document Content
Matched Section
Section: Access Control | Account Management
Content: Access Control | Account Management
AI Justification
The tailoring of controls to reflect specific organizational needs supports the principle of least privilege in access control.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The tailoring actions discussed can influence the permitted actions within access control frameworks.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The emphasis on security and privacy plans aligns with the need to define security and privacy attributes in access control.

Document Content
Matched Section
Section: Access Control Roles and Responsibilities
Content: d. Segregate access control roles between access request, access authorization, and access administration. e. Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems. f. Ensure that the security controls are in place while using mobile computing and remote access facilities. g. Ensure that information access controls are implemented to meet applicable or relevant contractual, legal and regulatory requirements. h. Should ensure that physical access to assets is managed and protected. Please see 10.0 Physical and Environmental Security Policy for more information. i. Privileged users should understand their roles and responsibilities.
AI Justification
The text discusses the segregation of access control roles and the responsibilities of privileged users, which aligns with the establishment of rules of behavior for users.

Document Content
Matched Section
Section: Access Control Management
Content: Access Control Management
AI Justification
The text discusses central management of controls and processes, which includes the management of access controls that can enforce information flow.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard should define, document, implement, and maintain policies to control access to their Information Resources. Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access. It also includes the periodic review of information system access privileges.
AI Justification
The text describes the need for a formal access control policy that governs how access to information resources is managed based on roles and responsibilities.

Document Content
Matched Section
Section: Role Responsibility
Content: ● Is responsible for reviewing the access rights for respective business systems post initiation by IT team. ● Is responsible for implementing access as per the request post validation of Information owner approval. ● Is responsible for maintaining the updated list of authorized Information owners. ● Is responsible for initiating periodic reviews of access rights with Information owners. ● Is responsible for changing and revoking access as per approved requests. ● Is responsible for granting or denying permissions for remote control software installations on the systems. ● Is responsible for the review and approval of wireless access points and modems. ● Is responsible for conducting risk assessment wherever required. ● Is responsible for ensuring security of access rights. ● Is responsible for reporting suspicious activity and account compromise to the Information security team in a timely manner.
AI Justification
The chunk outlines responsibilities related to access rights, validation, and periodic reviews, which align with the need for an organization-wide risk management process and authorization.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses the need for policies to control access to information resources, which aligns with the Access Control Policy control.

Document Content
Matched Section
Section: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text mentions controlling access based on roles and the need for periodic review of access privileges, which aligns with Account Management.

Document Content
Matched Section
Section: Access Control | Concurrent Session Control, System & Communications Protection | Boundary Protection, System & Communications Protection | Network Disconnect, System & Communications Protection | Secure Name/address Resolution Service (authoritative Source)
Content: Access Control | Concurrent Session Control, System & Communications Protection | Boundary Protection, System & Communications Protection | Network Disconnect, System & Communications Protection | Secure Name/address Resolution Service (authoritative Source)
AI Justification
The chunk discusses the importance of security and privacy training, monitoring, and testing, which aligns with the control's focus on organization-wide processes for these activities.

Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Awareness & Training | Role-based Training
AI Justification
The chunk mentions security and privacy training activities focused on individual systems and specific roles, which aligns with the need for role-based training.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses the need for defining, documenting, implementing, and maintaining policies to control access to information resources, which aligns with the requirements of an access control policy.

Document Content
Matched Section
Section: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text mentions controlling access based on roles and the periodic review of access privileges, which aligns with account management practices.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses the need for a defined access control policy that limits access based on roles and responsibilities, which aligns with the requirements of an access control policy.

Document Content
Matched Section
Section: Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
Content: Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The chunk mentions the management of access privileges, including authorizing, modifying, and revoking access, which aligns with account management controls.

Document Content
Matched Section
Section: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
AI Justification
The text indicates that access should be limited to the minimum necessary to perform job functions, which is a key aspect of access enforcement.

Document Content
Matched Section
Section: Protection Strategies and Policy Exceptions
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the implementation of security requirements based on the prioritization of assets and the ability to define stronger or lower protection levels based on risk, which aligns with the concept of protection strategies.

Document Content
Matched Section
Section: Personnel security policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for security, including the ability to define stronger or lower protection levels based on risk, which aligns with the requirements of personnel security policies.

Document Content
Matched Section
Section: Personnel Security | Position Risk Designation
Content: Control: PS-2: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position.
AI Justification
The text discusses the importance of position risk designations and their alignment with OPM policy, which is directly related to the control PS-2.

Document Content
Matched Section
Section: Service Account: Upon termination of the service account owner
Content: The service account ownership should be transferred to a current employee within two weeks. If the service account is no longer required, it should be locked immediately and deleted within two weeks of the owner’s termination.
AI Justification
The section discusses the transfer of service account ownership upon termination of the service account owner, which aligns with the requirements for personnel transfers.

Document Content
Matched Section
Section: User accounts management upon employment status changes
Content: User accounts, including privileged user accounts, entitlements (roles, rights and privileges) should be reviewed immediately upon any significant change to the user’s employment status.
AI Justification
The chunk discusses the immediate review and locking of user accounts upon employment status changes, which aligns with the management of system-related property and accountability for access.

Document Content
Matched Section
Section: User accounts management upon termination
Content: User accounts, including privileged user accounts, should be locked immediately when an employee is terminated for cause.
AI Justification
The locking and deletion of user accounts upon termination directly relates to ensuring accountability for system-related property.

Document Content
Matched Section
Section: User accounts management upon termination
Content: User accounts, including privileged user accounts, should be locked (disabled) within 24 hours of an employee leaving the firm on their scheduled termination date.
AI Justification
The timely locking and deletion of user accounts after termination is crucial for maintaining security and accountability.

Document Content
Matched Section
Section: User accounts management upon termination
Content: User accounts, including privileged user accounts, should be deleted within two weeks following the employee termination.
AI Justification
The deletion of user accounts within a specified timeframe after termination ensures that access to system-related property is properly managed.

Document Content
Matched Section
Section: Scope & Applicability
Content: Lazard should define, document, implement, and maintain policies to control access to their Information Resources. Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text discusses the need for policies that control access to information resources, which aligns with the requirements for access agreements that include acknowledgments of understanding and compliance.

Document Content
Matched Section
Section: Scope & Applicability
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses the need for a documented access control policy that defines roles and responsibilities, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: Scope & Applicability
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access. It also includes the periodic review of information system access privileges.
AI Justification
The text mentions controlling access based on roles and the need for periodic review of access privileges, which aligns with AC-2.

Document Content
Matched Section
Section: Risk Assessment Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of defining security requirements and the process for requesting exceptions to policy, which aligns with the need for risk assessment policies and procedures.

Document Content
Matched Section
Section: System and services acquisition policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for security and privacy, which aligns with the requirements of SA-1 regarding the acquisition of systems and services.

Document Content
Matched Section
Section: System & Services Acquisition | Developer Screening
Content: Control: SA-21: Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy.
AI Justification
The text discusses the importance of developer screening for external developers, which aligns directly with the control SA-21.

Document Content
Matched Section
Section: Personnel Security | Personnel Screening
Content: Internal developer screening is addressed by PS-3.
AI Justification
The text mentions that internal developer screening is addressed by PS-3, indicating a connection to personnel screening practices.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: Appropriate controls for User access to networks and network services should be deployed to ensure that:
AI Justification
The text discusses the segregation of access control roles and the implementation of access controls to prevent unauthorized access, which aligns with the requirements of an access control policy.

Document Content
Matched Section
Section: Segregate access control roles between access request, access authorization, and access administration.
Content: Segregate access control roles between access request, access authorization, and access administration.
AI Justification
The mention of segregating access control roles and ensuring privileged users understand their roles indicates a focus on account management practices.

Document Content
Matched Section
Section: Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
Content: Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
AI Justification
The requirement to prevent unauthorized access to information systems and ensure security controls are in place aligns with access enforcement practices.

Document Content
Matched Section
Section: Ensure that the security controls are in place while using mobile computing and remote access facilities.
Content: Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
Ensuring security controls while using mobile computing and remote access facilities directly relates to remote access controls.

Document Content
Matched Section
Section: Ensure that the security controls are in place while using mobile computing and remote access facilities.
Content: Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The mention of mobile computing indicates the need for specific access controls for mobile devices.

Document Content
Matched Section
Section: Privileged users should understand their roles and responsibilities.
Content: Privileged users should understand their roles and responsibilities.
AI Justification
The requirement for privileged users to understand their roles and responsibilities aligns with the principle of least privilege.

Document Content
Matched Section
Section: System and Communications Protection Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for security and privacy, including the ability to define and implement security requirements, which aligns with the need for a system and communications protection policy.

Document Content
Matched Section
Section: i. Appropriate interfaces are created to segregate Lazard’s networks from the networks owned by other organizations and public networks.
Content: i. Appropriate interfaces are created to segregate Lazard’s networks from the networks owned by other organizations and public networks.
AI Justification
The text discusses the segregation and segmentation of networks, which aligns with the control's focus on managing network connections and ensuring integrity.

Document Content
Matched Section
Section: iv. Control over User access to information services is enforced.
Content: iv. Control over User access to information services is enforced.
AI Justification
The text mentions control over user access and ensuring users are only provided access to authorized services, which aligns with access enforcement principles.

Document Content
Matched Section
Section: vi. Authorization process is developed and implemented to ensure that only Users who are authorized may access the network segments and services.
Content: vi. Authorization process is developed and implemented to ensure that only Users who are authorized may access the network segments and services.
AI Justification
The authorization process mentioned ensures that only authorized users can access network segments and services, which relates to account management.

Document Content
Matched Section
Section: Access Control
Content: Access to Information Resources should be controlled, based on the business and security requirements and in keeping with the asset’s classification in accordance with Lazard’s 8.0 IS Asset Management Policy.
AI Justification
The text discusses access control and the management of information resources, which aligns with the concept of security and privacy attributes associated with information.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: d. Segregate access control roles between access request, access authorization, and access administration.
AI Justification
The chunk discusses the segregation of access control roles and preventing unauthorized access, which aligns with the need for system management functionality that requires privileged user access.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: d. Segregate access control roles between access request, access authorization, and access administration.
AI Justification
The text discusses segregation of access control roles and preventing unauthorized access, which aligns with the principles of access control policies.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: e. Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
AI Justification
The mention of preventing unauthorized access to information systems and ensuring security controls aligns with access enforcement requirements.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
Ensuring security controls while using mobile computing and remote access facilities aligns with remote access controls.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: f. Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The text emphasizes the need for security controls in mobile computing, which relates to access control for mobile devices.

Document Content
Matched Section
Section: Access to Networks and Network Services
Content: i. Privileged users should understand their roles and responsibilities.
AI Justification
The mention of ensuring that privileged users understand their roles and responsibilities aligns with the least privilege principle.

Document Content
Matched Section
Section: Scope & Applicability
Content: This policy covers all Lazard networks, information systems, company data, employees and contractors. This document is to be used in conjunction with specific procedures to facilitate the implementation of the access control policy and associated access controls.
AI Justification
The text discusses the need to define, document, implement, and maintain policies to control access to information resources, which aligns with the requirements of an access control policy.

Document Content
Matched Section
Section: Scope & Applicability
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text mentions controlling access based on roles and includes authorizing, modifying, and revoking access, which aligns with account management practices.

Document Content
Matched Section
Section: c. The following controls apply to wireless access points within Lazard’s premises
Content: c. The following controls apply to wireless access points within Lazard’s premises: i. All wireless access points should be approved by IT management or information security. Wireless access points should be registered/monitored by the network management operations team as well as information security.
AI Justification
The section discusses the requirement for strong authentication and secure communications for external connections, which aligns with the need to protect wireless links from unauthorized access and exploitation.

Document Content
Matched Section
Section: Section 1.2.2 Access to Networks and Network Services
Content: Prevent unauthorized access to information systems, network services, operating systems, and information held in database and application systems.
AI Justification
The chunk discusses preventing unauthorized access and ensuring security controls for mobile computing, which aligns with the usage restrictions outlined in SC-43.

Document Content
Matched Section
Section: Section 1.2.2 Access to Networks and Network Services
Content: Ensure that the security controls are in place while using mobile computing and remote access facilities.
AI Justification
The mention of ensuring security controls while using mobile computing and remote access facilities aligns with the need for controls over remote access.

Document Content
Matched Section
Section: i. Appropriate interfaces are created to segregate Lazard’s networks from the networks owned by other organizations and public networks.
Content: i. Appropriate interfaces are created to segregate Lazard’s networks from the networks owned by other organizations and public networks.
AI Justification
The text discusses the segregation and segmentation of networks, which aligns with the concept of managed interfaces and boundary protection as outlined in control SC-7.

Document Content
Matched Section
Section: iv. Control over User access to information services is enforced.
Content: iv. Control over User access to information services is enforced.
AI Justification
The text emphasizes the enforcement of user access control and authorization processes, which aligns with access enforcement requirements.

Document Content
Matched Section
Section: v. Users are provided access only to those services that they are specifically authorized to use.
Content: v. Users are provided access only to those services that they are specifically authorized to use.
AI Justification
The text mentions that users are provided access only to authorized services, which relates to account management and user access control.

Document Content
Matched Section
Section: vi. Authorization process is developed and implemented to ensure that only Users who are authorized may access the network segments and services.
Content: vi. Authorization process is developed and implemented to ensure that only Users who are authorized may access the network segments and services.
AI Justification
The text indicates that an authorization process is developed and implemented, which is part of access control policies and procedures.

Document Content
Matched Section
Section: System and information integrity policy and procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for security and privacy, which aligns with the requirements of SI-1 for addressing controls in the SI family.

Document Content
Matched Section
Section: Information management and retention requirements
Content: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information.
AI Justification
The text discusses the importance of managing and retaining information throughout its lifecycle, which aligns with the requirements of SI-12.

Document Content
Matched Section
Section: Access Control Policy
Content: Lazard should define, document, implement, and maintain policies to control access to their Information Resources. Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function. Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The text discusses the need for defining, documenting, implementing, and maintaining policies to control access to information resources, which aligns with the requirements of an access control policy.

Document Content
Matched Section
Section: Access Control Policy
Content: Access to Information Resources should be controlled through a managed process that addresses authorizing and modifying and revoking access.
AI Justification
The mention of authorizing, modifying, and revoking access privileges relates to account management processes.

Document Content
Matched Section
Section: Access Control Policy
Content: Access is based on an employee/contractor’s role and should be limited to the minimum necessary to perform their job function.
AI Justification
The policy emphasizes limiting access based on roles, which is a fundamental aspect of access enforcement.

Document Content
Matched Section
Section: System monitoring includes external and internal monitoring.
Content: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system.
AI Justification
The text discusses the importance of system monitoring, including both external and internal monitoring, which aligns directly with the SI-4 control.

Document Content
Matched Section
Section: Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17.
Content: Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17.
AI Justification
The mention of monitoring devices employed at managed interfaces associated with controls SC-7 and AC-17 indicates a connection to access control and monitoring.

Document Content
Matched Section
Section: Supply Chain Risk Management Policy and Procedures
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the establishment of policies and procedures for managing security and privacy risks, including the ability to define and implement security requirements that may deviate from the standard policy, which aligns with the principles of supply chain risk management.

Document Content
Matched Section
Section: i. Appropriate interfaces are created to segregate Lazard’s networks from the networks owned by other organizations and public networks.
Content: i. Appropriate interfaces are created to segregate Lazard’s networks from the networks owned by other organizations and public networks.
AI Justification
The text discusses the segregation and segmentation of networks, which aligns with the control's focus on system entry and exit points, including firewalls and network integrity.

Document Content
Matched Section
Section: iv. Control over User access to information services is enforced.
Content: iv. Control over User access to information services is enforced.
AI Justification
The text mentions control over user access and authorization processes, which aligns with the access enforcement control.

Document Content
Matched Section
Section: v. Users are provided access only to those services that they are specifically authorized to use.
Content: v. Users are provided access only to those services that they are specifically authorized to use.
AI Justification
The text refers to providing users access only to authorized services and implementing an authorization process, which aligns with account management.
7.2_IS_End_User_Device_Standard.pdf NIST
76 matches found

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the access control policy, which aligns with the need for documented policies and procedures regarding access control.

Document Content
Matched Section
Section: Section 10 and 1.1.4
Content: Employees should take appropriate measures, whenever possible, to protect and secure laptops that contain sensitive information when not in use (i.e., laptops should be secured in a locked desk or cabinet at night, office doors should be locked at night, etc.). Laptops should never be left unattended on premises outside Lazard offices and should never be checked as luggage. Devices should be password-protected and encrypted. If a device offers a timeout function that enforces re-entry of the password after a period of inactivity, it should be applied and should not exceed 60 minutes.
AI Justification
The chunk discusses measures to secure laptops and devices when not in use, which aligns with the concept of device locks as a temporary action to prevent unauthorized access.

Document Content
Matched Section
Section: Overview and Scope & Applicability
Content: Workstations, computers, laptops, mobile computing devices, portable data storage devices (such as floppy disks, USB external drives, and writeable CDs and DVDs) are considered “desktop” or “end user device” equipment. A desktop may be located within a Lazard facility or at a remote location, including sites occupied by a vendor and/or service provider.
AI Justification
The text discusses mobile devices, their characteristics, and the security measures that need to be implemented for their protection, which aligns with the requirements of AC-19.

Document Content
Matched Section
Section: Access to nonpublic personal, restricted, confidential, or proprietary information.
Content: or access nonpublic personal, restricted, confidential, or proprietary information.
AI Justification
The chunk discusses access to nonpublic personal, restricted, confidential, or proprietary information, which aligns with the control's focus on information sharing restrictions.

Document Content
Matched Section
Section: Overview and Scope & Applicability
Content: The purpose of this Policy document is to: i. Describe general security controls concerning desktop and end-user device security. ii. Define desktop and end-user device security access controls. iii. Explain monitoring activities that support desktop and end-user device security.
AI Justification
The text discusses access control policies and the enforcement mechanisms that ensure security for desktop and end-user devices, aligning with the requirements of a reference monitor.

Document Content
Matched Section
Section: Access Control Policies and Device Management
Content: Equipment and media containing confidential information should be retained in a secured location while unattended. Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office. Approved devices include Lazard issued workstations, laptops, and printers. Personal (end-user owned) devices may not be attached to the corporate network without permission from the IT department. In particular, the use of any unauthorized networking devices, including wireless access points or wireless routers, is expressly forbidden.
AI Justification
The text discusses the retention of confidential information and the restrictions on device access to the network, which aligns with the principles of access control policies.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC (“Lazard") and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The section discusses the unauthorized use or disclosure of information, which aligns with the control's focus on preventing data leakage.

Document Content
Matched Section
Section: Voice Communications Equipment protection and Maintenance
Content: They should have Call Loggers to monitor (and alarm) unusual call patterns. A periodical review for this standard and the associated core documents should be performed to identify and implement measures for improvement.
AI Justification
The chunk discusses the need for monitoring unusual call patterns and conducting periodic reviews, which aligns with the requirements for audit record review and analysis.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to policy, which aligns with the need for assessment and authorization procedures as outlined in CA-1.

Document Content
Matched Section
Section: Overview
Content: Workstations, computers, laptops, mobile computing devices, portable data storage devices (such as floppy disks, USB external drives, and writeable CDs and DVDs) are considered “desktop” or “end user device” equipment.
AI Justification
The text discusses security controls concerning desktop and end-user devices, which aligns with the concept of internal system connections as it includes mobile computing devices and other end-user devices.

Document Content
Matched Section
Section: Section 10 and 11 regarding approved end-user devices and unauthorized devices
Content: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office. Approved devices include Lazard issued workstations, laptops, and printers. Personal (end-user owned) devices may not be attached to the corporate network without permission from the IT department. In particular, the use of any unauthorized networking devices, including wireless access points or wireless routers, is expressly forbidden.
AI Justification
The chunk discusses access controls and restrictions related to devices that can connect to the network, which aligns with the need for authorized individuals to manage changes to systems.

Document Content
Matched Section
Section: Section 12 regarding Network Access Control (NAC)
Content: Network Access Control (NAC) technology is used to monitor compliance with this policy. Non-compliant devices will not be allowed to access the Lazard network.
AI Justification
The mention of network access control technology and monitoring compliance indicates enforcement of access policies.

Document Content
Matched Section
Section: Section 4: Configuration of security measures and software.
Content: 4. There should be a screen saver configured to enforce re-input of the user's password after a period of inactivity, not to exceed 60 minutes. 5. Anti-Virus software should be installed and set up per the policies described in 3.1 above. 6. Personal firewall software should be installed and subject to update from a central policy server; users should not be able to disable or change the configuration of this firewall. 7. Remote access should be configured to use a strong authentication system connection (e.g., SSL VPN) in conjunction with multi-factor authentication.
AI Justification
The chunk discusses the need for specific configurations such as screen savers, anti-virus software, personal firewalls, and remote access configurations, which are all related to the management of configuration settings.

Document Content
Matched Section
Section: Section 7: Configuration of remote access security.
Content: 7. Remote access should be configured to use a strong authentication system connection (e.g., SSL VPN) in conjunction with multi-factor authentication.
AI Justification
The mention of strong authentication for remote access and the configuration of personal firewalls relates to access control measures for devices.

Document Content
Matched Section
Section: Section 4: All PCs and laptops should be equipped with up-to-date and fully operational anti-virus software.
Content: All PCs and laptops should be equipped with up-to-date and fully operational anti-virus software. Disabling or interfering with anti-virus software is prohibited.
AI Justification
The text discusses the necessity of ensuring that computing devices are equipped with up-to-date anti-virus software and the prohibition of disabling such software, which aligns with limiting unnecessary functionality.

Document Content
Matched Section
Section: Section 2: All Firm workstations and laptops should be inventoried for hardware and software on a regular basis.
Content: All Firm workstations and laptops should be inventoried for hardware and software on a regular basis. Automated tools should be used if possible and if available.
AI Justification
The text discusses the need for inventorying all Firm workstations and laptops for hardware and software, aligning with the requirements for maintaining a centralized system component inventory.

Document Content
Matched Section
Section: Policy Exceptions Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the need for established procedures in contingency planning.

Document Content
Matched Section
Section: 1.1.4 Smartphones, Mobile, and Other Wireless Devices
Content: Devices should be password-protected and encrypted. If a device offers a timeout function that enforces re-entry of the password after a period of inactivity, it should be applied and should not exceed 60 minutes.
AI Justification
The chunk discusses the importance of password protection and timeout functions for devices, which aligns with the need for re-authentication in certain situations.

Document Content
Matched Section
Section: Section 10 and 12
Content: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office. Network Access Control (NAC) technology is used to monitor compliance with this policy.
AI Justification
The text discusses the requirement for approved end-user devices to be attached to the LAN and the use of Network Access Control (NAC) technology to monitor compliance, which aligns with the need for unique device identification and authentication.

Document Content
Matched Section
Section: Identification and authentication requirements for non-organizational users are described in IA-8.
Content: or access nonpublic personal, restricted, confidential, or proprietary information.
AI Justification
The text discusses the requirements for identification and authentication of users accessing organizational systems, which aligns with the control's focus on unique identification and authentication.

Document Content
Matched Section
Section: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office.
Content: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office.
AI Justification
The mention of access restrictions and the requirement for approved end-user devices aligns with the control's focus on defining and enforcing permitted actions for users.

Document Content
Matched Section
Section: Remote access is a type of network access that involves communication through external networks.
Content: Remote access is a type of network access that involves communication through external networks.
AI Justification
The mention of remote access and the use of encrypted virtual private networks aligns with the control's focus on managing remote access to organizational systems.

Document Content
Matched Section
Section: Section 10 and 11 regarding approved end-user devices and network access control.
Content: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office. Approved devices include Lazard issued workstations, laptops, and printers. Personal (end-user owned) devices may not be attached to the corporate network without permission from the IT department.
AI Justification
The chunk discusses the management of devices and their identifiers, particularly in the context of network access and compliance with security policies.

Document Content
Matched Section
Section: The reference to account management activities of AC-2 using account names provided by IA-4.
Content: Typically, individual identifiers are the usernames of the system accounts assigned to those individuals.
AI Justification
The mention of account management activities in relation to identifiers aligns with the control's focus on managing user accounts and their access.

Document Content
Matched Section
Section: Section 4: Password and Authentication Management
Content: There should be a screen saver configured to enforce re-input of the user's password after a period of inactivity, not to exceed 60 minutes.
AI Justification
The chunk discusses the importance of password protection and the use of strong authentication systems, which aligns with the requirements for authenticators.

Document Content
Matched Section
Section: Section 7: Remote Access Configuration
Content: Remote access should be configured to use a strong authentication system connection (e.g., SSL VPN) in conjunction with multi-factor authentication.
AI Justification
The mention of strong authentication systems and multi-factor authentication in remote access aligns with the control's focus on authenticators.

Document Content
Matched Section
Section: Policy exception process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the policy, which relates to the establishment and maintenance of policies and procedures within the organization.

Document Content
Matched Section
Section: 4. Voice Communications Equipment
Content: Voice Communications Equipment should be protected in the following ways: a. They should be kept in a locked room. b. Management software should be protected by username and password logon. c. They should be configured to prevent hacking. d. They should have system-controlled dial-out access (premium rate numbers barred). e. They should have controlled dial-in access from direct exchange lines for support/maintenance.
AI Justification
The chunk discusses the need for controlled access and maintenance procedures for voice communications equipment, which aligns with the information security aspects of system maintenance.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process related to media protection, which aligns with the need for policies and procedures that address media protection controls.

Document Content
Matched Section
Section: Media Protection | Media Access
Content: Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.
AI Justification
The text discusses restricting access to both digital and non-digital media, which aligns with the control's focus on media access.

Document Content
Matched Section
Section: Media Protection | Media Marking
Content: Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm.
AI Justification
The text discusses the application of security markings to digital and non-digital media, which aligns directly with the control's focus on security marking.

Document Content
Matched Section
Section: Media Protection | Media Storage
Content: Control: MP-4: System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media.
AI Justification
The chunk discusses the physical control and secure storage of both digital and non-digital media, which aligns directly with the requirements of MP-4.

Document Content
Matched Section
Section: Media Protection | Media Access
Content: Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel.
AI Justification
The mention of controlled areas and physical access controls aligns with the access control aspects of MP-2.

Document Content
Matched Section
Section: Media Protection | Media Transport
Content: Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented.
AI Justification
The section discusses the protection of media during transport, including the use of cryptography and locked containers, which aligns with the requirements of control MP-5.

Document Content
Matched Section
Section: Media Protection | Media Sanitization
Content: Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering.
AI Justification
The mention of maintaining accountability of media during transport and ensuring that media enters appropriate transport processes aligns with the requirements of control MP-6.

Document Content
Matched Section
Section: Media Protection | Media Sanitization
Content: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed.
AI Justification
The text explicitly discusses the processes and techniques for media sanitization, which aligns directly with control MP-6.

Document Content
Matched Section
Section: Media Protection | Media Downgrading
Content: Media Protection | Media Downgrading
AI Justification
The chunk discusses the process of downgrading media to ensure that information cannot be retrieved or reconstructed, which aligns directly with the definition of MP-8.

Document Content
Matched Section
Section: Media Protection | Media Use
Content: Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices.
AI Justification
The text discusses the restrictions and protections related to the use of various types of media, including portable storage devices, which aligns directly with the control's focus on media use restrictions.

Document Content
Matched Section
Section: Media Protection | Media Access
Content: In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems.
AI Justification
The text mentions restricting user access to media, which aligns with the control's focus on access restrictions to media.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process related to physical and environmental protection, indicating a structured approach to managing exceptions in security policies.

Document Content
Matched Section
Section: Section 9: Equipment and media containing confidential information should be retained in a secured location while unattended.
Content: Equipment and media containing confidential information should be retained in a secured location while unattended.
AI Justification
The text discusses the importance of securing confidential information and controlling access to the network, which relates to the physical and environmental hazards that could compromise security.

Document Content
Matched Section
Section: Section 10: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office.
Content: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office.
AI Justification
The mention of unauthorized devices and the use of Network Access Control (NAC) technology relates to controlling access to the network, which is a key aspect of remote access security.

Document Content
Matched Section
Section: Media Protection | Media Access
Content: Permissions controlling output to the output devices are addressed in AC-3 or AC-4.
AI Justification
The chunk discusses the marking of hardware components and the control of output devices, which aligns with media access controls.

Document Content
Matched Section
Section: Media Protection | Media Marking
Content: Components are marked to indicate the impact level or classification level of the system to which the devices are connected.
AI Justification
The text explicitly mentions the marking of hardware components to indicate impact levels or classification levels.

Document Content
Matched Section
Section: Media Protection | Media Storage
Content: Security marking refers to the use of human-readable security attributes.
AI Justification
The control relates to the storage of media and the implications of marking for storage devices.

Document Content
Matched Section
Section: Media Protection | Media Transport
Content: Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.
AI Justification
The control is relevant as it pertains to the transport of marked media and the associated security considerations.

Document Content
Matched Section
Section: Equipment and media containing confidential information should be retained in a secured location while unattended.
Content: Equipment and media containing confidential information should be retained in a secured location while unattended.
AI Justification
The text discusses securing equipment and media containing confidential information, which aligns with the need to prevent physical tampering and unauthorized access.

Document Content
Matched Section
Section: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office.
Content: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office.
AI Justification
The mention of approved end-user devices and restrictions on personal devices aligns with access control measures.

Document Content
Matched Section
Section: In particular, the use of any unauthorized networking devices, including wireless access points or wireless routers, is expressly forbidden.
Content: In particular, the use of any unauthorized networking devices, including wireless access points or wireless routers, is expressly forbidden.
AI Justification
The restriction on unauthorized networking devices indicates a control over remote access to the network.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to the policy, which aligns with the need for planning policies and procedures in managing security risks.

Document Content
Matched Section
Section: Any User found to have violated any of these policies may be subject to disciplinary action...
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The text discusses the consequences of violating policies, which relates to the rules of behavior that govern user actions and responsibilities.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process of implementing lower protection levels and the necessity of following a policy exception process, which relates to the organization's protection needs and risk management strategy.

Document Content
Matched Section
Section: 1.10 DOCUMENT INFORMATION
Content: CONTACT(S): CONTACT DETAILS APPROVER(S): POSITION SIGNATURE DATE Peter Keenan Chief Information Security Officer (CISO)
AI Justification
The presence of the Chief Information Security Officer (CISO) in the document indicates the role of a senior agency information security officer, aligning with the control's definition.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a lower protection level to address information security risk, which aligns with the organization's risk management strategy and the need for a process to evaluate and mitigate risks.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the process for requesting exceptions to security policies, which aligns with the need for established personnel security policies and procedures.

Document Content
Matched Section
Section: Disciplinary Actions for Policy Violations
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The text discusses disciplinary actions for policy violations, which aligns with the need for organizational sanctions as described in PS-8.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process, which aligns with the need for policies and procedures regarding information security risks and exceptions.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process to address information security risks, which aligns with the need for risk assessment policies and procedures.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the implementation of a policy exception process for lower protection levels, which relates to the overarching system and communications protection policies and procedures.

Document Content
Matched Section
Section: Overview and Scope & Applicability
Content: The purpose of this Policy document is to: i. Describe general security controls concerning desktop and end-user device security. ii. Define desktop and end-user device security access controls.
AI Justification
The chunk discusses security controls and access controls related to desktop and end-user devices, which aligns with the concept of security and privacy attributes as described in control SC-16.

Document Content
Matched Section
Section: Section 6: Desktops and 1.1.3 Laptops
Content: Desktops should be re-imaged when reallocated to a different person. Remote control of desktops should be allowed for technical support purposes only unless specifically permitted. Wireless Network Interface Cards on desktops should be approved by Lazard IT to ensure that they provide proper security. Standard users should not have local administrative rights without approval of Information Security. Operating system and system software patches relating to security should be applied on a weekly basis. The only enabled local accounts should be administrative accounts; the administrative account should have a password. (Note: In Paris, laptops are set up with local user accounts with limited privileges.)
AI Justification
The text discusses the separation of user functions from system management functions, which aligns with the requirements of SC-2 regarding privileged user access and the need for separation.

Document Content
Matched Section
Section: 10. Employees should take appropriate measures, whenever possible, to protect and secure laptops that contain sensitive information when not in use.
Content: Employees should take appropriate measures, whenever possible, to protect and secure laptops that contain sensitive information when not in use (i.e., laptops should be secured in a locked desk or cabinet at night, office doors should be locked at night, etc.).
AI Justification
The section discusses measures to protect sensitive information on laptops and other devices, which aligns with the focus on protecting information at rest.

Document Content
Matched Section
Section: 1.1.4 Smartphones, Mobile, and Other Wireless Devices
Content: Devices should be password-protected and encrypted.
AI Justification
The mention of password protection and encryption for devices directly relates to the confidentiality and integrity of information at rest.

Document Content
Matched Section
Section: Section 10 and 11 regarding approved end-user devices and unauthorized networking devices.
Content: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office. Approved devices include Lazard issued workstations, laptops, and printers. Personal (end-user owned) devices may not be attached to the corporate network without permission from the IT department. In particular, the use of any unauthorized networking devices, including wireless access points or wireless routers, is expressly forbidden.
AI Justification
The section discusses the use of approved end-user devices and the prohibition of unauthorized networking devices, which aligns with the need to protect wireless communication links.

Document Content
Matched Section
Section: 1.1.4 Smartphones, Mobile, and Other Wireless Devices
Content: 1. Devices should be password-protected and encrypted.
AI Justification
The section discusses the security measures for mobile devices, including smartphones, which aligns with the control's focus on sensor capabilities and potential risks associated with mobile devices.

Document Content
Matched Section
Section: Equipment and media containing confidential information should be retained in a secured location while unattended.
Content: Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office.
AI Justification
The text discusses the restrictions on the use of devices that can access the network, aligning with the control's focus on usage restrictions for system components.

Document Content
Matched Section
Section: Section 9 and 10 regarding equipment and media security and approved end-user devices.
Content: Equipment and media containing confidential information should be retained in a secured location while unattended. Only approved end-user devices may be attached to the LAN (per wire or WIFI) in any Lazard office.
AI Justification
The text discusses the need for securing access to confidential information and the use of approved devices, which aligns with the need to prevent unauthorized access and ensure policy enforcement.

Document Content
Matched Section
Section: Section 10 regarding approved devices and network access control.
Content: Approved devices include Lazard issued workstations, laptops, and printers. Personal (end-user owned) devices may not be attached to the corporate network without permission from the IT department.
AI Justification
The mention of controlling access to the network and the prohibition of unauthorized devices aligns with the need for access control measures.

Document Content
Matched Section
Section: Section 12 regarding Network Access Control technology.
Content: Network Access Control (NAC) technology is used to monitor compliance with this policy. Non-compliant devices will not be allowed to access the Lazard network.
AI Justification
The use of Network Access Control (NAC) technology to monitor compliance and restrict access aligns with access enforcement requirements.

Document Content
Matched Section
Section: EXCEPTION
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The chunk discusses the ability of divisions and functions to implement stronger security requirements and mechanisms, which aligns with the concept of ensuring domain separation and policy enforcement.

Document Content
Matched Section
Section: EXCEPTION
Content: The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the enforcement of policies and the ability of divisions to implement stronger security requirements, which aligns with the need for additional strength of mechanism for specific threats.

Document Content
Matched Section
Section: Voice Communications Equipment Protection
Content: Voice Communications Equipment should be protected in the following ways: a. They should be kept in a locked room. b. Management software should be protected by username and password logon. c. They should be configured to prevent hacking. d. They should have system-controlled dial-out access (premium rate numbers barred). e. They should have controlled dial-in access from direct exchange lines for support/maintenance. f. They should have Call Loggers to monitor (and alarm) unusual call patterns.
AI Justification
The text discusses the protection of voice communications equipment and the management of access, which aligns with the concept of boundary protection in network security.

Document Content
Matched Section
Section: 1.1.6 Telecommunications
Content: 1. Voicemail boxes should be secured through a PIN. Outbound dialing from mailboxes should be prevented.
AI Justification
The chunk discusses the use of approved removable devices that support password protection and encryption, which aligns with protecting the confidentiality and integrity of transmitted information.

Document Content
Matched Section
Section: Policy Exception Process
Content: In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the policy exception process and the need for a structured approach to managing exceptions, which aligns with the need for policies and procedures regarding system and information integrity.

Document Content
Matched Section
Section: Operating system and system software patches relating to security should be applied on an as-needed basis by the Lazard IT Department.
Content: Operating system and system software patches relating to security should be applied on an as-needed basis by the Lazard IT Department.
AI Justification
The text discusses the application of operating system and system software patches, which aligns with the need to remediate system flaws and apply security-relevant updates.

Document Content
Matched Section
Section: Overview and Scope & Applicability
Content: The purpose of this Policy document is to: iii. Explain monitoring activities that support desktop and end-user device security.
AI Justification
The chunk discusses monitoring activities that support desktop and end-user device security, which aligns with the definition of system monitoring as described in control SI-4.
23.0_IS_Network_and_Firewall_Security_Policy.pdf NIST
129 matches found

Document Content
Matched Section
Section: Access Control Policy and Procedures
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for access control policies and procedures, including the approval process for exceptions, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: Section 1.2.5 Wired Public Internet Connections
Content: c) A specific set of devices and applications to which users can connect via the SSL VPN device will be created on the device.
AI Justification
The text discusses the creation of a specific set of devices and applications for user connections via SSL VPN, which aligns with the definition of remote access and its management.

Document Content
Matched Section
Section: Section 1.2.5 Wired Public Internet Connections
Content: d) No other form of incoming user connection should be permitted via the Internet. Any exceptions to this should be submitted to information security team for review and approval.
AI Justification
The text mentions that no other form of incoming user connection should be permitted via the Internet, which aligns with enforcing access restrictions.

Document Content
Matched Section
Section: Protection and control of mobile devices
Content: Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.
AI Justification
The text discusses the protection and control of mobile devices, including restrictions on unauthorized devices and the need for approval for device connections, which aligns with the requirements of AC-19.

Document Content
Matched Section
Section: Adequate security for mobile devices
Content: Adequate security for mobile devices goes beyond the requirements specified in AC-19. Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.
AI Justification
The text mentions that adequate security for mobile devices goes beyond AC-19 and refers to AC-20, which addresses mobile devices that are not organization-controlled, indicating a broader context of mobile device management.

Document Content
Matched Section
Section: Section v. Remote Management and the principle of least privilege
Content: The principle of least privilege should be employed by: Limiting account rights and privileges to only that access that is required by a user’s job functions.
AI Justification
The text discusses the identification of authorized users, specification of access privileges, and management of various types of system accounts, which aligns with the requirements of AC-2.

Document Content
Matched Section
Section: Section v. Remote Management and the principle of least privilege
Content: The principle of least privilege should be employed by: Limiting account rights and privileges to only that access that is required by a user’s job functions.
AI Justification
The text emphasizes limiting account rights and privileges to only what is necessary for job functions, which aligns with the principle of least privilege.

Document Content
Matched Section
Section: External System Access Principles
Content: There are cases where Lazard will allow external connections from system vendors for the purposes of technical support. The general principles that should be followed in these cases are as follows: Wherever possible these connections should utilize the same policies, procedures and technologies that have been designed and approved for Lazard employees.
AI Justification
The text discusses the principles for allowing external connections from system vendors, which aligns with the control's focus on managing external systems and their access.

Document Content
Matched Section
Section: Access Control Procedures
Content: Employees, consultants, or service providers no longer employed or utilized by Lazard should not have access to company-owned networks.
AI Justification
The text discusses access control decisions related to employees and service providers, indicating that access should be restricted based on employment status and that procedures for emergency access are in place.

Document Content
Matched Section
Section: Password Management for Access
Content: Where feasible, an authorized user’s password(s) for accessing distributed corporate services (e.g., routers and firewalls) should be different than the user’s password(s) used for desktop services.
AI Justification
The mention of different passwords for accessing distributed corporate services suggests a control over remote access to ensure security.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The chunk discusses access control and its importance in managing access between users and systems, which aligns with the definition of AC-3.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The mention of external systems and the need for controls suggests a focus on managing information flow, which aligns with AC-4.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: b) Organizational data flows should be mapped and monitored. To include, but not limited to: i. Network traffic between the internet and cloud environments ii. Traffic between applications within cloud environments (i.e., containers/microservices)
AI Justification
The section discusses the mapping and monitoring of organizational data flows, which aligns with the principles of information flow control as it regulates where information can travel within a system and between systems.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The chunk discusses various aspects of access control and mentions the importance of separating duties to mitigate risks associated with authorized privileges.

Document Content
Matched Section
Section: Network Infrastructure Management
Content: Network Infrastructure Management
AI Justification
The mention of network controls and segregation in networks aligns with the need for enforcing information flow and separation of duties.

Document Content
Matched Section
Section: Section v. Remote Management and subsection f) The principle of least privilege should be employed
Content: f) The principle of least privilege should be employed by: i. Limiting account rights and privileges to only that access that is required by a user’s job functions. ii. Assigning rights to file systems will be on an as-needed basis. Only the minimum rights necessary to accomplish a task will be issued.
AI Justification
The text explicitly discusses the principle of least privilege, detailing how account rights and privileges should be limited to only what is necessary for job functions.

Document Content
Matched Section
Section: Section t) A login/warning banner should be displayed on all system connections
Content: A login/warning banner should be displayed on all system connections to warn potential users that unauthorized access is prohibited. No identifying information such as Lazard's name, logo or address should be displayed before a successful login. System login banners should be approved by Information Security and should adhere to all local regulations and Lazard directives.
AI Justification
The chunk explicitly mentions the requirement for a login/warning banner to be displayed on all system connections, which aligns with the control's focus on system use notifications.

Document Content
Matched Section
Section: t) A login/warning banner should be displayed on all system connections to warn potential users that unauthorized access is prohibited.
Content: A login/warning banner should be displayed on all system connections to warn potential users that unauthorized access is prohibited. No identifying information such as Lazard's name, logo or address should be displayed before a successful login. System login banners should be approved by Information Security and should adhere to all local regulations and Lazard directives.
AI Justification
The mention of a login/warning banner aligns with the concept of notifying users about access attempts, which is part of the previous logon notification control.

Document Content
Matched Section
Section: Information Security Awareness, Education & Training
Content: Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents.
AI Justification
The text discusses the provision of literacy training and awareness for system users, which aligns with the requirements of AT-2.

Document Content
Matched Section
Section: Information Security Awareness, Education & Training
Content: Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties.
AI Justification
The text discusses the determination of training content based on roles and responsibilities, which aligns with the requirements of AT-3 for role-based training.

Document Content
Matched Section
Section: Section 1.5 - Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of audit and accountability policies and procedures, including the need for approval for exceptions and the definition of minimum security requirements.

Document Content
Matched Section
Section: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
Content: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
AI Justification
The chunk discusses appropriate logging and monitoring, which aligns with the session auditing capabilities described in AU-14.

Document Content
Matched Section
Section: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
Content: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
AI Justification
The text discusses the importance of logging and monitoring actions that affect the confidentiality, integrity, and availability of information systems, which aligns with the requirements for logging significant events.

Document Content
Matched Section
Section: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
Content: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
AI Justification
The chunk discusses the importance of logging and monitoring actions that may affect the confidentiality, integrity, and availability of information systems, which aligns with the need for coordinated audit logging across organizations.

Document Content
Matched Section
Section: i) Network services provided by third parties are assumed to have different security models than are required by Lazard. Lazard Business Units leveraging such network services should request detailed documentation on the security attributes of all network services provided by third parties.
Content: i) Network services provided by third parties are assumed to have different security models than are required by Lazard. Lazard Business Units leveraging such network services should request detailed documentation on the security attributes of all network services provided by third parties.
AI Justification
The mention of third-party network services and the need for security documentation aligns with the control's emphasis on coordinating audit information requirements across organizational boundaries.

Document Content
Matched Section
Section: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
Content: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
AI Justification
The chunk discusses the importance of logging and monitoring actions that may affect the confidentiality, integrity, and availability of information systems, which aligns with the need for audit logging and addressing failures in that process.

Document Content
Matched Section
Section: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
Content: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
AI Justification
The chunk discusses appropriate logging and monitoring to detect actions affecting the confidentiality, integrity, and availability of information systems, which aligns with the requirements for audit record review and analysis.

Document Content
Matched Section
Section: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
Content: f) Appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, the confidentiality, integrity, and availability of Lazard information systems.
AI Justification
The chunk discusses logging and monitoring, which aligns with the need for audit information and logging activities as outlined in AU-9.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for assessment, authorization, and monitoring, which aligns directly with CA-1.

Document Content
Matched Section
Section: Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements
Content: Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
AI Justification
The text discusses the identification and inclusion of security mechanisms and management requirements in network services agreements, which aligns with the requirements for system information exchange and risk considerations outlined in CA-3.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: Devices utilized to support networks (e.g., routers, switches) will be inventoried, configured, and managed in a manner consistent and in compliance with Lazard Standards and Policies, such as 7.0 Asset Management Policy and 7.1 Asset Management Standard.
AI Justification
The section discusses the importance of monitoring devices and data flows, which aligns with the continuous monitoring aspect of CA-7.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: Organizational data flows should be mapped and monitored.
AI Justification
The mention of mapping and monitoring organizational data flows aligns with the requirements of AU-13 for monitoring activities.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: Configurations of a random sampling of routers and other network devices providing distributed corporate services will be reviewed on a periodic basis to ensure compliance with security controls.
AI Justification
The periodic review of configurations of network devices aligns with CM-6d, which emphasizes the need for configuration monitoring.

Document Content
Matched Section
Section: Chunk: 1.5
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of configuration management policies and procedures, including the approval process for exceptions and the definition of security requirements.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: b) Organizational data flows should be mapped and monitored. To include, but not limited to: i. Network traffic between the internet and cloud environments ii. Traffic between applications within cloud environments (i.e., containers/microservices)
AI Justification
The chunk discusses the mapping and monitoring of organizational data flows, which aligns with the control's focus on processing personally identifiable information and understanding data actions.

Document Content
Matched Section
Section: p) Telephone lines that could enable remote access into the network from core data centers and other critical data and telecommunications areas will be implemented with security controls...
Content: p) Telephone lines that could enable remote access into the network from core data centers and other critical data and telecommunications areas will be implemented with security controls (e.g., lines will be unplugged until needed). All modem lines will be restricted to dial-out. Dial-in will be restricted to remote access concentrations (i.e., PERLE access switch). Exceptions to this policy should be authorized by the Lazard IS Department.
AI Justification
The chunk discusses security controls related to network devices and firewalls, which aligns with the systematic proposal and implementation of configuration changes.

Document Content
Matched Section
Section: q) Only firewalls approved by Information Security will be utilized. Firewall traffic logs will be monitored on a regular basis for suspicious traffic flows.
Content: q) Only firewalls approved by Information Security will be utilized. Firewall traffic logs will be monitored on a regular basis for suspicious traffic flows.
AI Justification
The mention of monitoring firewall traffic logs and restricting access to network devices indicates a focus on managing configuration changes and security controls.

Document Content
Matched Section
Section: r) Network devices (Routers, switches, WIFI access points, etc.) should be protected with logon accounts known only to the infrastructure staff and selected support staff.
Content: r) Network devices (Routers, switches, WIFI access points, etc.) should be protected with logon accounts known only to the infrastructure staff and selected support staff. They should have an enabled password for making configuration changes known only to infrastructure staff.
AI Justification
The protection of network devices with logon accounts and enabled passwords for configuration changes reflects the need for controlled access and management of configuration settings.

Document Content
Matched Section
Section: Access Control Policy
Content: Employees, consultants, or service providers no longer employed or utilized by Lazard should not have access to company-owned networks.
AI Justification
The text discusses access control measures for employees and service providers, emphasizing that only authorized individuals should have access to company-owned networks, which aligns with the need for controlled changes to systems.

Document Content
Matched Section
Section: Access Control Policy
Content: Where feasible, an authorized user’s password(s) for accessing distributed corporate services (e.g., routers and firewalls) should be different than the user’s password(s) used for desktop services.
AI Justification
The mention of different passwords for accessing corporate services indicates a need for enforcing access controls, which is a key aspect of AC-3.

Document Content
Matched Section
Section: Security mechanisms, service levels and management requirements of all network services
Content: Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
AI Justification
The text discusses the identification of security mechanisms and management requirements for network services, which aligns with the concept of configuration settings that affect security posture.

Document Content
Matched Section
Section: Procedures for the network service usage to restrict access to network services
Content: Procedures for the network service usage to restrict access to network services or applications, where necessary.
AI Justification
The mention of restricting access to network services aligns with access control measures.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Control: CM-7: Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component.
AI Justification
The text discusses limiting component functionality to necessary services and removing unnecessary software, which aligns with the principle of least functionality.

Document Content
Matched Section
Section: Network Monitoring and Defense
Content: Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services.
AI Justification
The mention of employing network scanning tools and intrusion detection systems relates to boundary protection measures.

Document Content
Matched Section
Section: Contingency Planning Policy and Procedures
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having contingency planning policies and procedures, including the approval process for exceptions, which aligns with the control's focus on establishing such policies.

Document Content
Matched Section
Section: Security mechanisms, service levels and management requirements of all network services
Content: Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
AI Justification
The chunk discusses the identification of security mechanisms and management requirements for network services, which aligns with the need for telecommunications services to maintain essential functions despite service loss.

Document Content
Matched Section
Section: Identification and authentication policy and procedures
Content: Control: IA-1: Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of having identification and authentication policies and procedures, which aligns with the control's focus on establishing such policies within organizations.

Document Content
Matched Section
Section: Identification and authentication requirements
Content: Employees, consultants, or service providers no longer employed or utilized by Lazard should not have access to company-owned networks.
AI Justification
The text discusses the identification and authentication of users, including the requirement for unique identification and the use of passwords, which aligns with IA-2.

Document Content
Matched Section
Section: Access Control Procedures
Content: Where feasible, an authorized user’s password(s) for accessing distributed corporate services (e.g., routers and firewalls) should be different than the user’s password(s) used for desktop services.
AI Justification
The mention of access control and the differentiation of passwords for various services aligns with the need to define permitted actions for users.

Document Content
Matched Section
Section: Section discussing approved devices and restrictions on personal devices
Content: Only approved devices may be attached to the LAN in any Lazard office. Approved devices include Lazard issued workstations, laptops, and printers. Personal (end-used owned) devices may not be attached to the corporate network without permission from the Information Security department.
AI Justification
The text discusses the requirement for approved devices to be attached to the network and the restrictions on personal devices, aligning with the need for unique identification and authentication of devices.

Document Content
Matched Section
Section: i. Routers and other network devices will be accessed by means of passwords that are difficult to guess or to decipher by means of automated or other password detection tools; ii. Passwords remain confidential and are not shared by technical staff responsible for the maintenance of networks.
Content: i. Routers and other network devices will be accessed by means of passwords that are difficult to guess or to decipher by means of automated or other password detection tools; ii. Passwords remain confidential and are not shared by technical staff responsible for the maintenance of networks.
AI Justification
The section discusses the use of passwords for accessing network devices, emphasizing the importance of password complexity and confidentiality, which aligns with the requirements for authenticators.

Document Content
Matched Section
Section: iii. Passwords should be changed at a minimum of every 90 days or when employees or contractors who are responsible for the maintenance of networks, and who may have knowledge of passwords, leave the Firm’s employment;
Content: iii. Passwords should be changed at a minimum of every 90 days or when employees or contractors who are responsible for the maintenance of networks, and who may have knowledge of passwords, leave the Firm’s employment;
AI Justification
The requirement to change passwords regularly aligns with the control's emphasis on managing authenticator content and ensuring security.

Document Content
Matched Section
Section: b) Lazard employees should authenticate using their Network user-id and password or using certificates on approved devices (IOS, etc.). c) Guests should authenticate using a pre-defined password which will expire after a limited time period.
Content: b) Lazard employees should authenticate using their Network user-id and password or using certificates on approved devices (IOS, etc.). c) Guests should authenticate using a pre-defined password which will expire after a limited time period.
AI Justification
The text specifies authentication methods for both employees and guests, aligning with the requirement for authentication mechanisms.

Document Content
Matched Section
Section: Section j) Where feasible, an authorized user’s password(s) for accessing distributed corporate services...
Content: Where feasible, an authorized user’s password(s) for accessing distributed corporate services (e.g., routers and firewalls) should be different than the user’s password(s) used for desktop services.
AI Justification
The text discusses the identification and authentication of users, including non-organizational users, which aligns with the requirements of IA-8.

Document Content
Matched Section
Section: Security features of network services include, but are not limited to:
Content: Security features of network services include, but are not limited to: Technology applied for security of network services, such as authentication, encryption, and network connection controls.
AI Justification
The chunk discusses the identification of security features and management requirements for network services, which aligns with the need for identification and authentication mechanisms.

Document Content
Matched Section
Section: Section 1.5 - Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of incident response policies and procedures, including the need for approval for exceptions and the definition of minimum security requirements.

Document Content
Matched Section
Section: Chunk: 1.5
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of maintenance policies and procedures, including the need for collaboration between security and privacy programs, which aligns with the MA-1 control.

Document Content
Matched Section
Section: h) A current network architecture must be maintained that includes, at a minimum, tiered network segmentation between:
Content: should connect through an approved secure channel and be authenticated with approved two-factor authentication.
AI Justification
The chunk mentions the requirement for two-factor authentication, which aligns with the identification and authentication control.

Document Content
Matched Section
Section: h) A current network architecture must be maintained that includes, at a minimum, tiered network segmentation between:
Content: should connect through an approved secure channel and be authenticated with approved two-factor authentication.
AI Justification
The mention of secure channels and authentication relates to the requirements for nonlocal maintenance activities.

Document Content
Matched Section
Section: m) Remote maintenance ports for Lazard's information and communication resources should be disabled until the specific time they are needed. Third parties providing remote maintenance require prior authorization by Lazard Information Security.
Content: m) Remote maintenance ports for Lazard's information and communication resources should be disabled until the specific time they are needed. Third parties providing remote maintenance require prior authorization by Lazard Information Security.
AI Justification
The text discusses the need for controls related to remote maintenance and the authorization of third parties, which aligns with the requirements for maintenance personnel.

Document Content
Matched Section
Section: m) Remote maintenance ports for Lazard's information and communication resources should be disabled until the specific time they are needed. Third parties providing remote maintenance require prior authorization by Lazard Information Security.
Content: m) Remote maintenance ports for Lazard's information and communication resources should be disabled until the specific time they are needed. Third parties providing remote maintenance require prior authorization by Lazard Information Security.
AI Justification
The mention of requiring prior authorization for third parties aligns with the need for physical access controls for maintenance personnel.

Document Content
Matched Section
Section: Protection of network devices and approved devices
Content: Only approved devices may be attached to the LAN in any Lazard office. Approved devices include Lazard issued workstations, laptops, and printers. Personal (end-user owned) devices may not be attached to the corporate network without permission from the Information Security department.
AI Justification
The text discusses the protection of network devices and the restriction of unauthorized devices, which aligns with the control's focus on managing the use of media and devices.

Document Content
Matched Section
Section: Section 1.5 - Policy Exceptions
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the necessity of having policies and procedures for physical and environmental protection, including the approval process for exceptions, which aligns with the requirements of PE-1.

Document Content
Matched Section
Section: Section p) and r)
Content: Telephone lines that could enable remote access into the network from core data centers and other critical data and telecommunications areas will be implemented with security controls (e.g., lines will be unplugged until needed). All modem lines will be restricted to dial-out. Dial-in will be restricted to remote access concentrations (i.e., PERLE access switch). Exceptions to this policy should be authorized by the Lazard IS Department. Network devices (Routers, switches, WIFI access points, etc.) should be protected with logon accounts known only to the infrastructure staff and selected support staff.
AI Justification
The text discusses restricting access to remote access lines and ensuring that only authorized personnel can access network devices, which aligns with the control's focus on enforcing authorizations.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Control: PE-22: Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in AC-3 or AC-4. Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.
AI Justification
The text discusses the marking of hardware components to indicate their impact or classification level, which aligns with the requirements of PE-22.

Document Content
Matched Section
Section: Section p) Telephone lines that could enable remote access into the network
Content: Telephone lines that could enable remote access into the network from core data centers and other critical data and telecommunications areas will be implemented with security controls (e.g., lines will be unplugged until needed).
AI Justification
The chunk discusses the implementation of security controls on telephone lines to prevent unauthorized access, which aligns with the intent of PE-4 regarding the protection of system distribution and transmission lines.

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets.
AI Justification
The text discusses the approval process for exceptions to the policy, which aligns with the need for planning policies and procedures that govern security and privacy assurance.

Document Content
Matched Section
Section: Control: PL-10
Content: Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline.
AI Justification
The text discusses predefined sets of controls, their selection based on stakeholder needs, and the importance of control baselines in managing risk, which aligns directly with the definition of PL-10.

Document Content
Matched Section
Section: 1.0 PURPOSE
Content: The purpose of this policy document is to describe security-related controls necessary to ensure the effective implementation and monitoring of network security.
AI Justification
The chunk discusses the purpose of a policy document that outlines security-related controls, which aligns with the concept of an information security program plan as described in control PM-1.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The text discusses centrally managed controls, which includes AC-4 as a candidate for central management, indicating its relevance to the management and implementation of access controls.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The mention of centrally managed controls includes AC-10, which is relevant to the management of access control measures.

Document Content
Matched Section
Section: Network Infrastructure Management
Content: Network Infrastructure Management
AI Justification
SC-7 is included in the list of controls that can be centrally managed, aligning with the text's focus on central management of controls.

Document Content
Matched Section
Section: Network Infrastructure Management
Content: Network Infrastructure Management
AI Justification
SC-10 is mentioned as a candidate for central management, which aligns with the text's emphasis on managing network controls.

Document Content
Matched Section
Section: Network Infrastructure Management
Content: Network Infrastructure Management
AI Justification
SC-20 is relevant as it is part of the centrally managed controls, supporting the overall management of network services.

Document Content
Matched Section
Section: Section 1.5 - Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for defining protection requirements and the process for exceptions to security policies, which aligns with the concept of protection needs outlined in PM-11.

Document Content
Matched Section
Section: Information Security Awareness, Education & Training
Content: Information Security Awareness, Education & Training
AI Justification
The chunk discusses the importance of information security awareness and training, which aligns with the development of workforce capabilities in security and privacy roles.

Document Content
Matched Section
Section: Information Security Awareness, Education & Training
Content: Information Security Awareness, Education & Training
AI Justification
The mention of role-based training programs aligns with the requirements of AT-3.

Document Content
Matched Section
Section: Information Security Awareness, Education & Training
Content: Information Security Awareness, Education and Training
AI Justification
The chunk discusses Information Security Awareness, Education & Training, which aligns with the need for awareness and training programs.

Document Content
Matched Section
Section: Information Security Awareness, Education & Training
Content: Information Security Awareness, Education and Training
AI Justification
The chunk emphasizes the importance of training and monitoring activities, which aligns with the PM-14 control.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: b) Organizational data flows should be mapped and monitored. To include, but not limited to: i. Network traffic between the internet and cloud environments ii. Traffic between applications within cloud environments (i.e., containers/microservices)
AI Justification
The text discusses the importance of monitoring organizational data flows and configurations of network devices, which aligns with the continuous monitoring concept outlined in PM-31.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: c) Configurations of a random sampling of routers and other network devices providing distributed corporate services will be reviewed on a periodic basis to ensure compliance with security controls.
AI Justification
The mention of periodic reviews of configurations of network devices aligns with the continuous monitoring requirement in CA-7.

Document Content
Matched Section
Section: Section p) and r)
Content: p) Telephone lines that could enable remote access into the network from core data centers and other critical data and telecommunications areas will be implemented with security controls (e.g., lines will be unplugged until needed). All modem lines will be restricted to dial-out. Dial-in will be restricted to remote access concentrations (i.e., PERLE access switch). Exceptions to this policy should be authorized by the Lazard IS Department. r) Network devices (Routers, switches, WIFI access points, etc.) should be protected with logon accounts known only to the infrastructure staff and selected support staff. They should have an enabled password for making configuration changes known only to infrastructure staff.
AI Justification
The chunk discusses the implementation of security controls for critical assets, such as telephone lines and network devices, which aligns with the prioritization of critical assets and resources.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for personnel security policies and procedures, including the process for exceptions and approvals, which aligns with the requirements of PS-1.

Document Content
Matched Section
Section: External Provider Management
Content: There are cases where Lazard will allow external connections from system vendors for the purposes of technical support. The general principles that should be followed in these cases are as follows: Wherever possible these connections should utilize the same policies, procedures and technologies that have been designed and approved for Lazard employees. The service provider should provide satisfactory evidence that their staff is rigorously authenticated before allowing such access. Wherever practical the connection or access method should be 'switched-off' when not in use and require a Lazard intervention to switch it on. This may be a physical act (such as powering on a modem) or a configuration change activated through software. The vendor should be assessed to assure Lazard that they are a reputable organization that is likely to be employing adequate security on its systems. There should be a log of connections and activity.
AI Justification
The text discusses the management of external connections from system vendors, including authentication and assessment of the vendor's security practices, which aligns with the requirements for external providers.

Document Content
Matched Section
Section: Violation of these policies by anyone other than an employee performing services for Lazard
Content: Violation of these policies by anyone other than an employee performing services for Lazard, including anyone performing services pursuant to a contract, will be grounds for immediate termination. Lazard may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification
The text discusses the consequences of policy violations, which aligns with the control's focus on organizational sanctions reflecting applicable laws and policies.

Document Content
Matched Section
Section: Exceptions to the policy and the process for requesting exceptions.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures related to personally identifiable information, including the need for approval for exceptions and the establishment of stronger security requirements.

Document Content
Matched Section
Section: Exceptions to the policy and technical and organizational controls
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of risk assessment policies and procedures, including the need for approval for exceptions and the definition of minimum security requirements.

Document Content
Matched Section
Section: Section 1.5 - Policy Exceptions
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of policies and procedures related to system and services acquisition, emphasizing the need for collaboration between security and privacy programs, which aligns with the requirements of control SA-1.

Document Content
Matched Section
Section: u) There are cases where Lazard will allow external connections from system vendors for the purposes of technical support.
Content: u) There are cases where Lazard will allow external connections from system vendors for the purposes of technical support. The general principles that should be followed in these cases are as follows: i. Wherever possible these connections should utilize the same policies, procedures and technologies that have been designed and approved for Lazard employees. ii. The service provider should provide satisfactory evidence that their staff is rigorously authenticated before allowing such access. iii. Wherever practical the connection or access method should be 'switched-off' when not in use and require a Lazard intervention to switch it on. This may be a physical act (such as powering on a modem) or a configuration change activated through software. iv. The vendor should be assessed to assure Lazard that they are a reputable organization that is likely to be employing adequate security on its systems. v. There should be a log of connections and activity.
AI Justification
The text discusses the principles for allowing external connections from system vendors for technical support, which aligns with the need for support for system components, including the assessment of vendors and ensuring adequate security measures.

Document Content
Matched Section
Section: Security features of network services include, but are not limited to:
Content: Security features of network services include, but are not limited to: Technology applied for security of network services, such as authentication, encryption, and network connection controls.
AI Justification
The chunk discusses the identification and inclusion of security mechanisms and management requirements for network services, which aligns with enhancing the trustworthiness of systems as described in SA-23.

Document Content
Matched Section
Section: Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements.
Content: Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
AI Justification
The text discusses the identification of security mechanisms and management requirements for network services, aligning with the principles of integrating security into the system development life cycle.

Document Content
Matched Section
Section: The IT team should identify the security features and management requirements of all network services included in any network services agreement.
Content: The IT team should identify the security features and management requirements of all network services included in any network services agreement, whether these services are provided in-house or outsourced.
AI Justification
The mention of identifying security features and management requirements for network services aligns with the principles of security engineering that guide the design and implementation of secure systems.

Document Content
Matched Section
Section: Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements.
Content: v) Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
AI Justification
The chunk discusses the identification and inclusion of security mechanisms and management requirements in network services agreements, which aligns with the derivation of security and privacy functional requirements.

Document Content
Matched Section
Section: The IT team should identify the security features and management requirements of all network services included in any network services agreement.
Content: w) The IT team should identify the security features and management requirements of all network services included in any network services agreement, whether these services are provided in-house or outsourced.
AI Justification
The chunk implies the need for high-level security and privacy requirements to be reflected in network service agreements, which is a core aspect of SA-2.

Document Content
Matched Section
Section: Control: SA-8
Content: Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades.
AI Justification
The text discusses the implementation of systems security and privacy engineering principles throughout the system development life cycle, which aligns with the control's focus on security engineering principles.

Document Content
Matched Section
Section: External Connections from System Vendors
Content: There are cases where Lazard will allow external connections from system vendors for the purposes of technical support. The general principles that should be followed in these cases are as follows: Wherever possible these connections should utilize the same policies, procedures and technologies that have been designed and approved for Lazard employees. The service provider should provide satisfactory evidence that their staff is rigorously authenticated before allowing such access. Wherever practical the connection or access method should be 'switched-off' when not in use and require a Lazard intervention to switch it on. This may be a physical act (such as powering on a modem) or a configuration change activated through software. The vendor should be assessed to assure Lazard that they are a reputable organization that is likely to be employing adequate security on its systems. There should be a log of connections and activity.
AI Justification
The text discusses the management of external connections from system vendors, emphasizing the need for security measures and assessment of the vendor's reputation, which aligns with the requirements of SA-9.

Document Content
Matched Section
Section: General Network Security & Management (Section 1.2.1) and Requirements
Content: This Policy describes the security-related controls and standards necessary to ensure the effective implementation and monitoring of network security, and to protect critical Company information that is transmitted via various Lazard networks, including public, internal, and trusted external networks.
AI Justification
The text discusses the importance of having policies and procedures for system and communications protection, which aligns directly with control SC-1.

Document Content
Matched Section
Section: Devices that are Internet-facing and outside the Lazard firewall are subject to the policies below.
Content: Devices that are Internet-facing and outside the Lazard firewall are subject to the policies below. These devices (network and host) are particularly vulnerable to attack from the Internet since they reside outside the corporate firewalls.
AI Justification
The text discusses the management of Internet-facing devices and the policies governing their connections, which aligns with the control's focus on terminating network connections and managing network access.

Document Content
Matched Section
Section: Security features of network services include, but are not limited to: Technology applied for security of network services, such as authentication, encryption, and network connection controls.
Content: Security features of network services include, but are not limited to: Technology applied for security of network services, such as authentication, encryption, and network connection controls.
AI Justification
The chunk discusses the use of encryption as a security feature for network services, which aligns with the control's focus on employing cryptography for security solutions.

Document Content
Matched Section
Section: 1.2.3 Network Segregation & Segmentation
Content: infrastructure configuration standards including firewall, IDS/IPS, router, network communication protocols and Domain Name Server (DNS).
AI Justification
The chunk discusses infrastructure configuration standards that include DNS, which relates to the control's focus on authoritative source information for network address resolution.

Document Content
Matched Section
Section: 1.2.3 Network Segregation & Segmentation
Content: infrastructure configuration standards including firewall, IDS/IPS, router, network communication protocols and Domain Name Server (DNS).
AI Justification
The text discusses the configuration and segregation of DNS servers, which aligns with the requirements for redundancy and role separation in SC-22.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The chunk discusses the separation of user functions from system management functions, which aligns with the requirements of SC-2 regarding privileged user access and the methods for achieving separation.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The mention of network controls and the need for separation of functions suggests alignment with AC-4, which focuses on controlling information flow.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The discussion of isolating administrative interfaces and employing additional access controls aligns with SC-7, which addresses boundary protection.

Document Content
Matched Section
Section: The principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions.
Content: The principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system.
AI Justification
The principle of least functionality aligns with the concept of deploying system components with minimal functionality to reduce security risks.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: Devices utilized to support networks (e.g., routers, switches) will be inventoried, configured, and managed in a manner consistent with and in compliance with Lazard Standards and Policies, such as 7.0 Asset Management Policy and 7.1 Asset Management Standard.
AI Justification
The section discusses the management and configuration of network devices, which relates to the diversity of technologies and their configurations to mitigate risks.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Control: SC-3: Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions.
AI Justification
The text discusses the isolation of security functions from nonsecurity functions, which aligns directly with the description of SC-3.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities.
AI Justification
The mention of access control mechanisms and the implementation of least privilege capabilities aligns with AC-4, which focuses on controlling access to information.

Document Content
Matched Section
Section: 1.2.3 Network Segregation & Segmentation
Content: a) Groups of information services, users and information systems should be segregated on networks. b) Networks should be segregated or divided into separate logical domains, so access between domains can be controlled by means of secure devices. The segregation can either be physical or logical (e.g., Virtual LANs). c) The perimeter of each domain should be well defined. Access between network domains is allowed but should be controlled at the perimeter using an approved gateway.
AI Justification
The chunk discusses network segregation and segmentation, which aligns with the concept of system partitioning as part of a defense-in-depth strategy.

Document Content
Matched Section
Section: o) Modems and/or any out-of-band management products that could permit access to and/or from the corporate network will be limited only to those required for a specific business purpose and that are approved by Information Security.
Content: Modems and/or any out-of-band management products that could permit access to and/or from the corporate network will be limited only to those required for a specific business purpose and that are approved by Information Security. If connectivity or data transmission should occur via modem, specific security controls should be implemented.
AI Justification
The chunk discusses the management of out-of-band channels, specifically mentioning modems and out-of-band management products, which aligns with the control's focus on the use and security of out-of-band channels.

Document Content
Matched Section
Section: Wireless Public Internet Connections (Section 1.2.6)
Content: f. Wireless Public Internet Connections (Section 1.2.6)
AI Justification
The text discusses the importance of protecting wireless communication links to prevent unauthorized access and exploitation, which aligns directly with the control's focus on wireless link protection.

Document Content
Matched Section
Section: Section s) and t)
Content: Other network devices which contain configuration information which, if lost or incorrectly amended, would cause disruption to the business or compromise security of information in any way should be protected by logon accounts and passwords known only to appropriate staff. Only approved devices may be attached to the LAN in any Lazard office. Approved devices include Lazard issued workstations, laptops, and printers. Personal (end-user owned) devices may not be attached to the corporate network without permission from the Information Security department. In particular, the use of any unauthorized networking devices, including wireless access points or wireless routers, is expressly forbidden.
AI Justification
The text discusses the protection of network devices and the requirement for approved devices to be attached to the LAN, aligning with the concept of usage restrictions.

Document Content
Matched Section
Section: Section p) and q)
Content: Telephone lines that could enable remote access into the network from core data centers and other critical data and telecommunications areas will be implemented with security controls (e.g., lines will be unplugged until needed). All modem lines will be restricted to dial-out. Dial-in will be restricted to remote access concentrators (i.e., PERLE access switch). Exceptions to this policy should be authorized by the Lazard IS Department. Only firewalls approved by Information Security will be utilized. Firewall traffic logs will be monitored on a regular basis for suspicious traffic flows.
AI Justification
The text discusses the implementation of security controls to prevent unauthorized access and ensure policy enforcement, aligning with the need to avoid logical paths that could bypass security measures.

Document Content
Matched Section
Section: 1.2.1 General Network Security
Content: b) Organizational data flows should be mapped and monitored. These include, but are not limited to: i. Network traffic between the internet and cloud environments ii. Traffic between applications within cloud environments (i.e., containers/microservices)
AI Justification
The text discusses the importance of monitoring and detection capabilities in the context of adversaries moving laterally and attempting to exfiltrate information, which aligns with the control's focus on adversary behavior and monitoring.

Document Content
Matched Section
Section: 1.2.3 Network Segregation & Segmentation
Content: a) Groups of information services, users and information systems should be segregated on networks. b) Networks should be segregated or divided into separate logical domains, so access between domains can be controlled by means of secure devices. The segregation can either be physical or logical (e.g., Virtual LANs). c) The perimeter of each domain should be well defined. Access between network domains is allowed but should be controlled at the perimeter using an approved gateway.
AI Justification
The text discusses the segregation of networks and the control of access between domains, which aligns with the need for additional strength of mechanism and robustness for domain separation as described in SC-49.

Document Content
Matched Section
Section: Security mechanisms, service levels and management requirements of all network services
Content: Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
AI Justification
The text discusses the identification of security mechanisms and management requirements for network services, which aligns with the need to address denial-of-service events and implement protective measures.

Document Content
Matched Section
Section: 1.2.3 Network Segregation & Segmentation
Content: a) Groups of information services, users and information systems should be segregated on networks. b) Networks should be segregated or divided into separate logical domains, so access between domains can be controlled by means of secure devices. The segregation can either be physical or logical (e.g., Virtual LANs). c) The perimeter of each domain should be well defined. Access between network domains is allowed but should be controlled at the perimeter using an approved gateway.
AI Justification
The text discusses the segregation of networks and the control of access between domains, which aligns with the requirement for additional strength of mechanism for domain separation and policy enforcement.

Document Content
Matched Section
Section: k) Information Security should explicitly authorize all network devices. m) Lazard's Internet servers should be placed in a DMZ. A security device (e.g., Intrusion Detection Software, Firewall, etc.) should be implemented inside all DMZs to monitor communications allowed through the firewall.
Content: k) Information Security should explicitly authorize all network devices. m) Lazard's Internet servers should be placed in a DMZ. A security device (e.g., Intrusion Detection Software, Firewall, etc.) should be implemented inside all DMZs to monitor communications allowed through the firewall.
AI Justification
The text discusses the need for explicit authorization of network devices, the placement of servers in a DMZ, and the implementation of security devices to monitor communications, which aligns with the control's focus on managed interfaces and boundary protection.

Document Content
Matched Section
Section: Security features of network services include, but are not limited to:
Content: Security features of network services include, but are not limited to: Technology applied for security of network services, such as authentication, encryption, and network connection controls.
AI Justification
The chunk discusses the identification of security mechanisms and requirements for network services, which aligns with protecting the confidentiality and integrity of transmitted information.

Document Content
Matched Section
Section: Section 1.5 - Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for system and information integrity, including the approval process for exceptions, which aligns with the requirements of SI-1.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks.
AI Justification
The text discusses the implementation of non-persistent components and services to mitigate risks from advanced persistent threats, which aligns directly with the control's focus on reducing the attack surface and window of opportunity for adversaries.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Control: SI-4: System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions.
AI Justification
The text discusses the importance of system monitoring, including both external and internal monitoring, and the tools and techniques used for this purpose.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17.
AI Justification
The mention of monitoring devices employed at managed interfaces associated with controls SC-7 indicates a direct relationship with boundary protection.

Document Content
Matched Section
Section: Supply Chain Risk Management
Content: The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain.
AI Justification
The text discusses the complexities and requirements of managing supply chain risks, which aligns directly with the control's focus on the risks associated with external providers and the need for coordinated efforts in risk management.

Document Content
Matched Section
Section: Network Security Management
Content: The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored. The right to audit clause should be agreed and included in the agreement with the vendor.
AI Justification
The text discusses the need for agreements with vendors to include security measures and the ability to audit, which aligns with the assessment and review of supplier risk.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The section discusses the importance of safeguarding supply chain information and managing access to it, which aligns with access control principles.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The mention of withholding mission or business information from suppliers aligns with the need to enforce information flow controls.

Document Content
Matched Section
Section: Access Control | Use of External Systems
Content: Access Control | Use of External Systems
AI Justification
The discussion of safeguarding against potential adversaries and protecting supply chain information relates to boundary protection measures.

Document Content
Matched Section
Section: Network Security Management
Content: agreements should be verified by the Legal and Compliance team. bb) The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored. The right to audit clause should be agreed and included in the agreement with the vendor.
AI Justification
The text discusses the importance of agreements and procedures for managing relationships with third-party vendors, which aligns with the need for effective communication and monitoring in the supply chain.
3.0_IS_Information_Security_Policy_2.pdf NIST
176 matches found

Document Content
Matched Section
Section: Access control policy and procedures
Content: Control: AC-1: Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of access control policies and procedures in managing security and privacy, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
Content: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
AI Justification
The mention of controls for applications and systems that handle confidential information implies the need for account management to ensure only authorized access.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The chunk discusses controls for applications and systems that include safeguards for devices used by employees, which aligns with the concept of device locks as a security measure.

Document Content
Matched Section
Section: Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
Content: Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
AI Justification
The text discusses the representation of information using data structures, the association of attributes with subjects and objects, and the enforcement of security and privacy policies, which aligns with the control's focus on information protection processes.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The chunk discusses the establishment of controls for computing devices, including mobile devices, which aligns with the requirements outlined in AC-19 regarding the protection and control of mobile devices.

Document Content
Matched Section
Section: Access Control
Content: Access Control – Establishes controls to manage access to information assets and information processing facilities via defined business requirements.
AI Justification
The text discusses the identification of authorized system users, specification of access privileges, and management of various types of accounts, which aligns with the requirements of AC-2.

Document Content
Matched Section
Section: Access Control
Content: Establishes controls to manage access to information assets and information processing facilities via defined business requirements.
AI Justification
The chunk discusses the establishment of controls to manage access to information assets, which relates directly to access control decisions and enforcement.

Document Content
Matched Section
Section: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft. The accuracy, completeness, and quality of data as it is maintained over time. Data Integrity also refers to the safety of data regarding regulatory compliance and security.
AI Justification
The chunk discusses the protection of data against unauthorized access and emphasizes the importance of data integrity and confidentiality, which aligns with the principles of data mining protection.

Document Content
Matched Section
Section: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
Content: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
AI Justification
The chunk mentions the need to protect information from unauthorized access and highlights the importance of monitoring, which aligns with the monitoring aspect of AU-13.

Document Content
Matched Section
Section: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
AI Justification
The chunk discusses the protection of data against unauthorized access, which aligns with the requirements of a reference monitor enforcing access control policies.

Document Content
Matched Section
Section: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
Content: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
AI Justification
The mention of protecting information and systems from unauthorized access aligns with the need for established access control policies and procedures.

Document Content
Matched Section
Section: End-user Device Security Policy, Internet Security & Usage Policy, Network and Firewall Security Policy
Content: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
AI Justification
The chunk discusses controls for applications and systems that handle sensitive information, which aligns with the definition of access control policies that manage access between users and systems.

Document Content
Matched Section
Section: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
Content: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
AI Justification
The text discusses controls for applications and systems that process or transmit confidential information, which aligns with the principles of information flow control.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The text discusses controls related to safeguarding information and managing access, which aligns with the need to limit unsuccessful logon attempts and take actions when limits are exceeded.

Document Content
Matched Section
Section: VII. Lazard adopts the NIST CSF and ISO 27001 standards as the foundation for the policies, and the following minimum policies shall be maintained to instill the baseline controls.
Content: Lazard adopts the NIST CSF and ISO 27001 standards as the foundation for the policies, and the following minimum policies shall be maintained to instill the baseline controls: (a) Acceptable Use – Establishes the acceptable use of information processing assets for all users. (b) Information Security Policy – Communicates management direction and support for information security in accordance with business requirements and relevant laws and regulations and sets expectations for associates. (c) Organization of Information Security – Establishes a management framework to initiate and control the implementation and operation of information security within the organization. (d) Human Resource Security - Establishes controls to reduce the risk of employee/contractor error, theft, fraud, or misuse of information assets. (e) Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
AI Justification
The text discusses the importance of awareness and training policies and procedures in relation to security and privacy assurance, aligning with the AT-1 control.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents.
AI Justification
The text discusses the provision of literacy training and awareness for system users, which aligns with the requirements of AT-2.

Document Content
Matched Section
Section: Information Security Awareness, Education and Training
Content: Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training.
AI Justification
The mention of role-based training aligns with the requirements of AT-3, which emphasizes the need for training tailored to specific roles within the organization.

Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training).
AI Justification
The text discusses the determination of training content based on roles and responsibilities, which aligns with the requirements of AT-3.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Security Awareness & Skills Training
AI Justification
The chunk discusses the importance of training feedback, which aligns with the need for awareness training results and role-based training results as outlined in AT-6.

Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Awareness & Training | Role-based Training
AI Justification
The mention of role-based training in the chunk aligns with the requirements of AT-3, which focuses on the need for training tailored to specific roles.

Document Content
Matched Section
Section: Review of any impacting legal changes to ensure Lazard compliance with local laws
Content: Lazard's Information Security Policies should be periodically reviewed by Internal Audit and the policy owner to ensure regulatory compliance, proper governance and alignment with the business needs of Lazard.
AI Justification
The text discusses the importance of reviewing policies for effectiveness, compliance with legal obligations, and alignment with business needs, which aligns with the requirements of AU-1 for audit and accountability policies.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC ("Lazard") and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The text discusses the confidentiality of information and the restrictions on its use and disclosure, which aligns with the control's focus on preventing unauthorized disclosure of information.

Document Content
Matched Section
Section: IV. Lazard's Information Security Policies should be periodically reviewed by Internal Audit and the policy owner to ensure regulatory compliance, proper governance and alignment with the business needs of Lazard.
Content: Lazard's Information Security Policies should be periodically reviewed by Internal Audit and the policy owner to ensure regulatory compliance, proper governance and alignment with the business needs of Lazard. The following should be reviewed and evaluated: (a) The policies' effectiveness, demonstrated by the nature, number and impact of recorded security incidents.
AI Justification
The text discusses the review of policies and practices, including the evaluation of recorded security incidents, which aligns with the requirements for audit record review and analysis.

Document Content
Matched Section
Section: Lazard's Information Security Policies should be periodically reviewed by Internal Audit and the policy owner to ensure regulatory compliance, proper governance and alignment with the business needs of Lazard.
Content: Lazard's Information Security Policies should be periodically reviewed by Internal Audit and the policy owner to ensure regulatory compliance, proper governance and alignment with the business needs of Lazard. The following should be reviewed and evaluated: (a) The policies' effectiveness, demonstrated by the nature, number and impact of recorded security incidents. (b) Cost and impact of controls on business efficiency. (c) Effects of changes on technology and resulting impacts to the program business case. (d) Coverage of legal and regulatory obligations. (e) Adherence to human resources, privacy and regulatory practices.
AI Justification
The text discusses the importance of policies and procedures for assessment, authorization, and monitoring, which aligns with the CA-1 control.

Document Content
Matched Section
Section: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Content: Is responsible for approving information security policies. Information Security Committee (ISC) ● Is responsible for implementing the information security program or information security management system (ISMS). ● Is responsible for reviewing the status of Lazard's information security and setting direction for information security within Lazard.
AI Justification
The text discusses the responsibilities of senior executives and the Information Security Committee regarding the approval and implementation of information security policies, which aligns with the authorization responsibilities outlined in CA-6.

Document Content
Matched Section
Section: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
Content: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information.
AI Justification
The chunk discusses controls for applications and systems that process or transmit confidential information, which relates to the management of internal system connections.

Document Content
Matched Section
Section: Control: CA-8
Content: Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security.
AI Justification
The text describes the process and importance of penetration testing, which aligns directly with the control's definition and requirements.

Document Content
Matched Section
Section: Information Security Incident Management and Information Security Aspects of Business Continuity Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The text discusses the importance of configuration management policies and procedures in relation to security and privacy assurance, which aligns with the control's focus on establishing such policies.

Document Content
Matched Section
Section: Compliance
Content: Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The mention of compliance with legal, statutory, regulatory, and contractual obligations indicates a need for a comprehensive security planning policy.

Document Content
Matched Section
Section: Risk Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The text highlights the importance of identifying, evaluating, and managing risks, which aligns with the objectives of a risk assessment policy.

Document Content
Matched Section
Section: Data Security
Content: Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
AI Justification
The text discusses the handling and processing of personally identifiable information (PII), which aligns with the requirements of control CM-13 regarding data actions and the information life cycle.

Document Content
Matched Section
Section: Configuration Management | Baseline Configuration
Content: Configuration Management | Baseline Configuration
AI Justification
The chunk discusses various aspects of configuration management, including baseline configurations, which aligns directly with the control's focus on documenting and maintaining baseline configurations.

Document Content
Matched Section
Section: Configuration Management | Configuration Change Control
Content: Configuration Management | Configuration Change Control
AI Justification
The chunk discusses various aspects of configuration management, including change control processes, which align directly with the control's focus on systematic proposal, justification, implementation, testing, review, and disposition of system changes.

Document Content
Matched Section
Section: Configuration Management | Configuration Change Control
Content: Configuration Management | Configuration Change Control
AI Justification
The chunk mentions processes for managing configuration changes, which aligns with the control's focus on maintaining the integrity of configuration settings.

Document Content
Matched Section
Section: Review of any impacting legal changes to ensure Lazard compliance with local laws
Content: allow for any requests for changes or reviews of specific sections of the practice such that Security Organization can address requests based upon a risk analysis of the comments and suggestions.
AI Justification
The text discusses the review of policies and the impact of changes, which aligns with conducting impact analyses as described in CM-4.

Document Content
Matched Section
Section: End-user Device Security Policy, Internet Security & Usage Policy, Network and Firewall Security Policy
Content: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information. (s) End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities. Internet Security & Usage Policy – Establishes controls that address acceptable Internet Usage Policies, and Internet Security Controls that should be implemented and followed in order to protect the confidentiality and integrity of information resources available to employees via the Internet.
AI Justification
The text discusses the establishment of controls and requirements for safeguarding computing devices and information, which aligns with the definition of configuration settings that impact security and privacy.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information. (s) End-user Device Security Policy - Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The mention of controls for computing devices used by employees, vendors, and service providers indicates a focus on access control measures for mobile devices.

Document Content
Matched Section
Section: Network and Firewall Security Policy
Content: controls for applications and systems that contain, process, or transmit Company Confidential and Company Restricted information. (u) Network and Firewall Security Policy - Establishes the security-related controls and
AI Justification
The policies mentioned imply a focus on limiting the functionality of devices and systems to only what is necessary for their intended use, which aligns with the least functionality principle.

Document Content
Matched Section
Section: System Component Inventory
Content: System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems.
AI Justification
The text discusses the need for a centralized inventory of system components, including hardware, software, and firmware, which aligns directly with the requirements of CM-8.

Document Content
Matched Section
Section: Configuration Management Plan
Content: Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component.
AI Justification
The text emphasizes the importance of unique identifiers for components and the prevention of duplicate accounting, which relates to the overall configuration management strategy outlined in CM-9.

Document Content
Matched Section
Section: Configuration Management | Policies & Procedures
Content: Control: CM-9: Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems.
AI Justification
The text discusses configuration management activities throughout the system development life cycle, including the creation and implementation of configuration management plans.

Document Content
Matched Section
Section: Configuration Management | Configuration Change Control
Content: The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.
AI Justification
The text mentions processes for advancing changes through change management processes, which aligns with configuration change control.

Document Content
Matched Section
Section: Configuration Management | Configuration Management Plan
Content: Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.
AI Justification
The text explicitly discusses the generation and content of configuration management plans, which aligns with this control.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The text discusses the importance of contingency planning policies and procedures, which aligns directly with control CP-1.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The text mentions the management of information security incidents, which aligns with the need for incident response policies and procedures.

Document Content
Matched Section
Section: Compliance
Content: Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The text emphasizes the need for policies and procedures that contribute to security and privacy assurance, which aligns with the establishment of an information security program.

Document Content
Matched Section
Section: Risk Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The text discusses the identification, evaluation, and management of risk, which aligns with the need for a risk assessment policy.

Document Content
Matched Section
Section: Maintain business continuity to counteract interruptions to business activities and to protect critical business processes from effects of major failures or disasters.
Content: (f) Maintain business continuity to counteract interruptions to business activities and to protect critical business processes from effects of major failures or disasters.
AI Justification
The chunk discusses maintaining business continuity and mitigating operational risks, which aligns with the use of alternative security mechanisms to ensure continuity of operations.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The text discusses the importance of contingency planning for ensuring continuity of operations and addresses system restoration and alternative processes when systems are compromised, which aligns with CP-2.

Document Content
Matched Section
Section: Contingency Training
Content: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training.
AI Justification
The text discusses the importance of contingency training linked to roles and responsibilities, which aligns directly with CP-3.

Document Content
Matched Section
Section: Contingency Plan Testing
Content: Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned).
AI Justification
The mention of contingency plan testing and updates to training content based on testing aligns with CP-4.

Document Content
Matched Section
Section: Incident Response Testing
Content: Participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.
AI Justification
The text implies the need for training related to incident response, which aligns with IR-3.

Document Content
Matched Section
Section: Identification and authentication policy and procedures
Content: Control: IA-1: Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of identification and authentication policies and procedures, aligning with the control's focus on establishing such policies within organizations.

Document Content
Matched Section
Section: Acceptable Use – Establishes the acceptable use of information processing assets for all users.
Content: (a) Acceptable Use – Establishes the acceptable use of information processing assets for all users.
AI Justification
The mention of establishing acceptable use and information security policies aligns with the need for access control policies.

Document Content
Matched Section
Section: Information Security Policy – Communicates management direction and support for information security
Content: (b) Information Security Policy – Communicates management direction and support for information security in accordance with business requirements and relevant laws and regulations and sets expectations for associates.
AI Justification
The text describes the need for an information security policy that communicates management direction and support, which aligns with the control's focus.

Document Content
Matched Section
Section: Organization of Information Security – Establishes a management framework
Content: (c) Organization of Information Security – Establishes a management framework to initiate and control the implementation and operation of information security within the organization.
AI Justification
The establishment of a management framework for information security aligns with the control's focus on organizing security efforts.

Document Content
Matched Section
Section: Human Resource Security - Establishes controls to reduce the risk of employee/contractor error, theft, fraud, or misuse of information assets.
Content: (d) Human Resource Security - Establishes controls to reduce the risk of employee/contractor error, theft, fraud, or misuse of information assets.
AI Justification
The focus on reducing risks related to employee actions aligns with the control's emphasis on human resource security.

Document Content
Matched Section
Section: Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
Content: (e) Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
AI Justification
The establishment of controls for classifying and handling information assets aligns with the control's focus on data security.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The text discusses controls for devices used by employees and vendors, which aligns with the requirement for unique device identification and authentication.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The text discusses the importance of incident response policies and procedures, aligning with the requirements of control IR-1.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The mention of business continuity management aligns with the need for contingency planning policies and procedures.

Document Content
Matched Section
Section: Compliance
Content: (p) Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The text emphasizes the need for policies and procedures related to security and privacy, which aligns with security planning.

Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Information Security Awareness, Education and Training
AI Justification
The chunk mentions 'Information Security Awareness, Education and Training' which aligns with the need for role-based training as outlined in control AT-3.

Document Content
Matched Section
Section: Incident Response Management
Content: Incident Response Management
AI Justification
The chunk discusses incident response management and the need for training related to incident response, which aligns with control IR-2.

Document Content
Matched Section
Section: X. All breaches of information security should be reported to the Chief Information Security Officer, (CISO), in accordance with the firm’s Cyber Security Incident Response Plan.
Content: X. All breaches of information security should be reported to the Chief Information Security Officer, (CISO), in accordance with the firm’s Cyber Security Incident Response Plan. Any violation, non-adherence to this policy shall be viewed seriously and will be liable for disciplinary action that may include termination.
AI Justification
The text discusses the reporting of breaches to the CISO and the importance of adhering to the Cyber Security Incident Response Plan, which aligns with the incident response capabilities outlined in control IR-4.

Document Content
Matched Section
Section: XI. Access should be restricted to the information assets in keeping with business requirements and the associated risk.
Content: XI. Access should be restricted to the information assets in keeping with business requirements and the associated risk.
AI Justification
The text mentions that access should be restricted to information assets based on business requirements and associated risk, which aligns with the principles of access control.

Document Content
Matched Section
Section: XII. There may be instances where there is a justifiable business need to perform actions that conflict with 'Information Security Policies and Standards'.
Content: XII. There may be instances where there is a justifiable business need to perform actions that conflict with 'Information Security Policies and Standards'. Lazard recognizes that Information Security policies cannot be created and enforced which address all business issues.
AI Justification
The mention of exceptions to information security policies based on business needs and risk assessment aligns with the need for a structured program management approach.

Document Content
Matched Section
Section: X. All breaches of information security should be reported to the Chief Information Security Officer, (CISO), in accordance with the firm’s Cyber Security Incident Response Plan.
Content: X. All breaches of information security should be reported to the Chief Information Security Officer, (CISO), in accordance with the firm’s Cyber Security Incident Response Plan. Any violation, non-adherence to this policy shall be viewed seriously and will be liable for disciplinary action that may include termination.
AI Justification
The text specifies that all breaches of information security should be reported to the CISO, which aligns with the requirement for reporting incidents and reflects adherence to policies and standards.

Document Content
Matched Section
Section: X. All breaches of information security should be reported to the Chief Information Security Officer, (CISO), in accordance with the firm’s Cyber Security Incident Response Plan.
Content: X. All breaches of information security should be reported to the Chief Information Security Officer, (CISO), in accordance with the firm’s Cyber Security Incident Response Plan. Any violation, non-adherence to this policy shall be viewed seriously and will be liable for disciplinary action that may include termination.
AI Justification
The text discusses the reporting of breaches to the CISO and the adherence to a Cyber Security Incident Response Plan, which aligns with the need for a coordinated approach to incident response.

Document Content
Matched Section
Section: Maintenance policy and procedures
Content: Control: MA-1: Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of maintenance policies and procedures in the context of security and privacy assurance, aligning with the MA-1 control.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The section on Information Security Incident Management aligns with the need for policies and procedures to manage information security incidents effectively.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The mention of Information Security Aspects of Business Continuity Management aligns with the need for policies to ensure continuous operations during disruptions.

Document Content
Matched Section
Section: Compliance
Content: (p) Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The compliance section emphasizes the need for controls to ensure adherence to legal and regulatory obligations, which aligns with the PL-1 control.

Document Content
Matched Section
Section: Risk Policy
Content: (q) Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The Risk Policy section aligns with the need for controls to identify and manage risks, which is a key aspect of the RA-1 control.

Document Content
Matched Section
Section: Media Protection Policy and Procedures
Content: Control: MP-1: Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of media protection policies and procedures, aligning with the requirements of MP-1.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The section on Information Security Incident Management aligns with the need for a structured approach to incident response.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The section on Information Security Aspects of Business Continuity Management aligns with the need for contingency planning.

Document Content
Matched Section
Section: Compliance and Risk Policy
Content: (p) Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any. (q) Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The Compliance and Risk Policy sections indicate the need for policies that ensure compliance and risk management.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The text discusses controls related to the use of media, including restrictions on portable storage devices, which aligns with the requirements of MP-7.

Document Content
Matched Section
Section: Physical and Environmental Protection Policy and Procedures
Content: Control: PE-1: Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of establishing policies and procedures for physical and environmental protection, aligning with the requirements of PE-1.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The mention of Information Security Incident Management indicates the establishment of controls for managing information security incidents, which aligns with IR-1.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The reference to Information Security Aspects of Business Continuity Management aligns with the need for contingency planning, which is covered under CP-1.

Document Content
Matched Section
Section: Compliance and Risk Policy
Content: (p) Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any. (q) Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The mention of compliance and risk policy indicates the establishment of controls for managing risk and compliance, which aligns with PL-1.

Document Content
Matched Section
Section: Physical and Environmental Security
Content: Physical and Environmental Security – Establishes controls to prevent unauthorized physical access, damage and interference to the organization’s information assets and information processing facilities.
AI Justification
The chunk discusses controls related to managing access to information assets and preventing unauthorized physical access, which aligns with the requirements for physical access authorizations.

Document Content
Matched Section
Section: Physical and Environmental Security
Content: Physical and Environmental Security – Establishes controls to prevent unauthorized physical access, damage and interference to the organization’s information assets and information processing facilities.
AI Justification
The chunk discusses the establishment of controls to prevent unauthorized physical access, which aligns with the monitoring of physical access as described in PE-6.

Document Content
Matched Section
Section: Information Security Incident Management and Compliance
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. (p) Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The text discusses the establishment of controls for managing information security incidents and ensuring compliance with legal obligations, which aligns with the need for planning policies and procedures.

Document Content
Matched Section
Section: Risk Policy
Content: (q) Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The mention of risk policy and the need to identify, evaluate, and manage risks aligns with the requirements of a risk management strategy.

Document Content
Matched Section
Section: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
AI Justification
The text discusses the protection of data and the importance of maintaining its integrity, which aligns with the concept of control baselines that are tailored to address specific protection needs.

Document Content
Matched Section
Section: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
Content: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
AI Justification
The text emphasizes the need for tailoring controls based on the specific requirements and risks associated with data protection, which aligns with the concept of control tailoring.

Document Content
Matched Section
Section: 1.7 ENFORCEMENT
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The section discusses enforcement of policies and the consequences of non-compliance, which aligns with the establishment of rules of behavior for users.

Document Content
Matched Section
Section: the organization’s cybersecurity program
Content: the organization’s cybersecurity program. ● Is responsible for oversight and review of all information security policies, standards and best practices to ensure the organization remains compliant with all applicable regulations and legislation. ● Is responsible for ensuring that the goals set forth in the cybersecurity program are in line with the business objectives of the organization. ● Is responsible for developing, implementing, and maintaining processes to track cybersecurity related risk across the organization. ● Is responsible for providing progress reports and metrics related to cybersecurity including but not limited to: • Vulnerabilities • Patching • Attack Surface • Incident Response • Logging • Phishing Simulation Results • New Regulation/Legislation • Travel Advisory • Information Security 5 year Strategy Plan ● Is responsible for providing direction for Information
AI Justification
The text discusses the responsibilities and oversight of the organization's cybersecurity program, which aligns with the need for a formal information security program plan that outlines security requirements and management controls.

Document Content
Matched Section
Section: Central management refers to organization-wide management and implementation of selected controls and processes.
Content: Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes.
AI Justification
The text discusses the organization-wide management and implementation of controls, which aligns with the concept of central management as described in control PL-9.

Document Content
Matched Section
Section: As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities.
Content: As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities.
AI Justification
The mention of controls and processes that may be suitable for central management relates to configuration management, which is covered under CM-1.

Document Content
Matched Section
Section: In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level.
Content: In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level.
AI Justification
The text discusses managing controls and processes, which includes aspects of change management relevant to CM-3.

Document Content
Matched Section
Section: Information Security Incident Management and Compliance
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. (p) Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The text discusses the importance of establishing controls for information security incidents and compliance, which aligns with the need for technology-independent capabilities to counter threats and protect information.

Document Content
Matched Section
Section: Risk Policy
Content: (q) Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The mention of risk policy and the need to identify, evaluate, and manage risks aligns with the concept of determining required controls based on organizational risk management strategies.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Data Protection; Security Awareness & Skills Training; Incident Response Management
AI Justification
The chunk discusses the importance of security awareness and skills training, which aligns with the development of workforce capabilities in security and privacy roles.

Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Awareness & Training | Role-based Training; Program Management | Security & Privacy Workforce
AI Justification
The mention of role-based training programs in the control aligns with the focus on training individuals assigned security and privacy roles.

Document Content
Matched Section
Section: the organization’s cybersecurity program
Content: the organization’s cybersecurity program. ● Is responsible for oversight and review of all information security policies, standards and best practices to ensure the organization remains compliant with all applicable regulations and legislation.
AI Justification
The chunk discusses oversight and review of information security policies, which aligns with the need for a coordinated approach to security and privacy testing and monitoring.

Document Content
Matched Section
Section: 1.3 MANAGEMENT DIRECTION FOR INFORMATION SECURITY
Content:
● Is responsible for approving information security policies.
Information Security Committee (ISC)
● Is responsible for implementing the Information security program or Information security management system (ISMS).
● Is responsible for reviewing the status of Lazard’s information security and setting direction for information security within Lazard.
AI Justification
The text discusses the responsibilities of senior executives and the Information Security Committee in approving and implementing information security policies, which aligns with the role of a senior agency information security officer.

Document Content
Matched Section
Section: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft. The accuracy, completeness, and quality of data as it is maintained over time. Data Integrity also refers to the safety of data regarding regulatory compliance and security. The process of ensuring that data is available and/or accessible to end-users and applications, when and where they need it. The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
AI Justification
The text discusses the importance of data protection, integrity, and availability, which aligns with the responsibilities of a Data Governance Body to manage data effectively and ensure compliance with security and privacy requirements.

Document Content
Matched Section
Section: The accuracy, completeness, and quality of data as it is maintained over time.
Content: The accuracy, completeness, and quality of data as it is maintained over time. Data Integrity also refers to the safety of data regarding regulatory compliance and security.
AI Justification
The text discusses the importance of data integrity, including its accuracy, completeness, and quality, which aligns with the responsibilities of the Data Integrity Board to oversee matching programs and ensure data integrity.

Document Content
Matched Section
Section: Section (b) and (c) regarding identifying threats and vulnerabilities and providing intelligence information.
Content: (b) Identify high probability and business impacting threats, and vulnerabilities that exist within Lazard. (c) Provide threat and vulnerability intelligence information including probabilities and potential business impacts to Lazard leadership.
AI Justification
The chunk discusses identifying threats and vulnerabilities, which aligns with the prioritization of critical assets and resources as outlined in PM-8.

Document Content
Matched Section
Section: Section (f) regarding maintaining business continuity and protecting critical business processes.
Content: (f) Maintain business continuity to counteract interruptions to business activities and to protect critical business processes from effects of major failures or disasters.
AI Justification
The mention of maintaining business continuity and protecting critical business processes aligns with the need for contingency planning.

Document Content
Matched Section
Section: Risk Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The chunk discusses the establishment of controls for managing information security incidents and compliance, which aligns with the need for a comprehensive risk management strategy that includes risk identification and management.

Document Content
Matched Section
Section: Human Resource Security
Content: Human Resource Security - Establishes controls to reduce the risk of employee/contractor error, theft, fraud, or misuse of information assets.
AI Justification
The section discusses the establishment of controls related to human resource security, which aligns with the need for personnel screening and rescreening activities.

Document Content
Matched Section
Section: Personnel security policy and procedures
Content: Control: PS-1: Personnel security policy and procedures address the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of establishing policies and procedures for security and privacy assurance, which aligns with the requirements of PS-1.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The mention of Information Security Incident Management indicates the establishment of controls for managing information security incidents, which aligns with IR-1.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The reference to Information Security Aspects of Business Continuity Management aligns with the need for contingency planning, which is covered under CP-1.

Document Content
Matched Section
Section: Compliance
Content: (p) Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The mention of compliance with legal, statutory, regulatory, and contractual obligations relates to the need for a security planning policy, which is part of PL-1.

Document Content
Matched Section
Section: Risk Policy
Content: (q) Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The reference to risk policy indicates the establishment of controls for risk identification, evaluation, and management, which aligns with RA-1.

Document Content
Matched Section
Section: Application Credential Management Policy
Content: It is the responsibility of all staff including Lazard personnel, third party consultants, contractors, vendors and visitors to adhere to these policies.
AI Justification
The text discusses the responsibilities of various personnel, including third-party consultants and contractors, in adhering to security policies, which aligns with the management of external providers.

Document Content
Matched Section
Section: 1.7 ENFORCEMENT
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The section outlines the disciplinary actions that may be taken against users who violate policies, which aligns with the need for organizational sanctions as described in control PS-8.

Document Content
Matched Section
Section: Awareness & Training | Role-based Training
Content: Awareness & Training | Role-based Training
AI Justification
The mention of 'Role-based Training' aligns with the specification of security and privacy roles in organizational position descriptions, emphasizing the need for clarity in responsibilities and training requirements.

Document Content
Matched Section
Section: Program Management | Security & Privacy Workforce
Content: Program Management | Security & Privacy Workforce
AI Justification
The reference to 'Security & Privacy Workforce' indicates the importance of defining roles and responsibilities related to security and privacy, which is aligned with PS-9.

Document Content
Matched Section
Section: 1.0 PURPOSE
Content: The purpose of this policy is to set the direction for information security in Lazard and ensure that a set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
AI Justification
The text discusses the importance of policies and procedures related to personally identifiable information processing and transparency, aligning with the control's focus on establishing such policies.

Document Content
Matched Section
Section: Risk Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The text discusses the importance of risk assessment policies and procedures in managing risks and ensuring compliance, which aligns with the RA-1 control.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The text mentions the establishment of controls for managing information security incidents, which aligns with the IR-1 control.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The text addresses the need for business continuity management, which aligns with the CP-1 control.

Document Content
Matched Section
Section: Compliance
Content: Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The text emphasizes the need for policies and procedures that contribute to security and privacy assurance, which aligns with the PL-1 control.

Document Content
Matched Section
Section: Security categorization processes facilitate the development of inventories of information assets.
Content: Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted.
AI Justification
The text discusses the importance of security categorization and its role in identifying potential adverse impacts on organizational operations and assets.

Document Content
Matched Section
Section: Security categorization processes facilitate the development of inventories of information assets.
Content: Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted.
AI Justification
The text mentions the mapping of security categorization to specific system components, which aligns with maintaining an inventory of information system components.

Document Content
Matched Section
Section: Vulnerability Monitoring
Content: Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly.
AI Justification
The text discusses the importance of vulnerability monitoring, including the categorization of information and systems, the need for comprehensive monitoring, and the processes involved in identifying and addressing vulnerabilities.

Document Content
Matched Section
Section: Continuous Vulnerability Management
Content: Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components.
AI Justification
The text emphasizes the need for continuous vulnerability monitoring and the processes involved in identifying vulnerabilities, which aligns with the control for vulnerability management.

Document Content
Matched Section
Section: Information Security Incident Management and Risk Policy
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The chunk discusses the establishment of controls for managing information security incidents and ensuring compliance, which relates to the organization's approach to risk management and response.

Document Content
Matched Section
Section: Configuration Management | Policies & Procedures, Configuration Management | Baseline Configuration, Configuration Management | Configuration Change Control, Configuration Management | Impact Analyses, Configuration Management | Access restrictions for Change, Configuration Management | Configuration Settings, Configuration Management | Least Functionality, Configuration Management | Configuration Management Plan, System & Services Acquisition | Developer Configuration Management
Content: Control: SA-10: Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
AI Justification
The text discusses the importance of configuration management activities and the need for strict control to maintain the integrity of changes, which aligns with SA-10's focus on configuration management and security controls.

Document Content
Matched Section
Section: Information Security and Service Delivery
Content: Control: SA-1: System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of policies and procedures related to system and services acquisition, which aligns with the control's focus on establishing such policies and procedures.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The mention of establishing controls for the management of information security incidents aligns with the need for incident response policies and procedures.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The text addresses the need for business continuity management, which is a key aspect of contingency planning.

Document Content
Matched Section
Section: Compliance
Content: Compliance – Establishes controls to ensure compliance with legal, statutory, regulatory, and contractual obligations related to information security and of any.
AI Justification
The mention of compliance with legal, statutory, regulatory, and contractual obligations indicates the need for a security planning policy.

Document Content
Matched Section
Section: Risk Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The text discusses the identification, evaluation, and management of risk, which aligns with the control's focus on risk assessment.

Document Content
Matched Section
Section: Development tools and processes integrity
Content: Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation.
AI Justification
The chunk discusses the importance of maintaining the integrity of development tools and processes, which aligns with the control's focus on development tools and maturity models.

Document Content
Matched Section
Section: Configuration control throughout the system development life cycle
Content: Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.
AI Justification
The chunk emphasizes the need for configuration control to track authorized changes and prevent unauthorized changes, which aligns with the change control process.

Document Content
Matched Section
Section: Configuration Management | Policies & Procedures
Content: Control: SA-11: Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements.
AI Justification
The text discusses the importance of developmental testing and evaluation to confirm that controls are implemented correctly and meet security and privacy requirements, which aligns directly with SA-11.

Document Content
Matched Section
Section: Configuration Management | Policies & Procedures
Content: Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws.
AI Justification
The text emphasizes ongoing assessment during development and the need for various types of testing and evaluation, which aligns with the control's focus on assessments.

Document Content
Matched Section
Section: Configuration Management | Policies & Procedures
Content: The frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes.
AI Justification
The mention of ongoing testing and evaluation aligns with the continuous monitoring aspect of CA-7.

Document Content
Matched Section
Section: Configuration Management | Policies & Procedures
Content: Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing.
AI Justification
The text refers to penetration testing as part of the evaluation process, which aligns with CA-8.

Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The chunk discusses the importance of integrating security into the development lifecycle, which aligns with the focus of SA-17 on developer security and privacy architecture.

Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The mention of ensuring that information security is designed and implemented within the development lifecycle aligns with the objectives of PL-8, which focuses on integrating security architecture with enterprise architecture.

Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The chunk discusses the importance of integrating information security throughout the system development lifecycle, which aligns with the resource allocation for security measures.

Document Content
Matched Section
Section: Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts.
Content: Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components.
AI Justification
The text discusses the need for support for system components, including software patches and maintenance contracts, which aligns directly with the control's focus.

Document Content
Matched Section
Section: Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities.
Content: Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.
AI Justification
The mention of maintaining support for system components and the risks associated with unsupported components relates to the need for a baseline configuration.

Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the importance of integrating security and privacy considerations into the system development life cycle, which aligns directly with the principles outlined in SA-3.

Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text mentions the role of security engineering principles in designing, coding, and testing systems, which aligns with SA-8.

Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The chunk discusses the establishment of controls to ensure information security is integrated throughout the system development lifecycle, which aligns with the requirements for security and privacy functional requirements.

Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text discusses the implementation of systems security and privacy engineering principles throughout the system development life cycle, which aligns with the control's focus on integrating security into system development.

Document Content
Matched Section
Section: Communications Security
Content: (k) Communications Security – Establishes controls to ensure the protection of information flowing through all communication channels and its supporting information processing facilities.
AI Justification
The text discusses the importance of establishing policies and procedures for system and communications protection, which aligns directly with control SC-1.

Document Content
Matched Section
Section: System Acquisition, Development and Maintenance
Content: (l) System Acquisition, Development and Maintenance – Establishes controls to ensure that information security is an integral part of information systems across the entire lifecycle and information security is designed and implemented within the development lifecycle of information systems.
AI Justification
The text emphasizes the need for information security to be integrated into the entire lifecycle of information systems, which aligns with control SA-1.

Document Content
Matched Section
Section: Cryptography
Content: Establishes controls for proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
AI Justification
The chunk discusses the establishment of controls for the proper and effective use of cryptography, which aligns with the requirements for cryptographic key management and establishment.

Document Content
Matched Section
Section: Cryptography
Content: Establishes controls for proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
AI Justification
The chunk explicitly mentions the establishment of controls for the proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information, aligning directly with the control's focus on cryptographic solutions.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The chunk discusses the importance of ensuring continuous business operations and availability of information in the event of major failures or disasters, which aligns with the concept of maintaining a known safe state.

Document Content
Matched Section
Section: Asset Management, Access Control, Cryptography, Operations Security
Content: (f) Asset Management – Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets. (g) Access Control – Establishes controls to manage access to information assets and information processing facilities via defined business requirements. (h) Cryptography – Establishes controls for proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. (i) Physical and Environmental Security – Establishes controls to prevent unauthorized physical access, damage and interference to the organization’s information assets and information processing facilities. (j) Operations Security – Establishes controls to ensure the secure operation of information processing facilities, protection from malware, protection from loss of data, and other operational aspects.
AI Justification
The chunk discusses the establishment of controls for asset management, access control, cryptography, and operations security, which are relevant to protecting information at rest.

Document Content
Matched Section
Section: Operations Security
Content: Operations Security – Establishes controls to ensure the secure operation of information processing facilities, protection from malware, protection from loss of data, and other operational aspects.
AI Justification
The chunk discusses the establishment of controls for the secure operation of information processing facilities, which aligns with the OPSEC process of protecting information related to organizational activities.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The chunk discusses controls for devices that may include sensors, which aligns with the control's focus on mobile devices and their capabilities.

Document Content
Matched Section
Section: End-user Device Security Policy
Content: Establishes controls that define the requirements for safeguards and controls for any computing device used by employees, vendors, and service providers who access information available through Lazard network facilities.
AI Justification
The text discusses controls for applications and systems that handle sensitive information, which aligns with the usage restrictions on system components to ensure authorized use.

Document Content
Matched Section
Section: Network and Firewall Security Policy
Content: Network and Firewall Security Policy - Establishes the security-related controls and
AI Justification
The text discusses managed interfaces, boundary protection, and restrictions on traffic, which aligns with SC-7's focus on managing interfaces and protecting network boundaries.

Document Content
Matched Section
Section: Communications Security
Content: Communications Security – Establishes controls to ensure the protection of information flowing through all communication channels and its supporting information processing facilities.
AI Justification
The chunk discusses the establishment of controls to protect information flowing through communication channels, which aligns with the need to protect the confidentiality and integrity of transmitted information.

Document Content
Matched Section
Section: II. Lazard understands that information security is critical for its business and is committed to information security.
Content: Lazard should ensure, via its Information Security Management System (ISMS), that the confidentiality, integrity and availability of all its critical information and information processing facilities are safeguarded.
AI Justification
The text discusses the importance of having policies and procedures for information security, which aligns with the requirements of SI-1 for establishing system and information integrity policies.

Document Content
Matched Section
Section: III. Lazard should ensure that applicable regulatory, legislative and contractual requirements for information security are fulfilled.
Content: Lazard should ensure that applicable regulatory, legislative and contractual requirements for information security are fulfilled.
AI Justification
The mention of ensuring compliance with regulatory, legislative, and contractual requirements aligns with the need for policies and procedures that address these aspects.

Document Content
Matched Section
Section: IV. Lazard should strive to provide a secure working environment for all Lazard personnel, third party consultants, contractors and vendors.
Content: Lazard should strive to provide a secure working environment for all Lazard personnel, third party consultants, contractors and vendors.
AI Justification
The need for a secure working environment and the availability of the Information Security Policy to all personnel reflects the importance of having comprehensive policies and procedures.

Document Content
Matched Section
Section: VI. Lazard should develop a detailed set of policies, on a risk-based approach for addressing all
Content: Lazard should develop a detailed set of policies, on a risk-based approach for addressing all
AI Justification
The development of a detailed set of policies on a risk-based approach is directly related to the establishment of system and information integrity policies.

Document Content
Matched Section
Section: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft. The accuracy, completeness, and quality of data as it is maintained over time. Data Integrity also refers to the safety of data regarding regulatory compliance and security.
AI Justification
The text discusses the protection of data, its integrity, and the need for regulatory compliance, which aligns with the requirements for information management and retention.

Document Content
Matched Section
Section: The accuracy, completeness, and quality of data as it is maintained over time.
Content: The accuracy, completeness, and quality of data as it is maintained over time. Data Integrity also refers to the safety of data regarding regulatory compliance and security.
AI Justification
The chunk discusses the accuracy, completeness, and quality of data, which aligns with the operations for ensuring the quality of personally identifiable information as described in SI-18.

Document Content
Matched Section
Section: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
Content: The practice of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
AI Justification
The chunk mentions protecting information systems from unauthorized access, which aligns with access control measures.

Document Content
Matched Section
Section: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft. The accuracy, completeness, and quality of data as it is maintained over time. Data Integrity also refers to the safety of data regarding regulatory compliance and security.
AI Justification
The text discusses the protection of data against unauthorized access and emphasizes the importance of maintaining data integrity and confidentiality, which aligns with the de-identification process.

Document Content
Matched Section
Section: Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
Content: Data Security – Establishes controls and framework for classifying, labelling and handling of information assets.
AI Justification
The section discusses the importance of establishing controls to protect organizational information from various threats, including insider attacks and erroneous procedures, which aligns with the intent of SI-20.

Document Content
Matched Section
Section: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft. The accuracy, completeness, and quality of data as it is maintained over time. Data Integrity also refers to the safety of data regarding regulatory compliance and security.
AI Justification
The chunk discusses the protection of data against unauthorized access and the importance of maintaining data integrity, which aligns with the control's focus on protecting systems from malicious code.

Document Content
Matched Section
Section: Supply chain risk management policy and procedures
Content: Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations.
AI Justification
The text discusses the importance of policies and procedures in managing supply chain risks, aligning with the control's focus on establishing such policies.

Document Content
Matched Section
Section: Information Security Incident Management
Content: Information Security Incident Management – Establishes controls to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
AI Justification
The chunk mentions establishing controls for managing information security incidents, which aligns with the incident management control.

Document Content
Matched Section
Section: Information Security Aspects of Business Continuity Management
Content: Information Security Aspects of Business Continuity Management – Establishes controls to ensure continuous business operations and availability of information in the event of major failures or disasters.
AI Justification
The text refers to controls for ensuring continuous business operations and availability of information, which aligns with business continuity management.

Document Content
Matched Section
Section: Risk Policy
Content: Risk Policy - Establishes controls to ensure identification, evaluation and management of risk to secure business assets and support achievement of corporate objectives.
AI Justification
The mention of controls to ensure identification, evaluation, and management of risk aligns with the risk policy control.

Document Content
Matched Section
Section: Operations Security
Content: Establishes controls to ensure the secure operation of information processing facilities, protection from malware, protection from loss of data, and other operational aspects.
AI Justification
The text discusses the importance of establishing controls for asset management and access control, which are relevant to supply chain OPSEC as they involve protecting critical information and managing access to information assets.

Document Content
Matched Section
Section: Access Control
Content: Establishes controls to manage access to information assets and information processing facilities via defined business requirements.
AI Justification
The section on Access Control aligns with the need to manage access to information assets, which is a critical aspect of supply chain OPSEC.

Document Content
Matched Section
Section: Asset Management
Content: Establishes controls for asset identification, inventory, ownership and handling. Defines appropriate level of protection requirement and accountabilities for information assets.
AI Justification
The Asset Management section relates to the identification and protection of information assets, which is essential for maintaining supply chain security.

Document Content
Matched Section
Section: Protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
Content: The protection of data against unintentional, unlawful, or unauthorized access, disclosure, or theft.
AI Justification
The chunk discusses the protection of data against unauthorized access and modification, which aligns with the need for anti-tamper technologies to ensure data integrity.

Document Content
Matched Section
Section: The accuracy, completeness, and quality of data as it is maintained over time.
Content: The accuracy, completeness, and quality of data as it is maintained over time.
AI Justification
The chunk emphasizes the importance of protecting data integrity and confidentiality, which aligns with the Data Protection control.
20.0_IS_Risk_Management_Policy_2.pdf NIST
66 matches found

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY and 1.2 APPLICABILITY
Content: The policy and associated guidance provide a common methodology and organized approach to Information Security Risk Management whether based on regulatory compliance requirement or a threat to the organization. This policy is applicable for all Lazard information, infrastructure, network segments and devices.
AI Justification
The text discusses the importance of access control policies and procedures, their applicability to the organization, and the audience that these policies cover.

Document Content
Matched Section
Section: PURPOSE
Content: Lazard is committed to conducting all firm’s activities in compliance with all applicable laws, regulations, and Information Security policies. Lazard has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
AI Justification
The chunk discusses the importance of protecting sensitive information and outlines the need for compliance with laws and regulations, which aligns with the control's focus on information sharing and restrictions.

Document Content
Matched Section
Section: PURPOSE
Content: Lazard is committed to conducting all firm’s activities in compliance with all applicable laws, regulations, and Information Security policies. Lazard has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
AI Justification
The chunk discusses the importance of protecting nonpublic information and outlines the need for compliance with applicable laws and regulations, which aligns with the control's focus on access control and information protection.

Document Content
Matched Section
Section: Section 1.8 - Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the approval process for exceptions to security policies, which aligns with the concept of access control policies that govern how access is managed and enforced.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY and 1.2 APPLICABILITY
Content: The policy and associated guidance provide a common methodology and organized approach to Information Security Risk Management whether based on regulatory compliance requirement or a threat to the organization.
AI Justification
The text discusses the importance of awareness and training policies and procedures in relation to security and privacy assurance, aligning with the control's focus on establishing such policies.

Document Content
Matched Section
Section: Audit and Accountability Policy and Procedures
Content: Control: AU-1: Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
AI Justification
The text discusses the importance of audit and accountability policies and procedures, which aligns with the control's focus on establishing such policies within organizations.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC (“Lazard”) and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The section discusses the unauthorized use and disclosure of information, aligning with the control's focus on preventing data leakage.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The chunk discusses the investigation and analysis of information security incidents, which aligns with the requirements for audit record review and reporting.

Document Content
Matched Section
Section: Roles & Responsibilities
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The text discusses the importance of assessing and responding to information security incidents, which aligns with the need for policies and procedures for assessment and authorization.

Document Content
Matched Section
Section: Risk Mitigator/Responder
Content: • Is responsible for creating a mitigation plan and timelines • Is responsible for timely completion of the risk mitigation • Is responsible for execution and completion of risk mitigation
AI Justification
The text discusses the creation of a mitigation plan and timelines, which aligns with the requirements for plans of action and milestones.

Document Content
Matched Section
Section: Maintaining processes to track cybersecurity related risk across the organization.
Content: maintaining processes to track cybersecurity related risk across the organization.
AI Justification
The text discusses maintaining processes to track cybersecurity-related risks and the responsibilities of various roles in providing metrics and conducting risk assessments, which aligns with the continuous monitoring of security and privacy posture.

Document Content
Matched Section
Section: Incident Response
Content: Incident Response
AI Justification
The mention of incident response as part of the responsibilities indicates a focus on monitoring and responding to cybersecurity incidents, which aligns with the need for continuous monitoring.

Document Content
Matched Section
Section: Develops policy, standards and guidelines and approves solutions to mitigate identified risk to an acceptable level.
Content: Develops policy, standards and guidelines and approves solutions to mitigate identified risk to an acceptable level.
AI Justification
The development of policies, standards, and guidelines to mitigate identified risks indicates a structured approach to managing cybersecurity risks, which aligns with the principles of continuous monitoring.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: The policy and associated guidance provide a common methodology and organized approach to Information Security Risk Management whether based on regulatory compliance requirement or a threat to the organization.
AI Justification
The text discusses the importance of configuration management policies and procedures, aligning with the control's focus on establishing such policies within organizations.

Document Content
Matched Section
Section: Definition
Content: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
AI Justification
The chunk discusses the definition of risk and its implications on organizational operations, which aligns with the need for conducting impact analyses to understand potential adverse impacts.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The chunk discusses the investigation and analysis of information security incidents, which aligns with the documentation and evaluation of incidents as described in IR-5.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The chunk discusses the investigation and analysis of information security incidents, which aligns with the requirements for reporting incidents and their impact on risk assessments.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: The policy and associated guidance provide a common methodology and organized approach to Information Security Risk Management whether based on regulatory compliance requirement or a threat to the organization.
AI Justification
The text discusses the importance of media protection policies and procedures, aligning with the control's focus on establishing such policies within organizations.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC (“Lazard”) and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The chunk discusses the classification and handling of documents, which aligns with the need for security markings on various types of media.

Document Content
Matched Section
Section: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse
Content: Control: MP-6: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal.
AI Justification
The text discusses the sanitization of both digital and non-digital media, aligning with the requirements for media sanitization outlined in control MP-6.

Document Content
Matched Section
Section: Physical and Environmental Protection Policy and Procedures
Content: Control: PE-1: Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of policies and procedures in addressing physical and environmental protection, which aligns with the control's focus on establishing such policies and procedures.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: The policy and associated guidance provide a common methodology and organized approach to Information Security Risk Management whether based on regulatory compliance requirement or a threat to the organization.
AI Justification
The text discusses the importance of planning policies and procedures for security and privacy programs, which aligns directly with the control's focus on establishing such policies and procedures.

Document Content
Matched Section
Section: Clause 8.3 Design & Development
Content: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success.
AI Justification
The text discusses the concept of tailoring controls to meet specific organizational needs, which aligns with the definition and purpose of control PL-11.

Document Content
Matched Section
Section: Section 1.4 REQUIREMENT
Content: The Information Security Team (InfoSec) will develop and maintain an Information Security Risk Management Process to frame, assess, respond, and monitor risk. Guidance for this process will be based on the National Institute of Standards and Technology Cyber Risk Framework (NIST CRF) and specific security regulations e.g. HIPAA, FERPA, etc. if applicable. The risk management process will be designed to assist Lazard to maintain compliance with regulatory requirements, federal and state and local laws.
AI Justification
The text discusses the development and maintenance of an Information Security Risk Management Process, which aligns with the need for security and privacy plans that frame, assess, and monitor risk.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The text discusses the importance of an information security program plan, detailing roles and responsibilities related to risk management and incident response, which aligns with the requirements of PM-1.

Document Content
Matched Section
Section: 1.5 ROLES & RESPONSIBILITIES
Content: Board of Directors Audit Committee Executive Leadership, Risk Committee CIO CISO or appointed representative • Presented annual risk update • Approves Capital Expenditures for Information Security • Communication Path to Senior Management • Sponsors the Information Security Team to ensure the information security risk process is followed for organization activities, processes and projects • Will maintain the risk register • Communicate information security risks to Executive Leadership • Will report monthly or quarterly to organization leadership on risks that need to be addressed to bring risk to acceptable level
AI Justification
The text discusses the roles and responsibilities related to risk management processes, including the need for risk assessments and communication of risks to leadership, which aligns with the requirements for authorization processes.

Document Content
Matched Section
Section: 1.4 REQUIREMENT
Content: The Information Security Team (InfoSec) will develop and maintain an Information Security Risk Management Process to frame, assess, respond, and monitor risk.
AI Justification
The text discusses the need for an Information Security Risk Management Process that aligns with the protection needs and risk management strategies outlined in control PM-11.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC (“Lazard”) and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The text discusses the safeguarding and dissemination requirements for controlled unclassified information, aligning with the definition and requirements set forth by the National Archives and Records Administration.

Document Content
Matched Section
Section: 1.5 ROLES & RESPONSIBILITIES
Content: CISO or appointed representative • Presented annual risk update • Approves Capital Expenditures for Information Security • Communication Path to Senior Management • Sponsors the Information Security Team to ensure the information security risk process is followed for organization activities, processes and projects
AI Justification
The text discusses the roles and responsibilities of the CISO or appointed representative, which aligns with the definition of the senior agency information security officer.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The chunk discusses the investigation and analysis of information security incidents for risk management, aligning with the need for risk framing at the organizational level.

Document Content
Matched Section
Section: 1.5 ROLES & RESPONSIBILITIES
Content: Board of Directors Audit Committee Executive Leadership, Risk Committee CIO CISO or appointed representative • Presented annual risk update • Approves Capital Expenditures for Information Security • Communication Path to Senior Management • Sponsors the Information Security Team to ensure the information security risk process is followed for organization activities, processes and projects • Will maintain the risk register • Communicate information security risks to Executive Leadership • Will report monthly or quarterly to organization leadership on risks that need to be addressed to bring risk to acceptable level
AI Justification
The text discusses the roles and responsibilities of senior officials in managing information security risks, aligning with the control's focus on leadership in risk management activities.

Document Content
Matched Section
Section: 1.5 ROLES & RESPONSIBILITIES
Content: Board of Directors Audit Committee Executive Leadership, Risk Committee CIO CISO or appointed representative • Presented annual risk update • Approves Capital Expenditures for Information Security • Communication Path to Senior Management • Sponsors the Information Security Team to ensure the information security risk process is followed for organization activities, processes and projects • Will maintain the risk register • Communicate information security risks to Executive Leadership • Will report monthly or quarterly to organization leadership on risks that need to be addressed to bring risk to acceptable level
AI Justification
The text discusses the roles and responsibilities of various committees and individuals in managing information security risks, which aligns with the establishment of champions for information security and privacy.

Document Content
Matched Section
Section: Risk Management Performance
Content: The appropriate organization response will be based upon identified risk tolerance levels – remediate, mitigate, transfer, accept, or avoid. These organizational risk tolerance levels should be periodically reviewed and aligned with that of Lazard industry peers. Please see Lazard Risk Management Policy for detailed information regarding Risk Tolerance levels. (3) Plans will be developed and response to the risk will be assigned to the department or teams to take the steps to reduce risk to an acceptable level. Cooperation from all departments will be required to reduce risk in the Lazard environment. These steps will be monitored, tracked in the risk register, tested, and reported to senior leadership.
AI Justification
The text discusses organizational risk tolerance levels and the need for cooperation across departments to manage risks, which aligns with the elements of a supply chain risk management strategy.

Document Content
Matched Section
Section: Maintaining processes to track cybersecurity related risk across the organization.
Content: maintaining processes to track cybersecurity related risk across the organization.
AI Justification
The text discusses maintaining processes to track cybersecurity-related risks and the responsibilities of various teams in providing metrics and reports related to cybersecurity, which aligns with the concept of continuous monitoring.

Document Content
Matched Section
Section: Responsible for conducting technology and cyber risk assessments, documenting the identified threats and the likelihood of occurrence.
Content: Responsible for conducting technology and cyber risk assessments, documenting the identified threats and the likelihood of occurrence.
AI Justification
The responsibilities outlined for the Information Security Team and Risk Owners regarding conducting assessments and documenting identified threats align with the continuous monitoring requirements.

Document Content
Matched Section
Section: Risk Mitigator/Responder
Content: Is responsible for creating a mitigation plan and timelines. Is responsible for timely completion of the risk mitigation. Is responsible for execution and completion of risk mitigation.
AI Justification
The text discusses the creation of a mitigation plan and timelines, which aligns with the requirements for developing plans of action and milestones as stated in PM-4.

Document Content
Matched Section
Section: 1.4.4 Risk Management Performance
Content: Performance will be identified and measured by: • The reduction of risks reported quarterly. • Completion and reporting of reviews. • Compliance with regulation
AI Justification
The text discusses the identification and measurement of performance related to risk management, which aligns with the outcome-based metrics described in PM-6.

Document Content
Matched Section
Section: 1.4 REQUIREMENT
Content: The Information Security Team (InfoSec) will develop and maintain an Information Security Risk Management Process to frame, assess, respond, and monitor risk. Guidance for this process will be based on the National Institute of Standards and Technology Cyber Risk Framework (NIST CRF) and specific security regulations e.g. HIPAA, FERPA, etc. if applicable. The risk management process will be designed to assist Lazard to maintain compliance with regulatory requirements, federal and state and local laws.
AI Justification
The text discusses the development and maintenance of an Information Security Risk Management Process, which aligns with the integration of security and privacy requirements into the enterprise architecture.

Document Content
Matched Section
Section: 1.4 REQUIREMENT
Content: The Information Security Team (InfoSec) will develop and maintain an Information Security Risk Management Process to frame, assess, respond, and monitor risk. Guidance for this process will be based on the National Institute of Standards and Technology Cyber Risk Framework (NIST CRF) and specific security regulations e.g. HIPAA, FERPA, etc. if applicable. The risk management process will be designed to assist Lazard to maintain compliance with regulatory requirements, federal and state and local laws.
AI Justification
The mention of compliance with regulatory requirements and the structured risk management process indicates a level of architecture development that aligns with the control's focus on security and privacy architectures.

Document Content
Matched Section
Section: Risk Assessment
Content: Risk Assessment Policy/Plan? Vulnerability, Patch Management Standards Risk Assessment Process/Plan that contains Risk Tolerance details
AI Justification
The chunk discusses risk assessment processes and prioritization of critical assets, which aligns with the control's focus on protection strategies based on critical asset prioritization.

Document Content
Matched Section
Section: Risk Assessment
Content: Risk Assessment Policy/Plan? Vulnerability, Patch Management Standards Risk Assessment Process/Plan that contains Risk Tolerance details
AI Justification
The mention of risk assessment processes and plans indicates alignment with the control focused on conducting risk assessments.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The text discusses the investigation and analysis of information security incidents for risk management, aligning with the organization's risk management strategy.

Document Content
Matched Section
Section: Personnel Security Policy and Procedures
Content: Control: PS-1: Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures.
AI Justification
The text discusses the importance of personnel security policies and procedures in relation to risk management and organizational security, aligning with the control's focus on establishing such policies.

Document Content
Matched Section
Section: 20.5.2 Non-Compliance
Content: Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment.
AI Justification
The text discusses disciplinary actions for policy violations, which aligns with the accountability aspect of system property management and exit procedures.

Document Content
Matched Section
Section: 1.5 ROLES & RESPONSIBILITIES
Content: Board of Directors Audit Committee Executive Leadership, Risk Committee CIO CISO or appointed representative • Presented annual risk update • Approves Capital Expenditures for Information Security • Communication Path to Senior Management • Sponsors the Information Security Team to ensure the information security risk process is followed for organization activities, processes and projects • Will maintain the risk register • Communicate information security risks to Executive Leadership • Will report monthly or quarterly to organization leadership on risks that need to be addressed to bring risk to acceptable level ● Is responsible for developing, implementing, and
AI Justification
The section outlines the roles and responsibilities of various organizational positions in relation to information security, indicating clarity in understanding security responsibilities.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The text discusses the importance of policies and procedures in managing personally identifiable information, which aligns with the control's focus on processing and transparency.

Document Content
Matched Section
Section: Risk assessments completed for all organization events and projects.
Content: Risk assessments completed for all organization events and projects.
AI Justification
The mention of risk assessments completed for all organization events and projects aligns with the need for conducting risk assessments as part of the risk management strategy.

Document Content
Matched Section
Section: 1.4.1 RISK REGISTER
Content: The Risk Register is held currently in a spreadsheet across a combination of administrative and operational units and risk types. The purpose of the risk register is to consolidate all information about risk into a central repository. This allows risk management participants to use a single resource to obtain the status of the risk management process. The Chief Information Security Officer (CISO) or their appointed representative is responsible for maintaining the risk register.
AI Justification
The text discusses the importance of risk assessment policies and procedures, which aligns directly with the RA-1 control.

Document Content
Matched Section
Section: maintaining processes to track cybersecurity related risk across the organization.
Content: maintaining processes to track cybersecurity related risk across the organization.
AI Justification
The text discusses maintaining processes to track cybersecurity-related risks, which aligns with the proactive nature of threat hunting as described in control RA-10.

Document Content
Matched Section
Section: Risk Assessment and Reporting
Content: The person who has the responsibility for the risk, manages the risk mitigation efforts and the risk response if the risk occurs A brief description of the controls that are currently in place for the risk A priority list which is determined by the relative ranking of the risks by their qualitative risk score after considering a Security Control The consequence (severity or impact) for the risk The action which is to be taken to reduce the risk Date when Risk Mitigation will be implemented Risk Mitigation Owner Owner of the task to mitigate the risk Status of the Risk Identified, in mitigation, Mitigated, in Review, Accepted, Insurance coverage The Information Security Team will use risk register to assist with documenting the identified risks and their status.
AI Justification
The text discusses risk management activities, including risk mitigation efforts, risk response, and the use of a risk register, which aligns with the requirements of conducting risk assessments.

Document Content
Matched Section
Section: Risk Assessment
Content: Control: RA-5: Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities are not overlooked.
AI Justification
The text discusses the importance of security categorization in guiding vulnerability monitoring processes, ensuring that potential vulnerabilities are identified and addressed effectively.

Document Content
Matched Section
Section: Risk Assessment
Content: Vulnerability monitoring includes continuous vulnerability monitoring tools that use instrumentation to continuously analyze components.
AI Justification
The text emphasizes the need for continuous monitoring and updating of vulnerability tools, aligning with the concept of continuous vulnerability management.

Document Content
Matched Section
Section: Risk Management Performance
Content: The appropriate organization response will be based upon identified risk tolerance levels – remediate, mitigate, transfer, accept, or avoid. These organizational risk tolerance levels should be periodically reviewed and aligned with that of Lazard industry peers. Please see Lazard Risk Management Policy for detailed information regarding Risk Tolerance levels. (3) Plans will be developed and response to the risk will be assigned to the department or teams to take the steps to reduce risk to an acceptable level. Cooperation from all departments will be required to reduce risk in the Lazard environment. These steps will be monitored, tracked in the risk register, tested, and reported to senior leadership.
AI Justification
The text discusses various organizational responses to risk, including remediation, mitigation, transfer, acceptance, and avoidance, which aligns with the control's focus on risk response options.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: The policy and associated guidance provide a common methodology and organized approach to Information Security Risk Management whether based on regulatory compliance requirement or a threat to the organization.
AI Justification
The text discusses the importance of policies and procedures related to system and services acquisition, emphasizing the need for collaboration between security and privacy programs.

Document Content
Matched Section
Section: 1.4 REQUIREMENT
Content: The Information Security Team (InfoSec) will develop and maintain an Information Security Risk Management Process to frame, assess, respond, and monitor risk.
AI Justification
The text discusses the development and maintenance of an Information Security Risk Management Process, which aligns with the principles of integrating security and privacy considerations into the system development life cycle.

Document Content
Matched Section
Section: 1.4 REQUIREMENT
Content: The Information Security Team (InfoSec) will develop and maintain an Information Security Risk Management Process to frame, assess, respond, and monitor risk.
AI Justification
The mention of assessing and monitoring risk aligns with the requirements for conducting risk assessments as part of the risk management process.

Document Content
Matched Section
Section: 1.4 REQUIREMENT
Content: The Information Security Team (InfoSec) will develop and maintain an Information Security Risk Management Process to frame, assess, respond, and monitor risk. Guidance for this process will be based on the National Institute of Standards and Technology Cyber Risk Framework (NIST CRF) and specific security regulations e.g. HIPAA, FERPA, etc. if applicable. The risk management process will be designed to assist Lazard to maintain compliance with regulatory requirements, federal and state and local laws.
AI Justification
The text discusses the development and maintenance of an Information Security Risk Management Process, which aligns with the need for derived security and privacy requirements as outlined in SA-4.

Document Content
Matched Section
Section: 1.4 REQUIREMENT
Content: The Information Security Team (InfoSec) will develop and maintain an Information Security Risk Management Process to frame, assess, respond, and monitor risk.
AI Justification
The text discusses the application of systems security and privacy engineering principles throughout the system development life cycle, which aligns with the control's focus on integrating these principles into system development.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The text discusses the importance of policies and procedures in addressing security and privacy assurance, which aligns with the need for a system and communications protection policy.

Document Content
Matched Section
Section: Risk assessments completed for all organization events and projects.
Content: Risk assessments completed for all organization events and projects.
AI Justification
The mention of risk assessments completed for all organization events and projects aligns with the need for conducting risk assessments as part of the risk management strategy.

Document Content
Matched Section
Section: PURPOSE
Content: Lazard is committed to conducting all firm’s activities in compliance with all applicable laws, regulations, and Information Security policies. Lazard has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
AI Justification
The chunk discusses the protection of electronic information systems and related equipment, which aligns with the need to protect information at rest, ensuring confidentiality and integrity.

Document Content
Matched Section
Section: IS Risk Management Policy
Content: Lazard has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
AI Justification
The text discusses the protection of information contained within shared system resources, aligning with the control's focus on preventing unauthorized access to such information.

Document Content
Matched Section
Section: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
Content: Information Security incidents that are investigated and analyzed for risk resulting in the appropriate response or controls implemented.
AI Justification
The text discusses the importance of policies and procedures for system and information integrity, including the need for risk assessments and the roles and responsibilities of various stakeholders in managing information security risks.

Document Content
Matched Section
Section: 1.0 PURPOSE
Content: Lazard is committed to conducting all firm’s activities in compliance with all applicable laws, regulations, and Information Security policies. Lazard has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.
AI Justification
The text discusses the importance of managing and retaining information, including policies and procedures, which aligns with the requirements of SI-12.

Document Content
Matched Section
Section: Risk Management Engagement
Content: Risk management will involve the entire Lazard community. The Information Security Team will engage with Lazard stakeholders, departments, and teams to increase awareness, buy-in, and communication of risk and its associated processes in order to identify methods to integrate risk management in organization culture, events, projects, processes, strategic and operational planning.
AI Justification
The text discusses the engagement of the Information Security Team with various stakeholders to integrate risk management into the organizational culture, which aligns with the need for a supply chain risk management policy and procedures.

Document Content
Matched Section
Section: Risk Management
Content: Risk management will involve the entire Lazard community. The Information Security Team will engage with Lazard stakeholders, departments, and teams to increase awareness, buy-in, and communication of risk and its associated processes in order to identify methods to integrate risk management in organization culture, events, projects, processes, strategic and operational planning.
AI Justification
The text discusses the importance of engaging stakeholders and departments in risk management, which aligns with the need for coordinated efforts across an organization to manage supply chain risks.
7.0_IS_Asset_Management_Policy.pdf NIST
114 matches found

Document Content
Matched Section
Section: Policy Exceptions and Implementation
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses the ability of divisions to define and implement security requirements that may deviate from the established policy, which aligns with the need for access control policies and procedures to address organizational security needs.

Document Content
Matched Section
Section: 1.2.2 Asset Disposal & Re-Use
Content: All Lazard information should be classified to ensure that the information receives an appropriate level of protection in accordance with its importance to Lazard. The classification scheme should be consistent across the whole organization so that all information Assets are consistently classified and controlled.
AI Justification
The text discusses the classification and management of information assets, which aligns with the concept of binding attributes to subjects and objects for access control and information flow control.

Document Content
Matched Section
Section: Remote Access
Content: Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections.
AI Justification
The text discusses remote access to organizational systems and the use of encrypted VPNs, which aligns directly with the definition and requirements of AC-17.

Document Content
Matched Section
Section: Access Enforcement
Content: Enforcing access restrictions for remote access is addressed via AC-3.
AI Justification
The text mentions enforcing access restrictions for remote access, which aligns with the requirements of AC-3.

Document Content
Matched Section
Section: 1.2. Hardware, Software, Applications and Data - Inventory of Assets
Content: All relevant Lazard information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction. The asset inventory should be maintained within a centralized repository and official system of record (SOR).
AI Justification
The section discusses the identification and inventory of mobile devices, which aligns with the control's focus on the protection and management of mobile devices.

Document Content
Matched Section
Section: vi. Authorizing and periodically reviewing access entitlements.
Content: vi. Authorizing and periodically reviewing access entitlements.
AI Justification
The text discusses the identification and management of various types of system accounts, including the specification of access privileges and the review of access entitlements, which aligns with the requirements of AC-2.

Document Content
Matched Section
Section: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
Content: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
AI Justification
The text mentions defining and reviewing access restrictions and classification of important assets, which aligns with the requirements of AC-3.

Document Content
Matched Section
Section: Defining and periodically reviewing access restrictions and classification of important Assets
Content: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
AI Justification
The chunk discusses defining and reviewing access restrictions and classification of important assets, which aligns with the principles of information sharing and access control.

Document Content
Matched Section
Section: vi. Authorizing and periodically reviewing access entitlements.
Content: vi. Authorizing and periodically reviewing access entitlements.
AI Justification
The text discusses authorizing and reviewing access entitlements, which aligns with the concept of access control decisions.

Document Content
Matched Section
Section: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
Content: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
AI Justification
The mention of defining and reviewing access restrictions relates to the application of authorization information to specific accesses.

Document Content
Matched Section
Section: vi. Authorizing and periodically reviewing access entitlements.
Content: vi. Authorizing and periodically reviewing access entitlements.
AI Justification
The chunk discusses authorizing and reviewing access entitlements, which aligns with the enforcement of access control policies as described in AC-25.

Document Content
Matched Section
Section: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
Content: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
AI Justification
The mention of defining and reviewing access restrictions relates to the enforcement of access control policies.

Document Content
Matched Section
Section: vi. Authorizing and periodically reviewing access entitlements; ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
Content: vi. Authorizing and periodically reviewing access entitlements. ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
AI Justification
The chunk discusses authorizing and reviewing access entitlements, defining access restrictions, and ensuring proper handling of assets, which aligns with the principles of access control policies.

Document Content
Matched Section
Section: vi. Authorizing and periodically reviewing access entitlements, viii. Delegating authority as required within their business area to complete tasks.
Content: vi. Authorizing and periodically reviewing access entitlements. vii. Ensuring the resolution of information security-related audit issues. viii. Delegating authority as required within their business area to complete tasks.
AI Justification
The chunk discusses the delegation of authority and the operational roles and responsibilities of Asset Owners and Custodians, which relates to the concept of separation of duties to mitigate risks.

Document Content
Matched Section
Section: vi. Authorizing and periodically reviewing access entitlements.
Content: vi. Authorizing and periodically reviewing access entitlements.
AI Justification
The chunk discusses the delegation of authority and the review of access entitlements, which aligns with the principle of least privilege by ensuring that access is limited to what is necessary for specific duties.

Document Content
Matched Section
Section: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
Content: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
AI Justification
The chunk mentions defining and reviewing access restrictions and the delegation of roles, which relates to managing user accounts and their access rights.

Document Content
Matched Section
Section: Awareness and Training
Content: Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents.
AI Justification
The text discusses the provision of literacy training and awareness for system users, which aligns with the requirements of AT-2.

Document Content
Matched Section
Section: Personnel Security | Policy & Procedures
Content: Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs.
AI Justification
The text discusses the importance of role-based training tailored to the responsibilities and security requirements of personnel, which aligns directly with the control's focus on determining training content based on roles.

Document Content
Matched Section
Section: Policy Exception Process
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses the implementation of security requirements and mechanisms, as well as the process for requesting exceptions to the policy, which aligns with the need for audit and accountability policies and procedures.

Document Content
Matched Section
Section: 1.2.2 Asset Disposal & Re-Use
Content: All Lazard information should be classified to ensure that the information receives an appropriate level of protection in accordance with its importance to Lazard. The classification scheme should be consistent across the whole organization so that all information Assets are consistently classified and controlled. Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy. Assets that contain sensitive or internal information should be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse. Assets reuse and destruction practices should be tracked, documented, and evidenced.
AI Justification
The section discusses the classification and secure disposal of sensitive information, which aligns with the control's focus on preventing unauthorized disclosure of information.

Document Content
Matched Section
Section: Divisions & Functions Policy Implementation
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text is the same general tailoring clause; it relates only loosely to CA-1, which requires a dedicated assessment, authorization and monitoring policy and procedures that this clause does not provide.

Document Content
Matched Section
Section: Control: CA-3: System information exchange requirements apply to information exchanges between two or more systems.
Content: Control: CA-3: System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications.
AI Justification
The matched text is the NIST SP 800-53 discussion for CA-3 itself, reproduced in the document, so it restates the control's scope (what counts as a system information exchange) rather than evidencing an organizational requirement; the risk assessment and interconnection agreement elements CA-3 requires are not in the quoted content.

Document Content
Matched Section
Section: vi. Authorizing and periodically reviewing access entitlements.
Content: vi. Authorizing and periodically reviewing access entitlements.
AI Justification
The text concerns authorizing and periodically reviewing user access entitlements, an account management activity (closer to AC-2) performed by asset owners. CA-6 concerns a senior official's authorization to operate a system, which this text does not address.

Document Content
Matched Section
Section: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
Content: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
AI Justification
The text mentions defining and reviewing access restrictions and classification of important assets, which aligns with access control policies.

Document Content
Matched Section
Section: 1.2. Hardware, Software, Applications and Data - Inventory of Assets
Content: All relevant Lazard information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction. The asset inventory should be maintained within a centralized repository and official system of record (SOR).
AI Justification
The text requires a centralized inventory of information processing assets. Such an inventory is a prerequisite for documenting internal system connections under CA-9, but the quoted content does not itself address authorizing connections or recording their interface characteristics and security requirements.

Document Content
Matched Section
Section: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary.
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text is the general tailoring clause; it evidences that the policy permits divisions to strengthen controls, not a configuration management policy or procedures, so it supports CM-1 only weakly.

Document Content
Matched Section
Section: 1.2. Hardware, Software, Applications and Data - Inventory of Assets
Content: Relevant information regarding assets should include but is not limited to: ... Software/Application used during business at Lazard (i.e., Purchased or licensed software – Commercial Off The Shelf (COTS)
AI Justification
The section requires purchased or licensed COTS software to be recorded in the asset inventory, which supports tracking software licenses; it does not itself state usage restrictions or license compliance checks.

Document Content
Matched Section
Section: Software/Applications
Content: • Listing of applications that reside on the system. • Listing of updates, patches and fixes that have been installed.
AI Justification
The chunk requires the inventory to list the applications on a system and the updates, patches and fixes installed, which supports managing software installations and updates; it does not mention security controls.

Document Content
Matched Section
Section: Information Location
Content: • Listing of technologies that reside on the system (including version and service pack). • Listing of security controls that have been applied to secure the Asset.
AI Justification
The chunk requires the inventory to record the technologies on a system (with version and service pack) and the security controls applied to the asset, which supports knowing where information is processed and stored; licensing information is not in this content.

Document Content
Matched Section
Section: Software/Applications
Content: • Listing of updates, patches and fixes that have been installed.
AI Justification
The chunk requires a listing of installed updates, patches and fixes, which supports tracking software and firmware components; it does not address verifying that those components are authenticated (for example, digitally signed) before installation.

Document Content
Matched Section
Section: Baseline configurations for systems and system components
Content: • Listing of technologies that reside on the system (including version and service pack). • Listing of security controls that have been applied to secure the Asset. • Listing of updates, patches and fixes that have been installed. • Current version/release of the software.
AI Justification
The chunk lists the component-level attributes the inventory must record (technologies with version and service pack, applied security controls, installed patches, current software release), which supports establishing baseline configurations; licensing is not in this content.

Document Content
Matched Section
Section: Configuration Change Control
Content: Version number. • Licensing information. • Other key contacts including any third parties that support or maintain the resource. • Listing of technologies that reside on the system (including version and service pack). • Listing of security controls that have been applied to secure the Asset. • Listing of updates, patches and fixes that have been installed. • Host name of the system. • Primary and secondary IP address of the system. • Listing of applications that reside on the system. ii. Software/Applications: • Name of the application. • Description of the application's function. • Description of the application's technical architecture. • Name of the Asset Owner. • Current version/release of the software. • Licensing information. • Listing of security controls that have been applied to secure the Assets. • Listing of updates, patches and fixes that have been installed. • Other key contacts including any third parties that support or maintain the.
AI Justification
The chunk lists the attributes the inventory must record for hardware and software assets (version, licensing, contacts, technologies, applied security controls, installed patches). This supports configuration change control only indirectly, as a source of current-state data; it does not describe proposing, justifying, approving or recording changes.

Document Content
Matched Section
Section: Configuration Management | System Component Inventory
Content: Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system.
AI Justification
The text is the NIST SP 800-53 discussion for CM-6 (the definition of configuration settings), reproduced under a section titled System Component Inventory. It matches CM-6 because it is CM-6's own text; it does not evidence organizational settings, baselines or enforcement.

Document Content
Matched Section
Section: Configuration Management | System Component Inventory
Content: Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions.
AI Justification
The text is still the CM-6 discussion, which lists access control settings among privacy parameters. AC-19 (Access Control for Mobile Devices) does not concern access control policies, and nothing in this text concerns mobile devices, so the mapping does not hold.

Document Content
Matched Section
Section: 1.2. Hardware, Software, Applications and Data - Inventory of Assets
Content: All relevant Lazard information and information processing Assets should be identified, and an inventory of these assets maintained to ensure effective protection through creation, processing, storage, transmission, deletion, and eventual destruction. The asset inventory should be maintained within a centralized repository and official system of record (SOR).
AI Justification
The text discusses the need for an inventory of assets, including hardware and software, which aligns with the requirements for maintaining a centralized system component inventory as outlined in CM-8.

Document Content
Matched Section
Section: Contingency Planning Policy and Procedures
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text is the general tailoring clause; it does not address contingency planning, so it supports CP-1 only as evidence that a policy framework allowing tailoring exists.

Document Content
Matched Section
Section: Identification and Authentication Requirements
Content: Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication.
AI Justification
The text is the NIST SP 800-53 discussion for IA-2, reproduced in the document: it defines organizational users, points to HSPD 12, and scopes unique identification and authentication to all accesses other than those excepted under AC-14. It restates the requirement rather than evidencing an organizational one, and it does not mention specific authenticator types.

Document Content
Matched Section
Section: Identification and Authentication Requirements for Non-Organizational Users
Content: Identification and authentication requirements for non-organizational users are described in IA-8.
AI Justification
The text is a cross-reference sentence from the NIST discussion pointing to IA-8; it identifies the control but contains no organizational requirement for non-organizational users.

Document Content
Matched Section
Section: A.13.1.1 Network Controls
Content: A.13.1.1 Network Controls
AI Justification
The matched content is only the ISO/IEC 27001 Annex A heading "A.13.1.1 Network Controls"; it contains no discussion of device identification or authentication, so it does not evidence IA-3.

Document Content
Matched Section
Section: Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.
Content: Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.
AI Justification
The text states that authenticator management includes issuing and revoking temporary-access authenticators when no longer needed, which is one element of IA-5; it does not cover other authenticator types or their safeguarding.

Document Content
Matched Section
Section: Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others.
Content: Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others.
AI Justification
The text concerns safeguarding individual authenticators (keeping possession of them, not sharing them), which is an authenticator protection requirement under IA-5 and a rule of behavior under PL-4; it is not a least privilege matter.

Document Content
Matched Section
Section: The requirement to protect individual authenticators may be implemented via control PL-4.
Content: The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals.
AI Justification
The text states that the requirement to protect individual authenticators may be implemented through PL-4 (rules of behavior) or PS-6 (access agreements), so it supports PL-4 as a means of protecting authenticators; it says nothing about authenticator content.

Document Content
Matched Section
Section: The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals.
Content: The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals.
AI Justification
The text names PS-6 (access agreements) as one way to require individuals to protect authenticators in their possession, which is the personnel security link.

Document Content
Matched Section
Section: Identification and authentication of non-organizational users accessing federal systems
Content: Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14.
AI Justification
The chunk is the IA-8 control statement itself (non-organizational users uniquely identified and authenticated except for accesses documented under AC-14), reproduced in the document; it matches because it is IA-8's own text and does not evidence an organizational requirement.

Document Content
Matched Section
Section: accessing federal systems may be required to protect federal, proprietary, or privacy-related information
Content: Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems).
AI Justification
The text is from the IA-8 discussion; its exception for national security systems concerns the applicability of federal identification requirements, not AC-14. AC-14 (permitted actions without identification or authentication) is referenced by the preceding matched sentence, which exempts explicitly documented accesses, not by this one.

Document Content
Matched Section
Section: System Maintenance Information
Content: • Listing of updates, patches and fixes that have been installed. • Other key contacts including any third parties that support or maintain the resource.
AI Justification
The chunk requires the inventory to record installed updates, patches and fixes and the third parties that support or maintain an asset, which supports controlling system maintenance; it does not describe maintenance approval, scheduling or records.

Document Content
Matched Section
Section: Personnel Security | Policy & Procedures
Content: Control: MA-5: Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems.
AI Justification
The text is the NIST SP 800-53 discussion for MA-5, which defines maintenance personnel and distinguishes PE-2 for physical access; it matches because it is MA-5's own text and does not evidence an organizational process for authorizing or supervising maintenance personnel.

Document Content
Matched Section
Section: Personnel Security | Policy & Procedures
Content: Control: MA-5: Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems.
AI Justification
The text is the MA-5 discussion and only cross-references PE-2 for maintenance personnel working inside the physical protection perimeter; it does not describe physical access authorizations.

Document Content
Matched Section
Section: Policy Exception Process
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text is the general tailoring and exception clause; it does not mention media, so it supports MP-1 only as evidence that a policy framework with an exception path exists.

Document Content
Matched Section
Section: Personnel Security | Policy & Procedures
Content: Personnel Security | Policy & Procedures Personnel Security | Position Risk Designation Personnel Security |Personnel Screening Personnel Security |Personnel Termination Personnel Security |Personnel Transfer Personnel Security |Access Agreements Personnel Security |External Personnel Security Personnel Security |Personnel Sanctions Personnel Security |Position Descriptions System & Services Acquisition | Developer Screening
AI Justification
The chunk is a list of Personnel Security control titles (plus a developer screening title) and contains no reference to security markings or media; it does not evidence MP-3.

Document Content
Matched Section
Section: 1.2.2 Asset Disposal & Re-Use
Content: Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy. Assets that contain sensitive or internal information should be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse.
AI Justification
The text discusses the secure disposal of assets containing sensitive data and the need for formal procedures, which aligns with the media sanitization requirements outlined in control MP-6.

Document Content
Matched Section
Section: Media Protection | Media Downgrading
Content: Media Protection | Media Downgrading
AI Justification
The matched content is only the control title "Media Protection | Media Downgrading"; a title alone does not evidence a downgrading process or that information cannot be retrieved or reconstructed.

Document Content
Matched Section
Section: Divisions & Functions are free to define and implement stronger security requirements and mechanisms
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text is the general tailoring clause; it does not address physical or environmental protection, so it supports PE-1 only weakly.

Document Content
Matched Section
Section: Physical & Environmental Protection | Delivery & Removal
Content: Physical & Environmental Protection | Delivery & Removal
AI Justification
The matched content is only the control title "Physical & Environmental Protection | Delivery & Removal"; it contains no discussion of environmental controls or harsh environments and does not evidence the control.

Document Content
Matched Section
Section: vi. Authorizing and periodically reviewing access entitlements.
Content: vi. Authorizing and periodically reviewing access entitlements.
AI Justification
The text concerns authorizing and reviewing logical access entitlements, not the physical entry and exit of system components that PE-16 (Delivery and Removal) governs; the mapping does not hold.

Document Content
Matched Section
Section: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
Content: ix. Defining and periodically reviewing access restrictions and classification of important Assets, considering applicable access control policies.
AI Justification
The mention of defining and reviewing access restrictions and classification of important assets indicates a need for an access control policy.

Document Content
Matched Section
Section: c) The Asset inventory should be kept accurate, and it should be reviewed at least annually or whenever there is a major change.
Content: Relevant information about the Assets including their location, backup, and criticality should be maintained in the Asset inventory, including: i. All Assets except software/applications: • Asset ID: Name and unique identification number. • Location: Current location of the Asset.
AI Justification
The section discusses maintaining accurate asset inventory, including the current location of assets, which aligns with the purpose of asset location technologies.
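As an added example (not part of this report or of the policy being assessed), the following Python reconciles a constructed inventory export against the record fields the policy requires (Asset ID, location, owner, host name, IP address, backup, criticality and review date, as listed in the Inventory of Assets sections above) and against a constructed discovery scan. It produces the two checks a CM-8 / CIS Control 1 assessor actually wants beyond "an inventory exists": hosts live on the network but absent from the system of record, and records that are incomplete, malformed or overdue for the annual review. The field names, sample records and IP addresses are assumptions.

```python
"""Added example: reconcile an asset inventory (system of record) against the
policy's required fields and a discovery scan. All records are constructed
sample data, not a real inventory; the field names are assumptions drawn from
the policy text (Asset ID, Location, Owner, Host name, IP address, backup,
criticality, review date)."""
from datetime import date
import ipaddress

# Fields the policy requires for every non-software asset (names are assumptions).
REQUIRED_FIELDS = ("asset_id", "location", "owner", "hostname", "primary_ip",
                   "criticality", "backup", "last_reviewed")

# Constructed inventory export with deliberate defects: srv-02 lacks an owner
# and has a stale review date; srv-03 has a malformed primary IP.
INVENTORY = [
    {"asset_id": "A-0001", "location": "NYC-DC1", "owner": "infra-team",
     "hostname": "srv-01", "primary_ip": "10.0.1.10", "criticality": "high",
     "backup": "daily", "last_reviewed": "2025-06-01",
     "software": [{"name": "nginx", "version": "1.26.1"}]},
    {"asset_id": "A-0002", "location": "NYC-DC1", "owner": "",
     "hostname": "srv-02", "primary_ip": "10.0.1.11", "criticality": "medium",
     "backup": "weekly", "last_reviewed": "2024-03-15", "software": []},
    {"asset_id": "A-0003", "location": "LDN-DC2", "owner": "apps-team",
     "hostname": "srv-03", "primary_ip": "10.0.2.300", "criticality": "low",
     "backup": "none", "last_reviewed": "2025-07-20", "software": []},
]

# Constructed discovery results (what a network scan or EDR export would return).
DISCOVERED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.44"}


def record_findings(rec, today, max_age_days=365):
    """Return the policy deviations for one inventory record, in check order:
    missing required fields, malformed IP, then review older than max_age_days
    (the policy's 'at least annually')."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            findings.append(f"missing {field}")
    ip = rec.get("primary_ip")
    if ip:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"invalid primary_ip {ip!r}")
    reviewed = rec.get("last_reviewed")
    if reviewed:
        age = (today - date.fromisoformat(reviewed)).days
        if age > max_age_days:
            findings.append(f"review overdue ({age} days)")
    return findings


def reconcile(inventory, discovered, today_iso):
    """Compare the system of record against discovery. Returns a dict with
    unmanaged hosts, orphaned records and per-record field findings."""
    today = date.fromisoformat(today_iso)
    inventoried_ips = {r["primary_ip"] for r in inventory if r.get("primary_ip")}
    return {
        # Live on the network but absent from the SOR: the CM-8 / CIS 1 gap.
        "unmanaged": sorted(discovered - inventoried_ips),
        # In the SOR but not seen by discovery: retired or misrecorded assets.
        "orphaned": sorted(inventoried_ips - discovered),
        "record_findings": {r["asset_id"]: record_findings(r, today)
                            for r in inventory},
    }


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, DISCOVERED, "2025-08-14").items():
        print(kind, items)
```

The "unmanaged" list is the finding that matters for the inventory controls: an asset that is on the network but not in the system of record is outside every downstream control (patching, backup, ownership) that keys off the inventory. The malformed IP on A-0003 deliberately shows up both as a record finding and as an orphaned entry, since a bad key in the SOR can never match discovery.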

Document Content
Matched Section
Section: Physical & Environmental Protection | Delivery & Removal
Content: Physical & Environmental Protection | Delivery & Removal
AI Justification
The matched content is only the control title "Physical & Environmental Protection | Delivery & Removal"; it does not address protecting distribution and transmission lines (PE-4) and does not evidence the control.

Document Content
Matched Section
Section: Physical & Environmental Protection | Asset Monitoring & Tracking
Content: Physical & Environmental Protection | Asset Monitoring & Tracking
AI Justification
The matched content is only the control title "Physical & Environmental Protection | Asset Monitoring & Tracking"; it does not discuss handling or segregation of duties, and a title alone does not evidence the control.

Document Content
Matched Section
Section: Policy exception process and implementation of security requirements
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text is the general tailoring clause; it shows the policy permits division-level tailoring, which supports PL-1 only as evidence of a policy framework, not of planning policy and procedures.

Document Content
Matched Section
Section: Control: PL-11
Content: The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions.
AI Justification
The text is the NIST SP 800-53 discussion for PL-11 (baseline tailoring), reproduced in the document; it matches because it is PL-11's own text and does not show that the organization has tailored a baseline.

Document Content
Matched Section
Section: Rules of behavior represent a type of access agreement for organizational users.
Content: Control: PL-4: Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users.
AI Justification
The text is the NIST SP 800-53 discussion for PL-4, reproduced in the document: it defines rules of behavior as a type of access agreement and distinguishes rules for privileged and general users. It matches PL-4 because it is PL-4's own text; it does not show that rules have been established or acknowledged by users.

Document Content
Matched Section
Section: Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6).
Content: Control: PL-4: Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6).
AI Justification
The mention of nondisclosure agreements as a type of access agreement relates to personnel security and the need for agreements to protect sensitive information.

Document Content
Matched Section
Section: Control: PM-1
Content: An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.
AI Justification
The text is the NIST definition of an information security program plan (the PM-1 discussion); it defines the plan but does not describe the organization's own plan, its implementation or its updates.

Document Content
Matched Section
Section: Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information.
Content: Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy).
AI Justification
The text is the NIST discussion of protection needs (technology-independent capabilities to counter compromise of confidentiality, integrity, availability or privacy). It does not mention personally identifiable information or privacy risk assessment, so it supports the control only as a definition.

Document Content
Matched Section
Section: Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information.
Content: Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information.
AI Justification
The text states that privacy risk assessments prioritize the risks that system processing of personally identifiable information creates for individuals, which is part of risk assessment; it does not mention a categorization process.

Document Content
Matched Section
Section: Personnel Security | Policy & Procedures
Content: Organizations that handle classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs.
AI Justification
The text is the NIST SP 800-53 discussion for PM-12, which cites the federal requirement (EO 13587 and the ODNI National Insider Threat Policy) for insider threat programs; it matches because it is PM-12's own text and does not show an organizational insider threat program.

Document Content
Matched Section
Section: Assets ownership and responsibilities
Content: Ownership should be assigned for all assets maintained in the inventory. An Asset Owner should be assigned whenever Assets are acquired by or transferred by the organization.
AI Justification
The text discusses the assignment of ownership and responsibilities for assets, which aligns with the risk framing process by identifying stakeholders and their roles in managing risks associated with those assets.

Document Content
Matched Section
Section: Assets ownership and responsibilities
Content: Ensuring that a risk assessment is performed for all Assets under their control.
AI Justification
The mention of ensuring that a risk assessment is performed for all assets under their control aligns with the need for a risk management strategy that informs risk assessments.

Document Content
Matched Section
Section: Inventory & Control of Enterprise Assets
Content: Inventory & Control of Enterprise Assets
AI Justification
The matched content is only the CIS Control 1 title "Inventory & Control of Enterprise Assets"; it indicates the topic, but a title alone does not evidence a system inventory under PM-5.

Document Content
Matched Section
Section: Inventory & Control of Enterprise Assets
Content: Inventory & Control of Enterprise Assets
AI Justification
The matched content is the same CIS Control 1 title; it relates to CM-8 (system component inventory) by topic only.

Document Content
Matched Section
Section: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text is the general tailoring and exception clause; it does not address personnel security, so it supports PS-1 only as evidence of a policy framework that permits tailoring.

Document Content
Matched Section
Section: Personnel Security | Position Risk Designation
Content: Control: PS-2: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position.
AI Justification
The text is the NIST SP 800-53 discussion for PS-2, which grounds position risk designation in OPM policy and the Position Designation System; it matches because it is PS-2's own text and does not show that the organization designates position risk.

Document Content
Matched Section
Section: Personnel Security | Personnel Screening
Content: Personnel Security | Personnel Screening
AI Justification
The matched content is only the control title "Personnel Security | Personnel Screening"; a title alone does not evidence a screening process under PS-3.

Document Content
Matched Section
Section: a) Managers / HR should ensure that all Lazard employees and external Users (third party workers) return all of Lazard Assets, within their possession, upon termination of their employment, contract or agreement.
Content: a) Managers / HR should ensure that all Lazard employees and external Users (third party workers) return all of Lazard Assets, within their possession, upon termination of their employment, contract or agreement.
AI Justification
The text requires managers and HR to ensure that employees and third-party workers return all company assets on termination, which is the asset retrieval element of PS-4; exit interviews are covered by a separate matched section.

Document Content
Matched Section
Section: c) In cases where an employee or external party User has knowledge that is important to the ongoing operation of the company, that information should be documented during the exit interview.
Content: c) In cases where an employee or external party User has knowledge that is important to the ongoing operation of the company, that information should be documented during the exit interview.
AI Justification
The mention of documenting important information during exit interviews aligns with the control's emphasis on ensuring accountability and understanding of security constraints.

Document Content
Matched Section
Section: Acceptable Use of Assets
Content: Policies for the acceptable use of information and of Assets associated with information and information processing facilities should be identified, documented, and implemented.
AI Justification
The text discusses the establishment and implementation of policies for acceptable use of assets, which aligns with the need for access agreements that include rules of behavior and acceptable use.

Document Content
Matched Section
Section: a) Managers / HR should ensure that all Lazard employees and external Users (third party workers) return all of Lazard Assets, within their possession, upon termination of their employment, contract or agreement.
Content: a) Managers / HR should ensure that all Lazard employees and external Users (third party workers) return all of Lazard Assets, within their possession, upon termination of their employment, contract or agreement.
AI Justification
The text requires third-party workers as well as employees to return company assets when their contract ends, which supports PS-7's requirement that external personnel are subject to the same termination controls; it does not address notification to or monitoring of external providers.

Document Content
Matched Section
Section: Section 1.4 - Consequences for Violations
Content: Lazard Senior Management should define consequences for violations of all information security related policies, procedures, processes, or standards. Any User found to have violated any of these policies may be subject to disciplinary action, if such User is an employee, up to and including dismissal or termination of employment. Further, Users could be held individually liable for illegal activity which could also lead to criminal prosecution. Violation of these policies by anyone other than an employee performing services for Lazard, including anyone performing services pursuant to a contract, will be grounds for immediate termination. Lazard may also pursue any other additional rights and remedies it may have against anyone found to be in violation of these policies.
AI Justification
The text outlines the consequences for violations of information security policies, which aligns with the requirement for organizational sanctions reflecting applicable laws and policies.

Document Content
Matched Section
Section: Personnel Security | Position Descriptions
Content: Personnel Security | Position Descriptions
AI Justification
The matched chunk is only the heading "Personnel Security | Position Descriptions". The title points at the specification of security and privacy roles in position descriptions, but no substantive text was matched, so the alignment rests on the heading alone.

Document Content
Matched Section
Section: Network Monitoring & Defense
Content: Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems.
AI Justification
The text discusses proactive measures for identifying and mitigating threats, which aligns with the objectives of RA-10.

Document Content
Matched Section
Section: Network Monitoring & Defense
Content: Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats.
AI Justification
The proactive search for advanced threats and indicators of compromise is the subject of RA-10 (threat hunting). The text does not address categorizing systems or information by impact, so its alignment with RA-2 (security categorization) is weak.

Document Content
Matched Section
Section: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary...
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses the ability of divisions to define and implement security requirements based on risk, which aligns with the need for risk assessment policies and procedures.

Document Content
Matched Section
Section: Risk Assessment | Risk Categorization
Content: Risk Assessment | Risk Categorization
AI Justification
The matched chunk is only the heading "Risk Assessment | Risk Categorization". The title suggests categorization of risk, which is related to RA-2, but no substantive text was matched, so the alignment rests on the heading alone.

Document Content
Matched Section
Section: Risk Assessment | Criticality Analysis
Content: Risk Assessment | Criticality Analysis
AI Justification
The matched chunk is only the heading "Risk Assessment | Criticality Analysis". The title names criticality analysis, the subject of RA-9, but no substantive text was matched, so the alignment rests on the heading alone.

Document Content
Matched Section
Section: Criticality Analysis
Content: Control: RA-9: Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies.
AI Justification
The text discusses the importance of criticality analysis in identifying and prioritizing system components and functions that require protection.

Document Content
Matched Section
Section: Security Categorization
Content: Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.
AI Justification
The text mentions that criticality analysis can influence the protection measures required by development contractors and is part of security categorization.

Document Content
Matched Section
Section: Divisions & Functions are free to define and implement stronger security requirements and mechanisms
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the ability of divisions to define and implement security requirements and mechanisms, which aligns with the need for policies and procedures in system and services acquisition.

Document Content
Matched Section
Section: Configuration Management Activities
Content: Version number. • Licensing information. • Other key contacts including any third parties that support or maintain the resource. • Listing of technologies that reside on the system (including version and service pack). • Listing of security controls that have been applied to secure the Asset. • Listing of updates, patches and fixes that have been installed. • Host name of the system. • Primary and secondary IP address of the system. • Listing of applications that reside on the system. ii. Software/Applications: • Name of the application. • Description of the application's function. • Description of the application's technical architecture. • Name of the Asset Owner. • Current version/release of the software. • Licensing information. • Listing of security controls that have been applied to secure the Assets. • Listing of updates, patches and fixes that have been installed. • Other key contacts including any third parties that support or maintain the
AI Justification
The chunk lists system and application inventory attributes (version, licensing, applied security controls, installed patches, host name and IP addresses). These are system component inventory attributes (the subject of CM-8); SA-10 concerns configuration management performed by developers, so the alignment is indirect.

Document Content
Matched Section
Section: System Development Life Cycle
Content: A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering.
AI Justification
The text discusses the importance of integrating security and privacy considerations into the system development life cycle, which aligns with the principles outlined in SA-3.

Document Content
Matched Section
Section: Security Engineering Principles
Content: The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components.
AI Justification
The text mentions the role of security engineering principles in the design, coding, and testing of systems, which aligns with SA-8.

Document Content
Matched Section
Section: Qualified Personnel in System Development
Content: Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems.
AI Justification
The text requires qualified security and privacy personnel to participate in the system development life cycle, which is a requirement of SA-3. It does not address segregation of duties.

Document Content
Matched Section
Section: Control: SA-4
Content: Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2. The derived requirements include security and privacy capabilities, functions, and mechanisms.
AI Justification
The text discusses the derivation of security and privacy requirements, which aligns with the control's focus on functional requirements derived from high-level security and privacy objectives.

Document Content
Matched Section
Section: Access Control Policy
Content: Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders.
AI Justification
The text describes controls as safeguards that realize the organization's security and privacy objectives and stakeholder requirements. It does not mention access control, so its alignment with an access control policy requirement is indirect.

Document Content
Matched Section
Section: System Documentation
Content: Version number. • Licensing information. • Other key contacts including any third parties that support or maintain the resource. • Listing of technologies that reside on the system (including version and service pack). • Listing of security controls that have been applied to secure the Asset. • Listing of updates, patches and fixes that have been installed. • Host name of the system. • Primary and secondary IP address of the system. • Listing of applications that reside on the system.
AI Justification
The chunk provides detailed information about system documentation, including version numbers, licensing information, security controls applied, and updates, which aligns with the requirements for system documentation.

Document Content
Matched Section
Section: Control: SA-8: Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle.
Content: Control: SA-8: Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades.
AI Justification
The text discusses the implementation of systems security and privacy engineering principles throughout the system development life cycle, which aligns with the control's focus on applying these principles to develop secure systems.

Document Content
Matched Section
Section: Policy Exceptions and Implementation
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses the ability of divisions to define and implement security requirements, which aligns with the need for policies and procedures addressing system and communications protection.

Document Content
Matched Section
Section: Cryptography can be employed to support a variety of security solutions
Content: Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals.
AI Justification
The text discusses the use of cryptography to protect classified and controlled unclassified information, as well as the implementation of digital signatures, which aligns directly with control SC-13.

Document Content
Matched Section
Section: Divisions & Functions are free to define and implement stronger security requirements and mechanisms
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text gives divisions latitude to implement stronger security requirements and mechanisms where a higher protection level is needed. SC-50 concerns software-enforced domain separation and policy enforcement, so the overlap is only the general notion of additional strength of mechanism.

Document Content
Matched Section
Section: Network Controls
Content: A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks.
AI Justification
The text discusses the use of boundary protection devices to filter packets and protect internal networks from denial-of-service attacks, which aligns with the control's focus on boundary protection measures.

Document Content
Matched Section
Section: Network Controls
Content: Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.
AI Justification
The text describes increased capacity, bandwidth and service redundancy as denial-of-service mitigations. These are availability measures; their connection to monitoring and maintaining system integrity is indirect.

Document Content
Matched Section
Section: Divisions & Functions may implement stronger security requirements and mechanisms
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text gives divisions latitude to implement stronger security requirements and mechanisms where a higher protection level is needed. The alignment with SC-50, which concerns software-enforced domain separation and policy enforcement, is thematic only.

Document Content
Matched Section
Section: Segregation in Networks
Content: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture.
AI Justification
The text discusses managed interfaces and boundary protection within a security architecture, which aligns directly with the SC-7 control.

Document Content
Matched Section
Section: Control: SC-8: Protecting the confidentiality and integrity of transmitted information
Content: Control: SC-8: Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.
AI Justification
The text discusses protecting the confidentiality and integrity of transmitted information, which aligns directly with SC-8.

Document Content
Matched Section
Section: Control: SC-8: Protecting the confidentiality and integrity of transmitted information
Content: Control: SC-8: Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios.
AI Justification
The text concerns protecting the confidentiality and integrity of transmitted information (SC-8). Its connection to boundary protection is limited to the shared concern with communication paths.

Document Content
Matched Section
Section: Divisions & Functions are free to define and implement stronger security requirements and mechanisms
Content: Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text gives divisions latitude to implement stronger or, exceptionally, lower protection levels based on information security risk. It does not mention an exception request process, and its alignment with a system and information integrity policy is indirect.

Document Content
Matched Section
Section: 1.2.2 Asset Disposal & Re-Use
Content: Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy. Assets that contain sensitive or internal information should be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse. Assets reuse and destruction practices should be tracked, documented, and evidenced.
AI Justification
The section requires formal, tracked and evidenced procedures for sanitizing and disposing of assets that hold sensitive or internal information. This aligns with media sanitization and disposal requirements; the link to information management and retention is secondary.

Document Content
Matched Section
Section: Software/Applications
Content: • Listing of updates, patches and fixes that have been installed.
AI Justification
The chunk provides detailed information about the listing of updates, patches, and fixes that have been installed, which aligns with the need to remediate system flaws and report on security-relevant updates.

Document Content
Matched Section
Section: Network Monitoring & Defense
Content: Network Monitoring & Defense
AI Justification
The matched chunk is only the heading "Network Monitoring & Defense". The title relates to system monitoring, including external and internal monitoring, but no substantive text was matched, so the alignment rests on the heading alone.

Document Content
Matched Section
Section: Risk Assessment | Risk Categorization
Content: Risk Assessment | Risk Categorization
AI Justification
The matched chunk is only the heading "Risk Assessment | Risk Categorization". No text about network monitoring or the risks of monitoring activities was matched, so the alignment rests on the heading alone.

Document Content
Matched Section
Section: Risk Assessment | Criticality Analysis
Content: Risk Assessment | Criticality Analysis
AI Justification
The matched chunk is only the heading "Risk Assessment | Criticality Analysis". No text about continuous monitoring was matched, so the alignment rests on the heading alone.

Document Content
Matched Section
Section: System & Communications Protection
Content: System & Communications Protection
AI Justification
The matched chunk is only the heading "System & Communications Protection". The title names the control family, but no substantive text was matched, so the alignment rests on the heading alone.

Document Content
Matched Section
Section: Software/Applications
Content: • Listing of technologies that reside on the system (including version and service pack). • Listing of security controls that have been applied to secure the Asset. • Listing of updates, patches and fixes that have been installed.
AI Justification
The chunk discusses the listing of technologies, applications, and security controls applied to secure the asset, which relates to monitoring and maintaining the integrity of software and systems.

Document Content
Matched Section
Section: 1.2.2 Asset Disposal & Re-Use
Content: All Lazard information should be classified to ensure that the information receives an appropriate level of protection in accordance with its importance to Lazard. The classification scheme should be consistent across the whole organization so that all information Assets are consistently classified and controlled. Assets should be securely disposed of when no longer required, using formal procedures. The procedures for secure disposal of Assets containing sensitive data can be found in IS Global Policies and Standards, Data Security Policy. Assets that contain sensitive or internal information should be adequately obscured, erased, destroyed, or otherwise rendered unusable prior to disposal or reuse. Assets reuse and destruction practices should be tracked, documented, and evidenced.
AI Justification
The text discusses the secure disposal of assets containing sensitive data and the need for formal procedures, which aligns with the control's emphasis on proper disposal methods throughout the system development life cycle.
27.0_IS_Lazard_Reference_Timeout_Standard.pdf NIST
24 matches found

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the need for an access control policy, procedures for exceptions, and the approval process, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: Working Sessions and INFORMATION SECURITY GOALS
Content: Working Sessions are often lost due to timeouts. Users need to reestablish state on work every time they are logged out of systems, losing all progress to that point. INFORMATION SECURITY GOALS Information Security Risk from extending timeout is minimal because the screen lock of 15 minutes is still active for all workstations and enforced at the AD Level.
AI Justification
The text states that, even with the application timeout extended, a 15-minute screen lock enforced through Active Directory remains in force on all workstations. That lock is the compensating control, and it aligns with device lock as a temporary measure against unauthorized use of an unattended workstation.
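The compensating control cited above is an Active Directory enforced 15-minute screen lock. The PowerShell below is an added verification example, not part of the timeout standard or of this assessment output. It reads the registry values that Group Policy writes for the machine inactivity limit and for the policy-driven, password-protected screen saver, and reports whether the workstation locks within the ceiling. The 900-second threshold and the `Test-ScreenLockPolicy` function name are assumptions for the example.

```powershell
# Added example: confirm that the Group Policy screen-lock compensating control is in effect
# on this workstation. Not part of the original standard. Run as the interactive user so that
# the HKCU policy hive reflects the GPO applied to that user.

function Test-ScreenLockPolicy {
    [CmdletBinding()]
    param(
        # Ceiling stated by the standard: 15 minutes (assumed here as 900 seconds).
        [int]$MaxSeconds = 900
    )

    # "Interactive logon: Machine inactivity limit" (Computer Configuration) is written here.
    $machineKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $machine      = Get-ItemProperty -Path $machineKey -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
    $machineLimit = if ($machine) { [int]$machine.InactivityTimeoutSecs } else { $null }

    # User Configuration screen saver policy: timeout, "password protect", and "enable" settings.
    # Only the Policies key counts; a user-chosen screen saver under HKCU\Control Panel\Desktop
    # is not enforced and is deliberately ignored.
    $userKey     = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user        = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
    $userTimeout = if ($user -and $user.ScreenSaveTimeOut) { [int]$user.ScreenSaveTimeOut } else { $null }
    $userSecure  = if ($user) { $user.ScreenSaverIsSecure -eq '1' } else { $false }
    $userActive  = if ($user) { $user.ScreenSaveActive -eq '1' } else { $false }

    # Either mechanism satisfies the control if it locks within the ceiling.
    $machineOk = ($null -ne $machineLimit) -and ($machineLimit -gt 0) -and ($machineLimit -le $MaxSeconds)
    $userOk    = $userActive -and $userSecure -and ($null -ne $userTimeout) -and
                 ($userTimeout -gt 0) -and ($userTimeout -le $MaxSeconds)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        MachineInactivityLimit  = $machineLimit
        UserScreenSaverTimeout  = $userTimeout
        UserScreenSaverSecure   = $userSecure
        EnforcedByMachinePolicy = $machineOk
        EnforcedByUserPolicy    = $userOk
        Compliant               = ($machineOk -or $userOk)
    }
}

Test-ScreenLockPolicy | Format-List
```

A result with both `EnforcedByMachinePolicy` and `EnforcedByUserPolicy` false means the 15-minute lock is not actually being enforced on that host, which removes the basis on which the exception claims the extended timeout is low risk. Run the check on a sample of workstations in the affected division, not only on the requester's machine.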

Document Content
Matched Section
Section: Use case #4
Content: Working Sessions are often lost due to timeouts. Users need to reestablish state on work every time they are logged out of systems, losing all progress to that point.
AI Justification
The text describes working sessions being terminated by timeouts and the resulting loss of state. It relates to session termination controls, although the standard argues for extending the timeout rather than shortening it.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses exceptions to access control policies and the approval process for such exceptions, which aligns with the control's focus on enforcing authorized access and defining security requirements.

Document Content
Matched Section
Section: Use case #4
Content: Working Sessions are often lost due to timeouts. Users need to reestablish state on work every time they are logged out of systems, losing all progress to that point.
AI Justification
The text describes working sessions lost to timeouts and the need to re-establish state. It concerns session timeouts, not unsuccessful logon attempts, so the alignment with logon attempt management is weak.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The matched text is the standard's generic exception clause: exceptions need advance InfoSec approval, and divisions may set stronger or, exceptionally, lower protection levels. It says nothing specific to audit and accountability, so the alignment with the audit and accountability policy control is by pattern only and should be confirmed against the dedicated policy document.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The matched text is the standard's generic exception clause and says nothing specific to assessment, authorization or monitoring. The alignment with the assessment and authorization policy control is by pattern only and should be confirmed against the dedicated policy document.

Document Content
Matched Section
Section: Detailed explanation of why the exception is necessary.
Content: Detailed explanation of why the exception is necessary. Detailed mitigation information, if available. A record of all approved requests should be maintained by the CISO or his/her designee and be available on request.
AI Justification
The text requires a detailed rationale and mitigation information for each exception and a record of approved requests maintained by the CISO or a designee. This is a management authorization and record-keeping process for policy exceptions; CA-6 concerns authorizing systems to operate, so the alignment is by analogy.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The matched text is the standard's generic exception clause and says nothing specific to configuration management. The alignment with the configuration management policy control is by pattern only and should be confirmed against the dedicated policy document.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The matched text is the standard's generic exception clause, including the requirement to follow Lazard's policy exception process. It says nothing specific to contingency planning, so the alignment with the contingency planning policy control is by pattern only.

Document Content
Matched Section
Section: Use case #4
Content: Working Sessions are often lost due to timeouts. Users need to reestablish state on work every time they are logged out of systems, losing all progress to that point.
AI Justification
The text describes lost working sessions and re-entry of state after timeouts. This is a usability and productivity concern; it does not describe alternative mechanisms for operational continuity, so the alignment with contingency planning is weak.

Document Content
Matched Section
Section: Use case #4
Content: Working Sessions are often lost due to timeouts. Users need to reestablish state on work every time they are logged out of systems, losing all progress to that point.
AI Justification
The text describes users re-establishing state after timeouts. The matched chunk itself does not mention MFA or screen lock; the connection to re-authentication is that a timed-out user must authenticate again before continuing.

Document Content
Matched Section
Section: INFORMATION SECURITY GOALS
Content: In order to access any system, a user still needs to go through Cyberark with MFA, and connect via VPN with MFA.
AI Justification
The text discusses the requirement for users to go through Cyberark with Multi-Factor Authentication (MFA) to access systems, which aligns with the identification and authentication requirements.

Document Content
Matched Section
Section: INFORMATION SECURITY GOALS
Content: In order to access any system, a user still needs to go through Cyberark with MFA, and connect via VPN with MFA.
AI Justification
The text requires CyberArk with MFA and VPN with MFA for any system access. That applies to all users rather than specifically to nonlocal maintenance sessions, but it demonstrates strong authentication that would also cover such sessions.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The matched text is the standard's generic exception clause and says nothing specific to physical and environmental protection. The alignment with the physical and environmental protection policy control is by pattern only and should be confirmed against the dedicated policy document.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The matched text is the standard's generic exception clause and says nothing specific to security planning. The alignment with the planning policy control is by pattern only and should be confirmed against the dedicated policy document.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee: 1. Policy statement requiring the exception. 2. Exception duration. Provide detailed information.
AI Justification
The matched text is the standard's exception clause together with the exception request procedure (ServiceNow form, approval by a director-level manager and the CISO or designee, stated duration). It says nothing specific to personnel security, so the alignment with the personnel security policy control is by pattern only.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The matched text is the standard's generic exception clause and says nothing about personally identifiable information. The alignment with PII processing and transparency policy is by pattern only and should be confirmed against the dedicated policy document.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the necessity of having a risk assessment policy and procedures, including the process for handling exceptions to the policy, which aligns with the requirements of RA-1.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security requirements, which aligns with the control's focus on acquisition policies and procedures.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the process of defining and implementing security requirements and exceptions, which aligns with the concept of deriving security and privacy functional requirements.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security measures, which aligns with the requirements for system and communications protection policies.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses exceptions to policy and the ability of divisions to implement stronger or lower security requirements based on specific needs, which aligns with the need for additional strength of mechanism for domain separation and policy enforcement.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for system and information integrity, including the process for exceptions to these policies.
15.1_IS_Lazard_CSIRT-CSIRP_Framework_Standard.pdf NIST
44 matches found

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the need for an access control policy and procedures, including the process for exceptions, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: Audit and accountability policy and procedures
Content: Control: AU-1: Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of audit and accountability policies and procedures, emphasizing their role in security and privacy assurance, which aligns with AU-1.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC (“Lazard”) and may not be copied, used or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The document emphasizes the confidentiality of the information contained within it and restricts its copying, use, or disclosure, aligning with the control's focus on preventing unauthorized disclosure.

Document Content
Matched Section
Section: Incident Verification
Content: Cybersecurity events are detected and reported through many different channels. Some are reported by end-users to the global help desk or by IT technicians and engineers, while others are reported by automated monitoring tools. The first step in any incident response plan is to assess the event and determine if it is an actionable event.
AI Justification
The text discusses the importance of detecting and reporting cybersecurity events, which aligns with the need for logging significant events for security and privacy.

Document Content
Matched Section
Section: Evidence Gathering and Documentation
Content: Evidence should be accounted for at all times; whenever evidence is transferred from person to person, the chain of custody should be documented in writing and detail the transfer including each party’s signature. A detailed log should be kept for all evidence, including the following: Identifying information (e.g., the location, serial number, model number, hostname, media access control (MAC) addresses, and IP addresses of a computer), Name, title, and phone number of each individual who collected or handled the evidence during the investigation, Time and date (including time zone) of each occurrence of evidence handling, Locations where the evidence was stored.
AI Justification
The chunk discusses the importance of documenting evidence handling, including timestamps and identifying information, which aligns with the requirements for audit record content.

Document Content
Matched Section
Section: EXCEPTION
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security policies, which aligns with the assessment and authorization processes outlined in CA-1.

Document Content
Matched Section
Section: Incident Response Recovery and Post Incident Activity
Content: Post-mortem analysis of the way an incident was handled will often reveal a missing step or an inaccuracy in a procedure, providing impetus for change. Because of the changing nature of information technology and changes in personnel, the incident response team should review all related documentation and procedures for handling incidents at designated intervals.
AI Justification
The chunk discusses the importance of reviewing documentation and procedures after an incident, which aligns with the need for plans of action and milestones to track remedial actions.

Document Content
Matched Section
Section: Impact assessment(s) related to the incident.
Content: Impact assessment(s) related to the incident. See Sensitivity section above. • A list of evidence gathered during the incident investigation. • Comments from incident responders.
AI Justification
The chunk discusses impact assessments related to incidents, which aligns with the requirement for conducting impact analyses as outlined in control CM-4.

Document Content
Matched Section
Section: Containment Phase of Incident Response
Content: The containment phase begins with Information Security holding an initial analysis meeting (as required, could be face-to-face or over the phone). Information Security will review playbooks and consult with IT Service Owners and Business Owners as required. Based on the initial interactions from step C1, Information Security determines the containment plan of action in order to constrain the incident.
AI Justification
The text discusses the containment phase of incident response, which aligns with the need for contingency planning policies and procedures to address incidents and ensure proper actions are taken.

Document Content
Matched Section
Section: Recovery
Content: In recovery, system administrators restore systems to normal operation and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery efforts, generally carried out by IT personnel, should not commence until approved by the Information Security team and a full backup of the impacted systems has been taken for archival and evidential purposes.
AI Justification
The text discusses recovery activities and the importance of restoring systems to normal operation, which aligns with the objectives of CP-10 regarding recovery and reconstitution.

Document Content
Matched Section
Section: Contingency Planning for Systems
Content: The Cyber Security Specialist determines the recovery plan of action in order to best return service from the incident that has occurred. Individuals providing inputs to the recovery plan of action are determined during the assessment phase. The playbook input and escalation processes are used as input to establish the recovery plan of action.
AI Justification
The text discusses the recovery plan of action and the involvement of stakeholders, which aligns with the principles of contingency planning.

Document Content
Matched Section
Section: Preparation
Content: Preparation can also be called the pre-incident phase. It involves the steps that are taken before an incident occurs. In other words, this is the time in which the incident responders prepare for the incident. This can include training, defining policies and procedures, gathering tools and necessary software, procuring necessary hardware equipment, etc. This phase includes everything that can aid in faster resolution of an incident, including tabletop practice exercises designed to condition the responders to react in an orderly, controlled and systematic approach to the onset of an incident. A key part of this preparation process is developing predetermined levels of acceptable risk for specified incident categories, severities and sensitivities.
AI Justification
The chunk discusses the importance of preparation and training for incident responders, which aligns with the need for contingency training linked to roles and responsibilities.

Document Content
Matched Section
Section: Preparation
Content: Preparation can also be called the pre-incident phase. It involves the steps that are taken before an incident occurs. In other words, this is the time in which the incident responders prepare for the incident. This can include training, defining policies and procedures, gathering tools and necessary software, procuring necessary hardware equipment, etc. This phase includes everything that can aid in faster resolution of an incident, including tabletop practice exercises designed to condition the responders to react in an orderly, controlled and systematic approach to the onset of an incident.
AI Justification
The chunk discusses preparation activities, including tabletop practice exercises, which align with the methods for testing contingency plans as outlined in CP-4.

Document Content
Matched Section
Section: CSIRP Scope
Content: Lazard adverse events may lead to a business disruption or a crisis situation if not handled properly in the early stages. Therefore, a robust and well-rehearsed incident response plan is mandatory for Lazard to deal with Lazard events and incidents in a timely and consistent manner. For the purposes of this document, the focus will be on those Lazard adverse events and incidents that are cybersecurity related. This section of the document outlines the process to be followed for cybersecurity event and incident management.
AI Justification
The text discusses the importance of a robust incident response plan and outlines the processes for managing cybersecurity events and incidents, which aligns with the requirements of IR-1.

Document Content
Matched Section
Section: Incident Response Recovery and Post Incident Activity
Content: Post-mortem analysis of the way an incident was handled will often reveal a missing step or an inaccuracy in a procedure, providing impetus for change. Because of the changing nature of information technology and changes in personnel, the incident response team should review all related documentation and procedures for handling incidents at designated intervals.
AI Justification
The text discusses the need for reviewing documentation and procedures related to incident handling, which aligns with the training and preparedness aspects of incident response.

Document Content
Matched Section
Section: Incident Response Recovery and Post Incident Activity
Content: Post-mortem analysis of the way an incident was handled will often reveal a missing step or an inaccuracy in a procedure, providing impetus for change. Because of the changing nature of information technology and changes in personnel, the incident response team should review all related documentation and procedures for handling incidents at designated intervals.
AI Justification
The text discusses the importance of reviewing documentation and procedures after an incident, which aligns with testing incident response capabilities to identify weaknesses.

Document Content
Matched Section
Section: Detection and Analysis
Content: The most challenging part of the incident response process is accurately detecting and assessing adverse events as possible incidents. Determining whether an event is truly an incident or simply an inadvertent non-incident.
AI Justification
The text discusses the importance of accurately detecting and assessing adverse events as incidents, which aligns with the incident response capabilities outlined in control IR-4.

Document Content
Matched Section
Section: Incident Classification section
Content: Once the adverse event has been analyzed, verified and declared an incident it is time to classify and categorize the incident. Please see the Incident Classification section for more detailed information on classifying an incident. As part of the classification effort, the incident should be documented in the Incident Tracking System (ITS). The ITS documentation should contain the following information: The incident tracking system should contain information on the following: • The incident Severity, Category and Sensitivity as described above. • The current status of the incident (new, in progress, forwarded for investigation, resolved, etc.). • A summary of the incident. • Indicators related to the incident. • Other incidents related to this incident. • Actions taken by all incident responders on this incident. • Contact information for other involved parties (e.g., system owners, system administrators).
AI Justification
The text discusses the documentation of incidents, including details such as severity, status, summary, indicators, related incidents, actions taken, and contact information, which aligns with the requirements of control IR-5.

Document Content
Matched Section
Section: Incident Prioritization (Severity)
Content: When an actionable security incident occurs, the CSIRT is responsible for obtaining the most current information regarding the possible impact of the incident and assigning a severity to the incident.
AI Justification
The section discusses the responsibility of the CSIRT in obtaining information regarding the impact of incidents and assigning severity levels, which aligns with the requirements for reporting incidents and reflecting applicable laws and policies.

Document Content
Matched Section
Section: Incident Response Recovery and Post Incident Activity
Content: Post-mortem analysis of the way an incident was handled will often reveal a missing step or an inaccuracy in a procedure, providing impetus for change. Because of the changing nature of information technology and changes in personnel, the incident response team should review all related documentation and procedures for handling incidents at designated intervals.
AI Justification
The chunk discusses the review of incident handling procedures and documentation, which aligns with the need for support resources in incident response.

Document Content
Matched Section
Section: Incident Response Recovery and Post Incident Activity
Content: Post-mortem analysis of the way an incident was handled will often reveal a missing step or an inaccuracy in a procedure, providing impetus for change. Because of the changing nature of information technology and changes in personnel, the incident response team should review all related documentation and procedures for handling incidents at designated intervals.
AI Justification
The chunk discusses the importance of reviewing documentation and procedures related to incident handling, which aligns with the need for a coordinated approach to incident response as outlined in control IR-8.

Document Content
Matched Section
Section: Containment Phase
Content: The containment phase begins with Information Security holding an initial analysis meeting (as required, could be face-to-face or over the phone). Information Security will review playbooks and consult with IT Service Owners and Business Owners as required. Based on the initial interactions from step C1, Information Security determines the containment plan of action in order to constrain the incident.
AI Justification
The containment phase involves assessing the situation and determining a plan of action to address potential information spillage, which aligns with the requirements of IR-9.

Document Content
Matched Section
Section: Incident Lifecycle
Content: The incident lifecycle process has several phases to it. The most important phase is the preparation phase. This phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
AI Justification
The text discusses the organization-wide management and implementation of controls, which aligns with the concept of central management as outlined in control PL-9.

Document Content
Matched Section
Section: Incident Lifecycle
Content: During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
AI Justification
The text mentions the assessment of controls as part of the central management process, which aligns with the need for control assessments.

Document Content
Matched Section
Section: Information Security Program Plan Overview
Content: An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.
AI Justification
The text discusses the importance of an information security program plan, detailing its purpose, implementation, and updates, which aligns directly with the control's focus on documenting security requirements and management controls.

Document Content
Matched Section
Section: Risk Framing
Content: Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners.
AI Justification
The text discusses the importance of including various stakeholders in the risk framing process, which aligns with the control's emphasis on organizational-level risk framing and stakeholder consultation.

Document Content
Matched Section
Section: Incident Lifecycle
Content: During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
AI Justification
The mention of conducting risk assessments and implementing controls based on their results aligns with the need for a risk assessment policy and procedures.

Document Content
Matched Section
Section: Incident Lifecycle
Content: During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
AI Justification
The text discusses the importance of conducting risk assessments to inform the selection and implementation of controls, which aligns with the requirements of RA-3.

Document Content
Matched Section
Section: Material Reactive Services
Content: • Material Reactive Services o Vulnerability handling o Vulnerability analysis o Vulnerability response coordination
AI Justification
The text discusses various aspects of vulnerability monitoring, including the need for vulnerability analysis, handling, and response coordination, which aligns with the requirements outlined in RA-5.

Document Content
Matched Section
Section: Incident Lifecycle
Content: During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
AI Justification
The text discusses the importance of determining an appropriate response to risk and mentions the implementation of controls based on risk assessments, which aligns with the control's focus on risk response options.

Document Content
Matched Section
Section: System Development Life Cycle Process
Content: A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering.
AI Justification
The text discusses the integration of security and privacy considerations in the system development life cycle, which aligns with the principles outlined in SA-3.

Document Content
Matched Section
Section: Security Engineering Principles
Content: The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components.
AI Justification
The text mentions the importance of security engineering principles in designing, coding, and testing systems, which aligns with SA-8.

Document Content
Matched Section
Section: Recovery
Content: In recovery, system administrators restore systems to normal operation and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery efforts, generally carried out by IT personnel, should not commence until approved by the Information Security team and a full backup of the impacted systems has been taken for archival and evidential purposes.
AI Justification
The chunk discusses recovery processes that ensure systems are restored to a known good state, which aligns with the control's focus on preventing loss of confidentiality, integrity, or availability during failures.

Document Content
Matched Section
Section: Containment strategies for incidents
Content: Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS attack.
AI Justification
The chunk discusses containment strategies for incidents, including network-based DDoS attacks, which aligns with the need to address denial-of-service events.

Document Content
Matched Section
Section: Discussion on various types of attacks and incidents related to network security.
Content: • DOS or DDOS attack. • Any forensic work to be done by CSIRT post incident declaration. • Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property. • Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malware-infected hosts where an attacker is actively controlling the host. • Theft / Fraud / Human Safety / Child Sexual Abuse Material. • Computer-related incidents of a criminal nature, likely involving law enforcement. • Reconnaissance or Suspicious activity originating from inside the Company corporate network, excluding malware. • Reconnaissance or Suspicious Activity originating from outside the Company corporate network (partner network, Internet), excluding malware. • A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that
AI Justification
The text discusses various types of attacks and incidents that can compromise network security, which aligns with the need for managed interfaces and boundary protection to mitigate such risks.

Document Content
Matched Section
Section: System and information integrity policy and procedures
Content: System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of policies and procedures related to system and information integrity, which aligns with the requirements of control SI-1.

Document Content
Matched Section
Section: Recovery and Post-incident Activity
Content: In recovery, system administrators restore systems to normal operation and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery efforts, generally carried out by IT personnel, should not commence until approved by the Information Security team and a full backup of the impacted systems has been taken for archival and evidential purposes.
AI Justification
The text discusses the need to remediate vulnerabilities and restore systems to normal operation, which aligns with the requirements of SI-2 regarding the identification and remediation of system flaws.

Document Content
Matched Section
Section: Cyber Security Incident Response Framework
Content: • DOS or DDOS attack. • Any forensic work to be done by CSIRT post incident declaration. • Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property. • Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malware-infected hosts where an attacker is actively controlling the host. • Theft / Fraud / Human Safety / Child Sexual Abuse Material. • Computer-related incidents of a criminal nature, likely involving law enforcement. • Reconnaissance or Suspicious activity originating from inside the Company corporate network, excluding malware. • Reconnaissance or Suspicious Activity originating from outside the Company corporate network (partner network, Internet), excluding malware. • A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that.
AI Justification
The text discusses various types of cyber-attacks and incidents, including DDoS attacks, compromised hosts, and the need for forensic work post-incident, which aligns with the control's focus on managing and responding to incidents.

Document Content
Matched Section
Section: Recovery Plan of Action
Content: The Cyber Security Specialist determines the recovery plan of action in order to best return service from the incident that has occurred. Individuals providing inputs to the recovery plan of action are determined during the assessment phase.
AI Justification
The text discusses the importance of inputs in determining the recovery plan of action, which aligns with the need to ensure the integrity of information used in system services.

Document Content
Matched Section
Section: Malicious code protection mechanisms include both signature- and nonsignature-based technologies.
Content: • DOS or DDOS attack. • Any forensic work to be done by CSIRT post incident declaration. • Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property. • Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malware-infected hosts where an attacker is actively controlling the host.
AI Justification
The chunk discusses various types of attacks, including DOS or DDOS attacks, and mentions compromised hosts and malware, which directly relates to the control's focus on malicious code and its protection mechanisms.

Document Content
Matched Section
Section: Situational guidance and formal declaration of a cybersecurity event.
Content: • Situational guidance and formal declaration of a cybersecurity event.
AI Justification
The chunk discusses coordinating response strategies and communication during cybersecurity events, which aligns with the need for situational awareness and compliance with security directives.

Document Content
Matched Section
Section: Incident Reporting and Response Process
Content: A network management system or an external service provider raises an alert. A human contacts Helpdesk or the SOC to report a possible cybersecurity event. An endpoint system (e.g. an antivirus) has detected malware.
AI Justification
The chunk describes the process of raising alerts and reporting possible cybersecurity events, which aligns with the transitional states and notifications outlined in control SI-6.

Document Content
Matched Section
Section: Discussion of various computer-related incidents and attacks.
Content: • DOS or DDOS attack. • Any forensic work to be done by CSIRT post incident declaration. • Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property. • Compromised host (root account, Trojan, rootkit), network device, application, user account. This includes malware-infected hosts where an attacker is actively controlling the host. • Theft / Fraud / Human Safety / Child Sexual Abuse Material. • Computer-related incidents of a criminal nature, likely involving law enforcement. • Reconnaissance or Suspicious activity originating from inside the Company corporate network, excluding malware. • Reconnaissance or Suspicious Activity originating from outside the Company corporate network (partner network, Internet), excluding malware. • A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that.
AI Justification
The chunk discusses various types of attacks and incidents that can lead to unauthorized changes or compromises of sensitive information and systems, aligning with the need for integrity-checking mechanisms.

Document Content
Matched Section
Section: Incident Communication and Reporting
Content: information with relevant Service Owners, stakeholders, external service providers (or their third parties) and others in regards to the incident. Once all relevant information is distributed and shared the Security Operations team will identify any further post incident activities that should be executed and report actions taken.
AI Justification
The text discusses the importance of sharing information among relevant parties regarding incidents, which aligns with the need for communication among supply chain entities as stated in control SR-8.
16.0_IS_Maintaining_Security_during_BC__DR_Policy_1.pdf NIST
50 matches found

Document Content
Matched Section
Section: 1.2 REQUIREMENTS
Content: All security controls described in the IS Global Policies & Standards document entitled “8.0 Access Control Policy” should be strictly adhered to while conducting a drill or participating in an actual BC/DR event.
AI Justification
The text discusses the importance of access control policies and procedures, emphasizing their role in security and privacy assurance, which aligns with the requirements outlined in AC-1.

Document Content
Matched Section
Section: 1.2.2 Information Resources
Content: Personnel participating in a BC/DR event may require access rights to certain information resources needed in the recovery effort. Requests for the granting of access to Lazard information resources should be documented and approved by one of the following: a. The information asset’s owner. b. A director level IT representative. c. A member of the Information Security department.
AI Justification
The section on granting access rights to personnel participating in a BC/DR event aligns with the need for proper account management and access control.

Document Content
Matched Section
Section: Access rights to the Lazard networks and network services
Content: Access rights to the Lazard networks and network services should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The text discusses access rights and the revocation of access, which aligns with the control's focus on managing remote access to organizational systems.

Document Content
Matched Section
Section: Requests for the granting of access to Lazard enterprise servers
Content: Requests for the granting of access to Lazard enterprise servers should be documented and approved by one of the following: a. A director level IT representative. b. A member of the Information Security department.
AI Justification
The text mentions the need for documented and approved access requests, which aligns with the control's focus on enforcing access restrictions.

Document Content
Matched Section
Section: Access rights to the Lazard networks and network services
Content: Access rights to the Lazard networks and network services should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The text discusses the revocation of access rights and the documentation of access requests, which aligns with the requirements for managing system accounts and access privileges.

Document Content
Matched Section
Section: 1.2.1 Access Control
Content: All security controls described in the IS Global Policies & Standards document entitled “8.0 Access Control Policy” should be strictly adhered to while conducting a drill or participating in an actual BC/DR event.
AI Justification
The chunk discusses access control and the need for documented and approved access to information resources, which aligns with the principles of information sharing and access restrictions outlined in AC-21.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC (“Lazard”) and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The text discusses the management of access to nonpublic information and the restrictions on its disclosure, aligning with the principles of access control.

Document Content
Matched Section
Section: Responsibilities for reviewing and authorizing access during a BC/DR event
Content: Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
AI Justification
The text discusses responsibilities related to reviewing and authorizing access to information resources and networks, which aligns with the enforcement of access control policies as described in AC-25.

Document Content
Matched Section
Section: Access rights to the Lazard enterprise servers should be revoked immediately upon completion of the task for which the access was requested.
Content: Access rights to the Lazard enterprise servers should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The text discusses the revocation of access rights, which aligns with the enforcement of access control policies to ensure that access is granted only for authorized tasks and revoked immediately upon completion.

Document Content
Matched Section
Section: 1.2.1 Access Control
Content: All security controls described in the IS Global Policies & Standards document entitled “8.0 Access Control Policy” should be strictly adhered to while conducting a drill or participating in an actual BC/DR event.
AI Justification
The text discusses the need for controlling the flow of information within systems and between organizations, which aligns with the principles of information flow control.

Document Content
Matched Section
Section: Responsibilities during a BC/DR event
Content: Is responsible for reviewing requests for the removal of furniture and/or computing assets from restricted areas during a BC/DR event, test, or execution. Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution. Other roles may share this responsibility.
AI Justification
The text discusses responsibilities and roles during a BC/DR event, indicating a division of duties among different individuals, which aligns with the principle of separation of duties.

Document Content
Matched Section
Section: Access rights to the Lazard networks and network services
Content: Access rights to the Lazard networks and network services should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The text discusses revoking access immediately after task completion and ensuring that access is granted only as necessary, which aligns with the principle of least privilege.

Document Content
Matched Section
Section: Role-Based Training Responsibilities
Content: Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
AI Justification
The text discusses responsibilities related to access authorization and physical security during a BC/DR event, which aligns with the need for role-based training to ensure personnel understand their roles and responsibilities.

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security policies, which aligns with the requirements for audit and accountability policies.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: The information contained herein is the property of Lazard Freres & Co. LLC (“Lazard”) and may not be copied, used, or disclosed in whole or in part, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, reprographic, recording or otherwise) outside of Lazard without prior written permission.
AI Justification
The section discusses the unauthorized copying, use, or disclosure of information, which aligns with the control's focus on preventing data leakage.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets.
AI Justification
The text discusses the approval process for exceptions to security policies, which aligns with the need for assessment and authorization procedures.

Document Content
Matched Section
Section: Responsibilities for reviewing and authorizing access during a BC/DR event
Content: • Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
AI Justification
The chunk discusses responsibilities related to reviewing and authorizing access to information resources and networks during a BC/DR event, which aligns with the concept of authorizations as described in CA-6.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the need for a configuration management policy and procedures, including the approval process for exceptions, which aligns with CM-1.

Document Content
Matched Section
Section: 1.2.2 Information Resources
Content: Personnel participating in a BC/DR event may require access rights to certain information resources needed in the recovery effort. Requests for the granting of access to Lazard information resources should be documented and approved by one of the following: a. The information asset’s owner. b. A director level IT representative. c. A member of the Information Security department.
AI Justification
The chunk discusses the need for access control and the identification of information resources, which aligns with understanding where information is processed and stored.

Document Content
Matched Section
Section: Access rights to the Lazard enterprise servers should be revoked immediately upon completion of the task for which the access was requested.
Content: Access rights to the Lazard enterprise servers should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The text discusses the revocation of access rights and the importance of maintaining security controls, which aligns with the need for qualified individuals to manage access and changes.

Document Content
Matched Section
Section: Access rights to the Lazard enterprise servers should be revoked immediately upon completion of the task for which the access was requested.
Content: Access rights to the Lazard enterprise servers should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The requirement to revoke access rights aligns with the enforcement of access controls to ensure that only authorized individuals have access to systems.

Document Content
Matched Section
Section: It is paramount that the established security perimeter and entry controls are maintained at all times.
Content: It is paramount that the established security perimeter and entry controls are maintained at all times.
AI Justification
The mention of maintaining security perimeter and entry controls during a BC/DR event aligns with physical access control requirements.

Document Content
Matched Section
Section: Glossary - Business continuity and disaster recovery (BCDR or BC/DR)
Content: Business continuity and disaster recovery (BCDR or BC/DR) is a set of processes and techniques used to help an organization recover from a disaster and continue or resume routine business operations.
AI Justification
The text discusses the importance of business continuity and disaster recovery processes, which align with the recovery and reconstitution activities outlined in CP-10.

Document Content
Matched Section
Section: Contingency planning for systems
Content: Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached.
AI Justification
The text discusses the importance of contingency planning for systems, including recovery objectives and actions to be taken during incidents, which aligns with CP-2.

Document Content
Matched Section
Section: Responsibilities during a BC/DR event, test, or execution.
Content: Is responsible for reviewing requests for the removal of furniture and/or computing assets from restricted areas during a BC/DR event, test, or execution.
AI Justification
The text discusses roles and responsibilities during a BC/DR event, which aligns with the need for contingency training linked to assigned roles.

Document Content
Matched Section
Section: Access rights to the Lazard networks and network services
Content: Access rights to the Lazard networks and network services should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The text discusses access rights and the requirement for documented approval for access, which aligns with the identification and authentication of users.

Document Content
Matched Section
Section: Access to Enterprise Servers
Content: Personnel participating in a BC/DR event may require access to enterprise servers (Windows and *Nix) needed in the recovery effort. Requests for the granting of access to Lazard enterprise servers should be documented and approved by one of the following: a. A director level IT representative. b. A member of the Information Security department.
AI Justification
The text outlines the process for granting and revoking access, which is part of account management.

Document Content
Matched Section
Section: Responsibilities for reviewing and authorizing access
Content: Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
AI Justification
The text discusses the responsibilities of reviewing and authorizing access to information resources, which implies the need for authentication mechanisms to verify the identity and authorization of operators.

Document Content
Matched Section
Section: Access rights to the Lazard networks and network services
Content: Access rights to the Lazard networks and network services should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The chunk discusses the revocation of access rights and the documentation of access requests, which relates to the identification and authentication of users accessing systems.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures in place for maintenance, including the need for exceptions to be approved, which aligns with the maintenance policy and procedures control.

Document Content
Matched Section
Section: Security Personnel
Content: Is responsible for reviewing and authorizing personnel entry and exit of physical perimeter should the badge entry system be compromised during a BC/DR event, test or execution.
AI Justification
The text discusses responsibilities related to authorizing access to information resources and physical perimeter management during a BC/DR event, which aligns with the need for physical access controls.

Document Content
Matched Section
Section: Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
Content: Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
AI Justification
The text implies the need for authorized personnel to manage access to systems and resources, which relates to the control concerning maintenance personnel and their access requirements.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied.
AI Justification
The text discusses the approval process for exceptions to the media protection policy, which aligns with the need for policies and procedures that address media protection controls.

Document Content
Matched Section
Section: 1.2.6 Physical Security Perimeter and Entry Controls
Content: It is paramount that the established security perimeter and entry controls are maintained at all times. It is especially critical during a BC/DR event when visiting employees and vendors may need to access the Lazard facilities that are involved in the BC/DR event.
AI Justification
The text discusses the need to maintain security perimeter and entry controls, which aligns with the enforcement of authorizations for entry and exit of system components.

Document Content
Matched Section
Section: Section 1.3 ROLES & RESPONSIBILITIES
Content: All personnel wishing to enter the restricted area should have the appropriate Lazard issued identification or be an approved vendor.
AI Justification
The text discusses the verification of badge holders and the authorization of personnel entering restricted areas, which aligns with the control's focus on ensuring assets remain in authorized locations.

Document Content
Matched Section
Section: 1.2.6 Physical Security Perimeter and Entry Controls
Content: It is paramount that the established security perimeter and entry controls are maintained at all times. It is especially critical during a BC/DR event when visiting employees and vendors may need to access the Lazard facilities that are involved in the BC/DR event.
AI Justification
The text discusses the importance of maintaining security perimeters and entry controls, which aligns with the requirements for physical access control.

Document Content
Matched Section
Section: Responsibilities related to reviewing and authorizing access during a BC/DR event.
Content: Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
AI Justification
The chunk discusses responsibilities related to reviewing and authorizing access to information resources and physical perimeter entry, which aligns with the need for physical access monitoring.

Document Content
Matched Section
Section: 1.2.1 Access Control
Content: All security controls described in the IS Global Policies & Standards document entitled '8.0 Access Control Policy' should be strictly adhered to while conducting a drill or participating in an actual BC/DR event.
AI Justification
The text discusses the importance of access agreements and rules of behavior for organizational users, which aligns with the requirements for establishing rules of behavior as outlined in control PL-4.

Document Content
Matched Section
Section: 1.2.2 Information Resources
Content: Requests for the granting of access to Lazard information resources should be documented and approved by one of the following: a. The information asset’s owner. b. A director level IT representative. c. A member of the Information Security department.
AI Justification
The mention of access rights and the requirement for documented approval for access aligns with the principles of access control and user agreements outlined in AC-8.

Document Content
Matched Section
Section: Authorization processes for organizational systems and environments of operation
Content: Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
AI Justification
The chunk discusses responsibilities related to reviewing and authorizing access to information resources and networks during a BC/DR event, which aligns with the need for authorization processes as outlined in PM-10.

Document Content
Matched Section
Section: 1.11 DOCUMENT INFORMATION
Content: CONTACT(S): CONTACT DETAILS: NAME: Peter Keenan; POSITION: Chief Information Security Officer (CISO); SIGNATURE: [not captured in extracted text]; DATE: 12/07/2023
AI Justification
The presence of the Chief Information Security Officer (CISO) indicates the role of a senior agency information security officer as defined in the control.

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets.
AI Justification
The text discusses the approval process for exceptions to the policy, which aligns with the need for established personnel security policies and procedures.

Document Content
Matched Section
Section: Access rights to the Lazard information resources should be revoked immediately upon completion of the task for which the access was requested.
Content: Access rights to the Lazard information resources should be revoked immediately upon completion of the task for which the access was requested. The revocation should be documented and attached to the approved access request documentation.
AI Justification
The chunk discusses the immediate revocation of access rights, which aligns with the accountability and security constraints mentioned in PS-4 regarding terminated individuals and their access to system-related property.

Document Content
Matched Section
Section: Detailed mitigation information, if available.
Content: 4. Detailed mitigation information, if available.
AI Justification
The chunk discusses the need for detailed mitigation information and the process for handling exceptions, which aligns with the concept of responding to risk as outlined in RA-7.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk. In such cases, Lazard's policy exception process should be followed and applied. Exceptions to this policy can be requested by submitting a policy exception form in the ServiceNow portal. The request should contain the supporting information requested below, and should be approved by the Department Manager (not lower than director level) and the CISO or his/her designee: 1. Policy statement requiring the exception. 2. Exception duration. Provide detailed information.
AI Justification
The text discusses the need for policies and procedures regarding exceptions to security policies, which aligns with the control's focus on establishing acquisition policies and procedures.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets.
AI Justification
The text discusses the need for a policy regarding exceptions to security measures, which aligns with the requirement for a system and communications protection policy that addresses controls.

Document Content
Matched Section
Section: Responsibilities during a BC/DR event, test, or execution
Content: Is responsible for reviewing and authorizing access to information resources, networks, network services, and Enterprise Servers during a BC/DR event, test, or execution.
AI Justification
The text discusses responsibilities related to reviewing and authorizing access to information resources during a BC/DR event, which aligns with the control's focus on preventing unauthorized access to shared system resources.

Document Content
Matched Section
Section: Adversarial strategies during security events
Content: A target is most vulnerable while their attention is focused on something other than security. It is important to maintain Lazard’s security posture at all times, and especially during a BC/DR event or exercise, to avoid cybercriminals taking advantage of the firm’s personnel while they focus on the BC/DR event or exercise.
AI Justification
The text discusses the concept of adversaries exploiting distractions to gain unauthorized access, which aligns with the control's focus on lateral movement and exfiltration strategies.

Document Content
Matched Section
Section: Exceptions to the policy should be approved by InfoSec in advance.
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy. In exceptional cases Divisions & Functions may implement a lower protection level to adequately address the related information security risk.
AI Justification
The text discusses the ability of divisions to implement stronger or lower security requirements based on specific threats and operational environments, which aligns with the need for additional strength of mechanism for domain separation and policy enforcement.

Document Content
Matched Section
Section: Exceptions to the policy
Content: Exceptions to the policy should be approved by InfoSec in advance. The technical and organizational controls define minimum requirements for securing assets. Divisions & Functions are free to define and implement stronger security requirements and mechanisms if a higher protection level is necessary and they do not contradict the Policy.
AI Justification
The text discusses the importance of having policies and procedures for system and information integrity, including the process for requesting exceptions to these policies.
4.0_IS_Organization_of_Information_Security_Policy_1.pdf NIST
100 matches found

Document Content
Matched Section
Section: Access Control Policy and Procedures
Content: Control: AC-1: Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance.
AI Justification
The text discusses the importance of access control policies and procedures, which aligns with the requirements of AC-1.

Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy A.9.1.1
AI Justification
The mention of access control policies directly aligns with the control A.9.1.1 which focuses on access control measures.

Document Content
Matched Section
Section: Access to Networks & Network Services
Content: Access to Networks & Network Services A.9.1.2
AI Justification
The text implies the need for access control measures which is relevant to A.9.1.2.

Document Content
Matched Section
Section: Information Access Restriction
Content: Information Access Restriction A.9.4.1
AI Justification
The discussion on access control policies suggests the need for restricting access to information, aligning with A.9.4.1.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy should also ensure the security of teleworking and use of mobile devices within Lazard so that they are adequately protected to prevent leakage of information through them.
AI Justification
The text discusses the security of teleworking and the use of mobile devices, emphasizing the need for adequate protection to prevent information leakage.

Document Content
Matched Section
Section: Information Security Policies for Supplier Relationships
Content: Control: AC-2: Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan.
AI Justification
The text discusses the identification of authorized system users, specification of access privileges, and the management of various account types, which aligns with the requirements of AC-2.

Document Content
Matched Section
Section: Access Control Policy
Content: A.9.1.1 Access Control Policy
AI Justification
The mention of access control decisions aligns with the need for a formal access control policy that governs how access is granted and enforced.

Document Content
Matched Section
Section: Access to Networks & Network Services
Content: A.9.1.2 Access to Networks & Network Services
AI Justification
The discussion of access control decisions and enforcement is relevant to how access is managed for networks and services.

Document Content
Matched Section
Section: Management of Privileged Access Rights
Content: A.9.2.3 Management of Privileged Access Rights
AI Justification
The control emphasizes the importance of managing access rights, which relates to authorization decisions.

Document Content
Matched Section
Section: Access Control Policy
Content: A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects.
AI Justification
The text discusses the enforcement of access control policies, which aligns with the control's focus on establishing and maintaining an access control policy.

Document Content
Matched Section
Section: Information Access Restriction
Content: Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong.
AI Justification
The control is relevant as the text describes how access is restricted based on the identity of subjects, which aligns with the concept of restricting information access.

Document Content
Matched Section
Section: Access Control Policy
Content: Access Control Policy
AI Justification
The section discusses the need for access control policies which aligns with the control's focus on managing access between users and systems.

Document Content
Matched Section
Section: Access to Networks & Network Services
Content: Access to Networks & Network Services
AI Justification
This control is relevant as it pertains to managing access to network services, which is a key aspect of access control.

Document Content
Matched Section
Section: Management of Privileged Access Rights
Content: Management of Privileged Access Rights
AI Justification
The management of privileged access rights is a critical part of access control policies.

Document Content
Matched Section
Section: Information Access Restriction
Content: Information Access Restriction
AI Justification
This control focuses on restricting access to information, which is a fundamental aspect of access control.

Document Content
Matched Section
Section: 1.3 SEGREGATION OF DUTIES
Content: a) Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
AI Justification
The text explicitly discusses the segregation of conflicting duties and areas of responsibility to reduce unauthorized modifications or misuse, which aligns with the principles of separation of duties.

Document Content
Matched Section
Section: 1.3 SEGREGATION OF DUTIES
Content: iii. Authorization levels should be defined and documented.
AI Justification
The text discusses the need for defining and documenting authorization levels, which aligns with the principle of least privilege by ensuring that access is limited to what is necessary for specific duties.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents.
AI Justification
The text discusses the provision of literacy training and awareness for system users, which aligns with the requirements of AT-2.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training.
AI Justification
The text mentions the need for ongoing literacy training and awareness, which can be related to role-based training requirements.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Control: AT-3: Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties.
AI Justification
The text discusses the importance of role-based training tailored to the responsibilities and security requirements of individuals, which aligns directly with control AT-3.

Document Content
Matched Section
Section: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined.
Content: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The text discusses the importance of defining responsibilities for information security and the need for policies and procedures related to audit and accountability, which aligns with the AU-1 control.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard’s Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the development and maintenance of a comprehensive management framework for information security, which aligns with the need for assessment, authorization, and monitoring policies and procedures.

Document Content
Matched Section
Section: System information exchange requirements
Content: Control: CA-3: System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications.
AI Justification
The chunk discusses the requirements and considerations for system information exchanges, which aligns directly with CA-3.

Document Content
Matched Section
Section: Joint authorization of the systems exchanging information
Content: A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2), may help to communicate and reduce risk.
AI Justification
The text mentions joint authorization of systems exchanging information, which aligns with CA-6(1).

Document Content
Matched Section
Section: Authorization levels should be defined and documented.
Content: iii. Authorization levels should be defined and documented.
AI Justification
The text discusses the need for defined and documented authorization levels, which aligns with the requirement for official management decisions to authorize operations and accept risks.

Document Content
Matched Section
Section: Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Content: a) Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
AI Justification
The text emphasizes the importance of segregating conflicting duties to reduce unauthorized modifications, which is a key aspect of the separation of duties control.

Document Content
Matched Section
Section: Configuration Management Policy and Procedures
Content: has prepared the Job Description (JD) should be responsible for identifying the security roles and responsibilities associated with every individual.
AI Justification
The text discusses the importance of having defined roles and responsibilities, as well as procedures for managing security incidents, which aligns with the need for configuration management policies and procedures.

Document Content
Matched Section
Section: Segregation of Duties Principle
Content: Management, where feasible, should ensure that there are separate teams to review, administer, and monitor the servers and network devices adhering to segregation of duties principle.
AI Justification
The text mentions the principle of segregation of duties and the need for separate teams to manage servers and network devices, which aligns with the control for separation of duties.

Document Content
Matched Section
Section: Contact with Authorities
Content: Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner.
AI Justification
The text outlines the need for procedures regarding contact with authorities and reporting security incidents, which aligns with incident handling controls.

Document Content
Matched Section
Section: Job Description (JD) and Management Responsibilities
Content: has prepared the Job Description (JD) should be responsible for identifying the security roles and responsibilities associated with every individual.
AI Justification
The text discusses the identification of security roles and responsibilities, which aligns with the need for individuals to possess the necessary skills and expertise to conduct impact analyses related to security and privacy responsibilities.

Document Content
Matched Section
Section: Contingency Planning Policy and Procedures
Content: Control: CP-1: Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures.
AI Justification
The text discusses the importance of contingency planning policies and procedures, including the need for collaboration between security and privacy programs, which aligns with the intent of CP-1.

Document Content
Matched Section
Section: Control: CP-3
Content: Control: CP-3: Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training.
AI Justification
The text discusses the importance of contingency training linked to roles and responsibilities, which aligns directly with the CP-3 control requirements.

Document Content
Matched Section
Section: NIST SP 800-53 Rev 5
Content: NIST SP 800-53 Rev 5 CP-2: Contingency Planning | Contingency Plan
AI Justification
The mention of contingency plans and training requirements reflects the need for a structured contingency planning process.

Document Content
Matched Section
Section: Section d) and e)
Content: Maintaining contact with authorities should be a requirement to support information security incident management or the business continuity and contingency planning process. Contacts with other authorities that should be maintained include utilities, emergency services, electricity suppliers and health & safety, e.g., fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment).
AI Justification
The chunk discusses maintaining contact with telecommunication providers, which aligns with the requirements for alternate telecommunications services in CP-8.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard’s Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the importance of policies and procedures related to identification and authentication, aligning with the control's focus on establishing such policies within organizations.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy should also ensure the security of teleworking and use of mobile devices within Lazard so that they are adequately protected to prevent leakage of information through them.
AI Justification
The mention of ensuring security for teleworking and mobile devices aligns with access control measures to protect information assets.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Access Control | Policy & Procedures
AI Justification
The chunk discusses various aspects of authenticator management, including the types of authenticators, their characteristics, and the importance of safeguarding them.

Document Content
Matched Section
Section: Access Control | Access Enforcement
Content: Access Control | Access Enforcement
AI Justification
The mention of access control decisions and enforcement aligns with the need to manage authenticators effectively.

Document Content
Matched Section
Section: Access Control | Least Privilege
Content: Access Control | Least Privilege
AI Justification
The control emphasizes the need to limit access based on the principle of least privilege, which is relevant to authenticator management.

Document Content
Matched Section
Section: Access Control | Security & Privacy Attributes
Content: Access Control | Security & Privacy Attributes
AI Justification
The control relates to the protection of stored authenticators, such as passwords, which is discussed in the chunk.

Document Content
Matched Section
Section: Incident Response Management
Content: Incident Response Management
AI Justification
The text discusses the importance of testing incident response capabilities, which aligns directly with the requirements of control IR-3.

Document Content
Matched Section
Section: Incident Response Management
Content: Incident Response Management
AI Justification
The mention of incident handling and the need for effective incident response processes aligns with the requirements of control IR-4.

Document Content
Matched Section
Section: 1.4 CONTACT WITH AUTHORITIES
Content: Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner.
AI Justification
The text discusses the identification of security roles and responsibilities, segregation of duties, and the establishment of compensating controls, which are all relevant to incident response capabilities and management.

Document Content
Matched Section
Section: Incident Response Management
Content: Incident Response Management
AI Justification
The chunk discusses incident response management and the importance of documenting incidents, which aligns with the requirements of control IR-5.

Document Content
Matched Section
Section: Incident Response | Incident Handling
Content: Incident Response | Incident Handling
AI Justification
The chunk references IR-4, which provides information on the types of incidents that are appropriate for monitoring, aligning with the incident response context.

Document Content
Matched Section
Section: 1.4 CONTACT WITH AUTHORITIES
Content: Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner.
AI Justification
The section discusses the procedures for contacting authorities and reporting security incidents, which aligns with the requirements for incident reporting as outlined in control IR-6.

Document Content
Matched Section
Section: Incident Response Management
Content: Incident Response Management
AI Justification
The text mentions incident response management and refers to resources and processes related to incident handling, which aligns with the control's focus on providing support resources for incident response.

Document Content
Matched Section
Section: 1.4 CONTACT WITH AUTHORITIES
Content: Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner.
AI Justification
The chunk discusses the responsibilities related to security roles and the importance of having procedures for contacting authorities regarding security incidents, which aligns with the need for a coordinated incident response approach.

Document Content
Matched Section
Section: Responsibilities for the protection of individual assets and for carrying out specific information security should be identified.
Content: Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance.
AI Justification
The text discusses the importance of policies and procedures for media protection, aligning with the requirements of MP-1.

Document Content
Matched Section
Section: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined.
Content: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The text emphasizes the need for defining responsibilities for information security risk management activities, which aligns with the control PM-9.

Document Content
Matched Section
Section: DOCUMENT CLASSIFICATION
Content: DOCUMENT CLASSIFICATION Confidential
AI Justification
The chunk discusses document classification and the handling of confidential information, which aligns with the concept of security marking for digital and non-digital media.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The text discusses the importance of having policies and procedures for physical and environmental protection, including the management of exceptions and emergency situations.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy should also ensure the security of teleworking and use of mobile devices within Lazard so that they are adequately protected to prevent leakage of information through them.
AI Justification
The text discusses the protection of information resources and the prevention of information leakage, which aligns with the control's focus on safeguarding against data release to untrusted environments.

Document Content
Matched Section
Section: Equipment Siting & Protection
Content: Equipment Siting & Protection
AI Justification
The chunk mentions 'Equipment Siting & Protection', which aligns with the need to determine protection types for power equipment and cabling.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The chunk discusses the necessity of having documented policies and procedures for exceptions, which aligns with the planning and implementation of controls as described in PL-1.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard’s Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the development and maintenance of a comprehensive management framework for information security, which aligns with the requirements of an information security program plan.

Document Content
Matched Section
Section: Responsibilities for information security risk management activities and for acceptance of residual risks
Content: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The text discusses responsibilities for information security risk management and acceptance of residual risks, which aligns with the need for an organization-wide risk management process.

Document Content
Matched Section
Section: Responsibilities for the protection of individual assets and for carrying out specific information security
Content: Responsibilities for the protection of individual assets and for carrying out specific information security should be identified. See the Asset Management Policy1 for additional information and guidance.
AI Justification
The text discusses the responsibilities for the protection of individual assets and information security, which aligns with the need for defining protection and personally identifiable information processing needs as outlined in PM-11.

Document Content
Matched Section
Section: Responsibilities for information security risk management activities and for acceptance of residual risks
Content: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The mention of responsibilities for information security risk management activities aligns with the need to derive information protection needs from organizational risk management strategies.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Security Awareness & Skills Training
AI Justification
The chunk discusses the importance of role-based training programs for individuals assigned security and privacy roles, aligning with the control's focus on training tailored to specific roles.

Document Content
Matched Section
Section: Job Description (JD) and Management Responsibilities
Content: has prepared the Job Description (JD) should be responsible for identifying the security roles and responsibilities associated with every individual.
AI Justification
The text discusses the identification of security roles and responsibilities, which aligns with the need for oversight in testing, training, and monitoring activities.

Document Content
Matched Section
Section: Management Responsibilities
Content: Management, where feasible, should ensure that there are separate teams to review, administer, and monitor the servers and network devices adhering to segregation of duties principle.
AI Justification
The mention of separate teams for reviewing, administering, and monitoring aligns with the need for coordinated testing and monitoring activities.

Document Content
Matched Section
Section: Management Responsibilities
Content: Mitigating or compensating controls should be established, in those instances where duties cannot be fully segregated. Compensating controls include Audit trails, monitoring activities, supervisory reviews.
AI Justification
The establishment of compensating controls, including audit trails and monitoring activities, supports the need for ongoing assessments and monitoring.

Document Content
Matched Section
Section: Responsibilities for information security risk management activities and for acceptance of residual risks
Content: c) Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The chunk discusses responsibilities for information security risk management activities, which aligns with the need for risk framing at the organizational level and in consultation with stakeholders.

Document Content
Matched Section
Section: Responsibilities for information security risk management activities and for acceptance of residual risks
Content: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The text discusses responsibilities for information security risk management activities and acceptance of residual risks, which aligns with the requirements of a risk management strategy.

Document Content
Matched Section
Section: Job Description and Security Roles and Responsibilities
Content: has prepared the Job Description (JD) should be responsible for identifying the security roles and responsibilities associated with every individual.
AI Justification
The text discusses the importance of defining roles and responsibilities related to security, which aligns with the need for personnel security policies and procedures.

Document Content
Matched Section
Section: Segregation of Duties and Compensating Controls
Content: Management, where feasible, should ensure that there are separate teams to review, administer, and monitor the servers and network devices adhering to segregation of duties principle.
AI Justification
The mention of management ensuring segregation of duties and establishing compensating controls relates to the overarching personnel security policy.

Document Content
Matched Section
Section: Contact with Authorities
Content: Management should have procedures specifying when and by whom authorities (e.g., law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information including security incidents should be reported in a timely manner.
AI Justification
The procedures for contacting authorities and reporting incidents reflect the need for established policies and procedures in personnel security.

Document Content
Matched Section
Section: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance.
Content: Control: PS-2: Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position.
AI Justification
The text discusses the importance of position risk designations and how they relate to personnel security programs, aligning directly with the control's focus on proper position designation.

Document Content
Matched Section
Section: Coordination and oversight of third-party relationships
Content: iv. Coordination and oversight of third-party relationships should be identified and documented. See section in Supplier Relationship Policy4, for additional information and guidance.
AI Justification
The text discusses the need for documentation and oversight of third-party relationships, which aligns with the requirements for managing external providers.

Document Content
Matched Section
Section: Information Security Roles & Responsibilities
Content: Information Security Roles & Responsibilities
AI Justification
The chunk discusses roles and responsibilities related to security and privacy, which aligns with the specification of these roles in organizational position descriptions.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Security Awareness & Skills Training
AI Justification
The mention of role-based training in the context of security and privacy responsibilities aligns with the requirement for role-based training.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard’s Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the importance of policies and procedures related to information security and the protection of personally identifiable information, which aligns with the control's focus on processing and transparency.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy should also ensure the security of teleworking and use of mobile devices within Lazard so that they are adequately protected to prevent leakage of information through them.
AI Justification
The mention of ensuring the security of teleworking and mobile devices indicates a focus on access control measures to protect information assets.

Document Content
Matched Section
Section: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined.
Content: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The text discusses the importance of defining responsibilities for information security risk management activities, which aligns with the need for a risk assessment policy and procedures.

Document Content
Matched Section
Section: Responsibilities for information security risk management activities and for acceptance of residual risks
Content: Responsibilities for information security risk management activities and for acceptance of residual risks should be defined. See the Risk Management Policy2 for additional information and guidance.
AI Justification
The text discusses responsibilities for information security risk management activities and the acceptance of residual risks, which aligns with the need for risk assessments that consider various factors affecting organizational operations.

Document Content
Matched Section
Section: Policy statement requiring the exception.
Content: A record of all approved requests should be maintained by the CISO or his/her designee and be available on request. In emergency situations, exceptions to this policy can be approved by the business unit’s IT Director, the CIO, and the CISO or his/her designee without following the above procedures.
AI Justification
The chunk discusses the process of handling exceptions and the need for detailed mitigation information, which aligns with the risk response strategies outlined in RA-7.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard's Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the development and maintenance of policies and procedures related to information security, which aligns with the requirements of SA-1 for establishing acquisition policies that address security and privacy.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy should also ensure the security of teleworking and use of mobile devices within Lazard so that they are adequately protected to prevent leakage of information through them.
AI Justification
The mention of ensuring the security of teleworking and mobile devices indicates a need for access control measures, which aligns with AC-1.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Security Awareness & Skills Training
AI Justification
The chunk mentions various types of training, which aligns with the need for developer-provided training as outlined in control SA-16.

Document Content
Matched Section
Section: Security Awareness & Skills Training
Content: Security Awareness & Skills Training
AI Justification
The mention of training personnel and the types of training aligns with the role-based training aspect of control AT-3.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Control: SA-21: Developer screening is directed at external developers. Internal developer screening is addressed by PS-3. Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy.
AI Justification
The text discusses the importance of screening developers, particularly external ones, to ensure trustworthiness, which aligns with the SA-21 control.

Document Content
Matched Section
Section: Access Control | Policy & Procedures
Content: Control: SA-21: Developer screening is directed at external developers. Internal developer screening is addressed by PS-3.
AI Justification
The text mentions that internal developer screening is addressed by PS-3, indicating its relevance to the personnel security aspect.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard's Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the implementation and operation of information security within Lazard, which aligns with the principles of integrating security into the system development life cycle as outlined in SA-3.

Document Content
Matched Section
Section: 1.2 INFORMATION SECURITY ROLES & RESPONSIBILITIES
Content: Information security responsibilities should be defined and allocated within Lazard business units.
AI Justification
The mention of security roles and responsibilities within Lazard aligns with the need for qualified personnel in system development life cycle processes as described in SA-8.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard's Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the implementation and operation of information security policies, which aligns with the need for derived security and privacy requirements as described in SA-4.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy should also ensure the security of teleworking and use of mobile devices within Lazard so that they are adequately protected to prevent leakage of information through them.
AI Justification
The mention of ensuring the security of teleworking and mobile devices indicates the need for access control measures to protect information assets.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard's Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the implementation of information security principles and responsibilities within Lazard, which aligns with the need for security and privacy engineering principles throughout the system development life cycle.

Document Content
Matched Section
Section: Coordination and oversight of third-party relationships
Content: Coordination and oversight of third-party relationships should be identified and documented. See the relevant section in the Supplier Relationship Policy for additional information and guidance.
AI Justification
The text discusses the documentation and oversight of third-party relationships, which aligns with the need for organizations to manage risks associated with external service providers and document trust relationships.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard's Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the development and maintenance of a comprehensive management framework for information security, which aligns with the need for policies and procedures in the SC family.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: This policy should also ensure the security of teleworking and use of mobile devices within Lazard so that they are adequately protected to prevent leakage of information through them.
AI Justification
The text discusses the security of mobile devices and the potential risks associated with their use, which aligns with the control's focus on sensor capabilities in mobile devices.

Document Content
Matched Section
Section: Access to Networks & Network Services
Content: Control: SC-7: Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture.
AI Justification
The text discusses managed interfaces and boundary protection, which directly relates to access control measures for networks and network services.

Document Content
Matched Section
Section: Network Controls
Content: Control: SC-7: Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary.
AI Justification
The mention of boundary protection and network components aligns with the need for network controls to manage and secure network traffic.

Document Content
Matched Section
Section: Electronic Messaging
Content: Electronic Messaging; Confidentiality or Non-Disclosure Agreements; Securing Application Services on Public Networks; Protecting Application Services Transactions
AI Justification
The chunk discusses protecting the confidentiality and integrity of transmitted information, which aligns directly with SC-8.

Document Content
Matched Section
Section: Electronic Messaging
Content: Electronic Messaging; Confidentiality or Non-Disclosure Agreements; Securing Application Services on Public Networks; Protecting Application Services Transactions
AI Justification
The mention of protecting communication paths and the use of protected distribution systems relates to boundary protection.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard's Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the development, maintenance, and communication of a comprehensive management framework for protecting information resources, which aligns with the requirements for system and information integrity policies and procedures.

Document Content
Matched Section
Section: Control: SI-12
Content: Control: SI-12: Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information.
AI Justification
The text discusses the requirements for information management and retention, including the full life cycle of information and coordination with records management personnel.

Document Content
Matched Section
Section: 1.1 SCOPE & APPLICABILITY
Content: Lazard's Executive Management has charged Information Security with the responsibility for developing, maintaining, and communicating a comprehensive management framework to protect the confidentiality, integrity, and availability of Lazard information resources.
AI Justification
The text discusses the importance of policies and procedures in managing risks related to information security, including the security of teleworking and mobile devices, which aligns with supply chain risk management.

Document Content
Matched Section
Section: Information Security Policies for Supplier Relationships
Content: The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization.
AI Justification
The text discusses the importance of managing supply chain risks, which aligns with the control's focus on the risks associated with external providers and the need for a coordinated effort in managing these risks.

Document Content
Matched Section
Section: Information Security Policies for Supplier Relationships
Content: Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders.
AI Justification
The text emphasizes the need for coordinated efforts across an organization to manage supply chain risks, which aligns with the control's focus on leadership roles in risk management.