VendorEntity

Job ID: VendorEntity-082625161430 2025-08-26 Completed

Upload Documents

Overall Alignment

54.8%

Needs Improvement

Controls Aligned

182 / 332

182 out of 332 controls found

Frameworks

CIS NIST

Assessment frameworks applied

Key Controls

120 / 179

Critical controls identified

Overall Alignment

Framework Breakdown

Key Controls Status

Framework Compliance Overview

Framework	Total Controls	Aligned	Gaps	Compliance Progress
CIS	34	7	27	20.59% Needs Work
NIST	298	175	123	58.72% Needs Work
OVERALL	332	182	150	54.8%

Document Analysis Details

02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	1	2.94%
NIST	298	21	7.05%

01_-_Handbook_-_Verterim_-_10182019.pdf 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	0	0.0%
NIST	298	23	7.72%

Acceptable_Use_Policy.docx 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	3	8.82%
NIST	298	56	18.79%

Business_Continuity_Plan.docx 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	0	0.0%
NIST	298	17	5.7%

Equipment_Disposal_Policy.docx 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	2	5.88%
NIST	298	7	2.35%

Information_Security_Policy.docx 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	0	0.0%
NIST	298	64	21.48%

Workstation_Security_Policy.docx 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	0	0.0%
NIST	298	48	16.11%

Incident_Response_Procedure.docx 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	1	2.94%
NIST	298	47	15.77%

Information_Sensitivity_Policy.docx 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	4	11.76%
NIST	298	33	11.07%

Acceptable_Encryption_Policy.docx 2 frameworks

Framework	Total	Aligned	Coverage
CIS	34	1	2.94%
NIST	298	2	0.67%

Ethical_Sourcing_Policy.docx 1 frameworks

Framework	Total	Aligned	Coverage
NIST	298	3	1.01%

34 Total Controls

Control ID	Control Name	Status	Evidence Section	Document
1.1	Establish and Maintain Detailed Enterprise Asset Inventory Key Control	Gap	Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with... Critical Gap - Key Control Missing
1.2	Address Unauthorized Assets	Gap	Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may ch...
1.3	Utilize an Active Discovery Tool	Gap	Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure...
1.4	Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory	Gap	Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update th...
1.5	Use a Passive Asset Discovery Tool	Gap	Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and us...
2.1	Establish and Maintain a Software Inventory Key Control	Gap	Establish and maintain a detailed inventory of all licensed software installed on enterprise assets.... Critical Gap - Key Control Missing
2.2	Ensure Authorized Software is Currently Supported Key Control	Gap	Ensure that only currently supported software is designated as authorized in the software inventory ... Critical Gap - Key Control Missing
2.3	Address Unauthorized Software	Gap	Ensure that unauthorized software is either removed from use on enterprise assets or receives a docu...
2.4	Utilize Automated Software Inventory Tools	Gap	Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery...
2.7	Allowlist Authorized Scripts	Gap	Use technical controls, such as digital signatures and version control, to ensure that only authoriz...
3.1	Establish and Maintain a Data Management Process Key Control	Aligned	Overview and Purpose...	Equipment_Disposal_Policy.docx
3.1	Establish and Maintain a Data Management Process Key Control	Aligned	Storage and Disposal/Destruction...	Information_Sensitivity_Policy.docx
3.2	Establish and Maintain a Data Inventory Key Control	Gap	Establish and maintain a data inventory based on the enterprise’s data management process. Inventory... Critical Gap - Key Control Missing
3.3	Configure Data Access Control Lists	Gap	Configure data access control lists based on a user’s need to know. Apply data access control lists,...
3.4	Enforce Data Retention Key Control	Gap	Retain data according to the enterprise’s documented data management process. Data retention must in... Critical Gap - Key Control Missing
3.5	Securely Dispose of Data Key Control	Aligned	Overview...	Equipment_Disposal_Policy.docx
3.5	Securely Dispose of Data Key Control	Aligned	Disposal/Destruction...	Information_Sensitivity_Policy.docx
3.6	Encrypt Data on End-User Devices	Gap	Encrypt data on end-user devices containing sensitive data. Example implementations can include: Win...
3.7	Establish and Maintain a Data Classification Scheme	Aligned	Proprietary Information and Confidential Information...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
3.7	Establish and Maintain a Data Classification Scheme	Aligned	Guidelines on information classification...	Acceptable_Use_Policy.docx
3.7	Establish and Maintain a Data Classification Scheme	Aligned	Sensitivity Guidelines...	Information_Sensitivity_Policy.docx
3.8	Document Data Flows Key Control	Gap	Document data flows. Data flow documentation includes service provider data flows and should be base... Critical Gap - Key Control Missing
3.9	Encrypt Data on Removable Media	Gap	Encrypt data on removable media....
3.11	Encrypt Sensitive Data at Rest Key Control	Aligned	Section 3: Recommendations on Sensitive Data...	Acceptable_Use_Policy.docx
3.11	Encrypt Sensitive Data at Rest Key Control	Aligned	Encryption Policy...	Acceptable_Encryption_Policy.docx
3.12	Segment Data Processing and Storage Based on Sensitivity	Gap	Segment data processing and storage based on the sensitivity of the data. Do not process sensitive d...
3.13	Deploy a Data Loss Prevention Solution Key Control	Gap	Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all se... Critical Gap - Key Control Missing
3.14	Log Sensitive Data Access Key Control	Aligned	Handling of Information for Legal Proceedings...	Incident_Response_Procedure.docx
4.1	Establish and Maintain a Secure Configuration Process Key Control	Gap	Establish and maintain a documented secure configuration process for enterprise assets (end-user dev... Critical Gap - Key Control Missing
4.2	Establish and Maintain a Secure Configuration Process for Network Infrastructure Key Control	Gap	Establish and maintain a documented secure configuration process for network devices. Review and upd... Critical Gap - Key Control Missing
4.3	Configure Automatic Session Locking on Enterprise Assets	Aligned	Section 2: Automatic Session Locking...	Acceptable_Use_Policy.docx
4.4	Implement and Manage a Firewall on Servers	Gap	Implement and manage a firewall on servers, where supported. Example implementations include a virtu...
4.5	Implement and Manage a Firewall on End-User Devices	Gap	Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a defaul...
4.6	Securely Manage Enterprise Assets and Software Key Control	Aligned	Storage...	Information_Sensitivity_Policy.docx
4.7	Manage Default Accounts on Enterprise Assets and Software	Gap	Manage default accounts on enterprise assets and software, such as root, administrator, and other pr...
4.9	Configure Trusted DNS Servers on Enterprise Assets	Gap	Configure trusted DNS servers on network infrastructure. Example implementations include configuring...
4.11	Enforce Remote Wipe Capability on Portable End-User Devices Key Control	Gap	Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriat... Critical Gap - Key Control Missing
4.12	Separate Enterprise Workspaces on Mobile End-User Devices Key Control	Gap	Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example ... Critical Gap - Key Control Missing
5.1	Establish and Maintain an Inventory of Accounts Key Control	Gap	Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at... Critical Gap - Key Control Missing

298 Total Controls

Control ID	Control Name	Status	Evidence Section	Document
AC-1	Policy and Procedures Key Control	Aligned	Storage and Disposal/Destruction sections emphasize the need...	Information_Sensitivity_Policy.docx
AC-1	Policy and Procedures Key Control	Aligned	4.0 Policy...	Acceptable_Use_Policy.docx
AC-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
AC-1	Policy and Procedures Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
AC-10	Concurrent Session Control	Gap	Organizations may define the maximum number of concurrent sessions for system accounts globally, by ...
AC-11	Device Lock Key Control	Aligned	2. All PCs, laptops and workstations should be secured with ...	Acceptable_Use_Policy.docx
AC-11	Device Lock Key Control	Aligned	Securing workstations (screen lock or logout) prior to leavi...	Workstation_Security_Policy.docx
AC-12	Session Termination	Gap	Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-...
AC-14	Permitted Actions Without Identification or Authentication Key Control	Aligned	USE OF PERSONAL CELL PHONES AND MOBILE COMMUNICATION DEVICES...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
AC-14	Permitted Actions Without Identification or Authentication Key Control	Aligned	11. Circumventing user authentication or security of any hos...	Acceptable_Use_Policy.docx
AC-16	Security and Privacy Attributes Key Control	Aligned	1. Purpose and Scope...	Information_Sensitivity_Policy.docx
AC-16	Security and Privacy Attributes Key Control	Aligned	3.1 Workforce members using workstations shall consider the ...	Workstation_Security_Policy.docx
AC-17	Remote Access Key Control	Aligned	Configuration of Verterim-to-other business connections...	Information_Sensitivity_Policy.docx
AC-17	Remote Access Key Control	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
AC-17	Remote Access Key Control	Aligned	3.2 Verterim will implement physical and technical safeguard...	Workstation_Security_Policy.docx
AC-18	Wireless Access	Gap	Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency),...
AC-19	Access Control for Mobile Devices Key Control	Aligned	USE OF PERSONAL CELL PHONES AND MOBILE COMMUNICATION DEVICES...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
AC-19	Access Control for Mobile Devices Key Control	Aligned	Usage restrictions and specific implementation guidance for ...	01_-_Handbook_-_Verterim_-_10182019.pdf
AC-2	Account Management Key Control	Aligned	Ensuring workstations are used for authorized business purpo...	Workstation_Security_Policy.docx
AC-20	Use of External Systems Key Control	Aligned	Configuration of Verterim-to-other business connections...	Information_Sensitivity_Policy.docx
AC-21	Information Sharing Key Control	Aligned	Proprietary Information...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
AC-21	Information Sharing Key Control	Aligned	Purpose...	Information_Sensitivity_Policy.docx
AC-21	Information Sharing Key Control	Aligned	Handling of Potential Evidence...	Incident_Response_Procedure.docx
AC-21	Information Sharing Key Control	Aligned	1. While Verterim desires to provide a reasonable level of p...	Acceptable_Use_Policy.docx
AC-21	Information Sharing Key Control	Aligned	3. Verterim recommends that any information that users consi...	Acceptable_Use_Policy.docx
AC-21	Information Sharing Key Control	Aligned	Protection of Associates' Protected Health Information...	01_-_Handbook_-_Verterim_-_10182019.pdf
AC-21	Information Sharing Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
AC-22	Publicly Accessible Content Key Control	Aligned	Discussion of Confidential Information or Proprietary Inform...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
AC-22	Publicly Accessible Content Key Control	Aligned	Purpose...	Information_Sensitivity_Policy.docx
AC-22	Publicly Accessible Content Key Control	Aligned	1. While Verterim desires to provide a reasonable level of p...	Acceptable_Use_Policy.docx
AC-22	Publicly Accessible Content Key Control	Aligned	2. Employees are responsible for exercising good judgment re...	Acceptable_Use_Policy.docx
AC-22	Publicly Accessible Content Key Control	Aligned	3. Verterim recommends that any information that users consi...	Acceptable_Use_Policy.docx
AC-22	Publicly Accessible Content Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
AC-23	Data Mining Protection	Aligned	Proprietary Information and Confidential Information Protect...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
AC-24	Access Control Decisions	Gap	Access control decisions (also known as authorization decisions) occur when authorization informatio...
AC-25	Reference Monitor Key Control	Aligned	Section 4 and 5 regarding monitoring and auditing...	Acceptable_Use_Policy.docx
AC-25	Reference Monitor Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	Compliance with policies and requirements concerning Confide...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
AC-3	Access Enforcement Key Control	Aligned	To minimize risk to Verterim from an outside business connec...	Information_Sensitivity_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	Storage...	Information_Sensitivity_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	Circumventing user authentication or security of any host, n...	Acceptable_Use_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	4.0 Policy...	Acceptable_Use_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	2. All PCs, laptops and workstations should be secured with ...	Acceptable_Use_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	Access control and accountability...	Information_Security_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	3.1 Workforce members using workstations shall consider the ...	Workstation_Security_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	3.2 Verterim will implement physical and technical safeguard...	Workstation_Security_Policy.docx
AC-3	Access Enforcement Key Control	Aligned	3.2...	Workstation_Security_Policy.docx
AC-4	Information Flow Enforcement Key Control	Aligned	Compliance with policies concerning Confidential Information...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
AC-4	Information Flow Enforcement Key Control	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
AC-5	Separation of Duties Key Control	Aligned	9. Affecting security breaches or disruptions of network com...	Acceptable_Use_Policy.docx
AC-5	Separation of Duties Key Control	Aligned	Internal control – defined responsibility and delegation of ...	Information_Security_Policy.docx
AC-6	Least Privilege	Aligned	Access control and accountability...	Information_Security_Policy.docx
AC-7	Unsuccessful Logon Attempts	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
AC-7	Unsuccessful Logon Attempts	Aligned	Circumventing user authentication or security of any host, n...	Acceptable_Use_Policy.docx
AC-7	Unsuccessful Logon Attempts	Aligned	Interfering with or denying service to any user other than t...	Acceptable_Use_Policy.docx
AC-8	System Use Notification	Gap	System use notifications can be implemented using messages or warning banners displayed before indiv...
AC-9	Previous Logon Notification	Gap	Previous logon notification is applicable to system access via human user interfaces and access to s...
AT-1	Policy and Procedures Key Control	Aligned	Awareness and training policy and procedures...	Acceptable_Use_Policy.docx
AT-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
AT-1	Policy and Procedures Key Control	Aligned	1.0 Purpose, 2.0 Scope, 3.0 Policy...	Workstation_Security_Policy.docx
AT-2	Literacy Training and Awareness Key Control	Gap	Organizations provide basic and advanced levels of literacy training to system users, including meas... Critical Gap - Key Control Missing
AT-3	Role-based Training Key Control	Gap	Organizations determine the content of training based on the assigned roles and responsibilities of ... Critical Gap - Key Control Missing
AT-4	Training Records Key Control	Gap	Documentation for specialized training may be maintained by individual supervisors at the discretion... Critical Gap - Key Control Missing
AT-6	Training Feedback	Gap	Training feedback includes awareness training results and role-based training results. Training resu...
AU-1	Policy and Procedures Key Control	Aligned	1.0 Purpose and 3.0 Policy...	Workstation_Security_Policy.docx
AU-10	Non-repudiation	Aligned	Handling of Potential Evidence...	Incident_Response_Procedure.docx
AU-11	Audit Record Retention Key Control	Aligned	Handling of Potential Evidence...	Incident_Response_Procedure.docx
AU-12	Audit Record Generation	Gap	Audit records can be generated from many different system components. The event types specified in A...
AU-13	Monitoring for Information Disclosure Key Control	Aligned	Proprietary Information Definition and Obligations...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
AU-13	Monitoring for Information Disclosure Key Control	Aligned	Information Classification...	Information_Sensitivity_Policy.docx
AU-13	Monitoring for Information Disclosure Key Control	Aligned	Protection of Associates' Protected Health Information...	01_-_Handbook_-_Verterim_-_10182019.pdf
AU-14	Session Audit Key Control	Aligned	Handling of Potential Evidence...	Incident_Response_Procedure.docx
AU-14	Session Audit Key Control	Aligned	Section 9 and 10 regarding security breaches and network mon...	Acceptable_Use_Policy.docx
AU-14	Session Audit Key Control	Aligned	Personal Use of Business Computer Systems and Communication ...	01_-_Handbook_-_Verterim_-_10182019.pdf
AU-16	Cross-organizational Audit Logging Key Control	Aligned	In addition, any information gathered that may be of value i...	Incident_Response_Procedure.docx
AU-2	Event Logging Key Control	Aligned	In addition, any information gathered that may be of value i...	Incident_Response_Procedure.docx
AU-3	Content of Audit Records Key Control	Aligned	In addition, any information gathered that may be of value i...	Incident_Response_Procedure.docx
AU-4	Audit Log Storage Capacity Key Control	Aligned	Handling of Potential Evidence...	Incident_Response_Procedure.docx
AU-5	Response to Audit Logging Process Failures Key Control	Gap	Audit logging process failures include software and hardware errors, failures in audit log capturing... Critical Gap - Key Control Missing
AU-6	Audit Record Review, Analysis, and Reporting Key Control	Aligned	In addition, any information gathered that may be of value i...	Incident_Response_Procedure.docx
AU-6	Audit Record Review, Analysis, and Reporting Key Control	Aligned	Section 4 and 5 regarding monitoring and auditing of network...	Acceptable_Use_Policy.docx
AU-7	Audit Record Reduction and Report Generation Key Control	Gap	Audit record reduction is a process that manipulates collected audit log information and organizes i... Critical Gap - Key Control Missing
AU-8	Time Stamps	Gap	Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated...
AU-9	Protection of Audit Information Key Control	Aligned	Handling of Potential Evidence...	Incident_Response_Procedure.docx
AU-9	Protection of Audit Information Key Control	Aligned	Section 5: Auditing Networks and Systems...	Acceptable_Use_Policy.docx
CA-1	Policy and Procedures Key Control	Aligned	Computer Security Incident Response plan...	Incident_Response_Procedure.docx
CA-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
CA-1	Policy and Procedures Key Control	Aligned	1.0 Purpose and 3.0 Policy...	Workstation_Security_Policy.docx
CA-2	Control Assessments Key Control	Aligned	Review of the Plan...	Incident_Response_Procedure.docx
CA-3	Information Exchange Key Control	Aligned	Configuration of Verterim-to-other business connections...	Information_Sensitivity_Policy.docx
CA-5	Plan of Action and Milestones	Aligned	Business Continuity...	Information_Security_Policy.docx
CA-6	Authorization Key Control	Gap	Authorizations are official management decisions by senior officials to authorize operation of syste... Critical Gap - Key Control Missing
CA-7	Continuous Monitoring Key Control	Aligned	Section 4 and 5 regarding monitoring and auditing of network...	Acceptable_Use_Policy.docx
CA-8	Penetration Testing	Gap	Penetration testing is a specialized type of assessment conducted on systems or individual system co...
CA-9	Internal System Connections Key Control	Gap	Internal system connections are connections between organizational systems and separate constituent ... Critical Gap - Key Control Missing
CM-1	Policy and Procedures	Aligned	The ISMS will define processes and standard practices that a...	Information_Security_Policy.docx
CM-1	Policy and Procedures	Aligned	1.0 Purpose, 2.0 Scope, 3.0 Policy...	Workstation_Security_Policy.docx
CM-10	Software Usage Restrictions Key Control	Aligned	Violations of the rights of any person or company protected ...	Acceptable_Use_Policy.docx
CM-10	Software Usage Restrictions Key Control	Aligned	Software License Compliance...	01_-_Handbook_-_Verterim_-_10182019.pdf
CM-11	User-installed Software Key Control	Aligned	Violations of the rights of any person or company protected ...	Acceptable_Use_Policy.docx
CM-11	User-installed Software Key Control	Aligned	Unauthorized copying of copyrighted material...	Acceptable_Use_Policy.docx
CM-11	User-installed Software Key Control	Aligned	Exporting software, technical information, encryption softwa...	Acceptable_Use_Policy.docx
CM-11	User-installed Software Key Control	Aligned	Introduction of malicious code or programs...	Acceptable_Use_Policy.docx
CM-11	User-installed Software Key Control	Aligned	Software Installation Policy...	01_-_Handbook_-_Verterim_-_10182019.pdf
CM-12	Information Location Key Control	Aligned	Purpose and Scope...	Information_Sensitivity_Policy.docx
CM-13	Data Action Mapping Key Control	Aligned	1. While Verterim desires to provide a reasonable level of p...	Acceptable_Use_Policy.docx
CM-13	Data Action Mapping Key Control	Aligned	3. Verterim recommends that any information that users consi...	Acceptable_Use_Policy.docx
CM-13	Data Action Mapping Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
CM-14	Signed Components	Gap	Software and firmware components prevented from installation unless signed with recognized and appro...
CM-2	Baseline Configuration	Gap	Baseline configurations for systems and system components include connectivity, operational, and com...
CM-3	Configuration Change Control Key Control	Aligned	The Security Team reviews the Plan periodically as Verterim ...	Incident_Response_Procedure.docx
CM-4	Impact Analyses Key Control	Aligned	2.1 Events and Incidents...	Incident_Response_Procedure.docx
CM-4	Impact Analyses Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
CM-5	Access Restrictions for Change Key Control	Aligned	3.1 and 3.2...	Workstation_Security_Policy.docx
CM-6	Configuration Settings	Gap	Configuration settings are the parameters that can be changed in the hardware, software, or firmware...
CM-7	Least Functionality	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
CM-8	System Component Inventory Key Control	Gap	System components are discrete, identifiable information technology assets that include hardware, so... Critical Gap - Key Control Missing
CM-9	Configuration Management Plan Key Control	Gap	Configuration management activities occur throughout the system development life cycle. As such, the... Critical Gap - Key Control Missing
CP-1	Policy and Procedures Key Control	Aligned	Contingency Planning Policy and Procedures...	Business_Continuity_Plan.docx
CP-1	Policy and Procedures Key Control	Aligned	This Computer Security Incident Response plan (the "Plan") d...	Incident_Response_Procedure.docx
CP-1	Policy and Procedures Key Control	Aligned	Contingency planning policy and procedures...	Information_Security_Policy.docx
CP-1	Policy and Procedures Key Control	Aligned	1.0 Purpose and 3.0 Policy...	Workstation_Security_Policy.docx
CP-10	System Recovery and Reconstitution	Aligned	Recovery-time objectives...	Business_Continuity_Plan.docx
CP-10	System Recovery and Reconstitution	Aligned	4 Recovery...	Incident_Response_Procedure.docx
CP-10	System Recovery and Reconstitution	Aligned	Business Continuity...	Information_Security_Policy.docx
CP-11	Alternate Communications Protocols	Aligned	Alternate Communications Between Verterim and Clients, Emplo...	Business_Continuity_Plan.docx
CP-11	Alternate Communications Protocols	Aligned	Business Continuity...	Information_Security_Policy.docx
CP-12	Safe Mode Key Control	Gap	For systems that support critical mission and business functionsâ€šÃ„Ã®including military operations... Critical Gap - Key Control Missing
CP-13	Alternative Security Mechanisms Key Control	Aligned	Our Business Continuity Plan...	Business_Continuity_Plan.docx
CP-13	Alternative Security Mechanisms Key Control	Aligned	The timely restoration of service disrupted by a failure wit...	Information_Security_Policy.docx
CP-2	Contingency Plan Key Control	Aligned	Our Business Continuity Plan...	Business_Continuity_Plan.docx
CP-2	Contingency Plan Key Control	Aligned	Contingency Planning for Systems...	Incident_Response_Procedure.docx
CP-2	Contingency Plan Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
CP-2	Contingency Plan Key Control	Aligned	Contingency Planning...	Information_Security_Policy.docx
CP-3	Contingency Training Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
CP-4	Contingency Plan Testing	Aligned	Business Continuity...	Information_Security_Policy.docx
CP-6	Alternate Storage Site Key Control	Aligned	Our Business Continuity Plan...	Business_Continuity_Plan.docx
CP-6	Alternate Storage Site Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
CP-7	Alternate Processing Site Key Control	Aligned	Alternate Communications Between Verterim and Clients, Emplo...	Business_Continuity_Plan.docx
CP-7	Alternate Processing Site Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
CP-8	Telecommunications Services Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
CP-9	System Backup Key Control	Aligned	Operational Risk...	Business_Continuity_Plan.docx
CP-9	System Backup Key Control	Aligned	Proprietary Information and Confidential Information Protect...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
CP-9	System Backup Key Control	Aligned	3.3.4 Collection of Evidence...	Incident_Response_Procedure.docx
CP-9	System Backup Key Control	Aligned	3.1 and 3.2...	Workstation_Security_Policy.docx
IA-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
IA-1	Policy and Procedures Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
IA-10	Adaptive Authentication	Aligned	9. Affecting security breaches or disruptions of network com...	Acceptable_Use_Policy.docx
IA-10	Adaptive Authentication	Aligned	11. Circumventing user authentication or security of any hos...	Acceptable_Use_Policy.docx
IA-11	Re-authentication Key Control	Gap	In addition to the re-authentication requirements associated with device locks, organizations may re... Critical Gap - Key Control Missing
IA-12	Identity Proofing Key Control	Aligned	Employment Eligibility Verification...	01_-_Handbook_-_Verterim_-_10182019.pdf
IA-2	Identification and Authentication (Organizational Users) Key Control	Aligned	Identification and Authentication Requirements...	01_-_Handbook_-_Verterim_-_10182019.pdf
IA-3	Device Identification and Authentication Key Control	Aligned	Section 9-12 regarding security breaches and unauthorized ac...	Acceptable_Use_Policy.docx
IA-4	Identifier Management Key Control	Gap	Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addre... Critical Gap - Key Control Missing
IA-5	Authenticator Management Key Control	Aligned	One Time Password Authentication...	Information_Sensitivity_Policy.docx
IA-5	Authenticator Management Key Control	Aligned	1. Keep passwords secure and do not share accounts....	Acceptable_Use_Policy.docx
IA-5	Authenticator Management Key Control	Aligned	Authenticator management and issuance...	01_-_Handbook_-_Verterim_-_10182019.pdf
IA-5	Authenticator Management Key Control	Aligned	Access control and accountability...	Information_Security_Policy.docx
IA-5	Authenticator Management Key Control	Aligned	Enabling a password-protected screen saver with a short time...	Workstation_Security_Policy.docx
IA-6	Authentication Feedback	Gap	Authentication feedback from systems does not provide information that would allow unauthorized indi...
IA-7	Cryptographic Module Authentication Key Control	Aligned	Access control and accountability...	Information_Security_Policy.docx
IA-8	Identification and Authentication (Non-organizational Users) Key Control	Gap	Non-organizational users include system users other than organizational users explicitly covered by ... Critical Gap - Key Control Missing
IA-9	Service Identification and Authentication Key Control	Aligned	DocuSign: e-signature processing for legal execution of cont...	Business_Continuity_Plan.docx
IR-1	Policy and Procedures	Aligned	1.2 Purpose...	Incident_Response_Procedure.docx
IR-1	Policy and Procedures	Aligned	Incident Response Policy and Procedures...	Information_Security_Policy.docx
IR-1	Policy and Procedures	Aligned	1.0 Purpose, 2.0 Scope, 3.0 Policy...	Workstation_Security_Policy.docx
IR-2	Incident Response Training	Aligned	Incident Response Organization...	Incident_Response_Procedure.docx
IR-3	Incident Response Testing	Gap	Organizations test incident response capabilities to determine their effectiveness and identify pote...
IR-4	Incident Handling Key Control	Aligned	Incident Response Planning...	Incident_Response_Procedure.docx
IR-4	Incident Handling Key Control	Aligned	Section 9-12 regarding security breaches and network disrupt...	Acceptable_Use_Policy.docx
IR-5	Incident Monitoring	Aligned	3 Incident Response...	Incident_Response_Procedure.docx
IR-6	Incident Reporting	Aligned	Incident Reporting Procedures...	01_-_Handbook_-_Verterim_-_10182019.pdf
IR-7	Incident Response Assistance	Aligned	Section 3: Incident Response...	Incident_Response_Procedure.docx
IR-8	Incident Response Plan Key Control	Aligned	3 Incident Response...	Incident_Response_Procedure.docx
IR-9	Information Spillage Response	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
MA-1	Policy and Procedures Key Control	Aligned	3.3.3 Response Activities and 3.3.4 Collection of Evidence...	Incident_Response_Procedure.docx
MA-1	Policy and Procedures Key Control	Aligned	1.0 Purpose and 3.0 Policy...	Workstation_Security_Policy.docx
MA-2	Controlled Maintenance Key Control	Gap	Controlling system maintenance addresses the information security aspects of the system maintenance ... Critical Gap - Key Control Missing
MA-3	Maintenance Tools Key Control	Gap	Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues ... Critical Gap - Key Control Missing
MA-4	Nonlocal Maintenance	Gap	Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through ...
MA-5	Maintenance Personnel Key Control	Aligned	3.1 Workforce members using workstations shall consider the ...	Workstation_Security_Policy.docx
MA-6	Timely Maintenance Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
MA-7	Field Maintenance	Gap	Field maintenance is the type of maintenance conducted on a system or system component after the sys...
MP-1	Policy and Procedures Key Control	Aligned	Purpose and Scope...	Information_Sensitivity_Policy.docx
MP-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
MP-1	Policy and Procedures Key Control	Aligned	1.0 Purpose, 2.0 Scope, 3.0 Policy...	Workstation_Security_Policy.docx
MP-1	Policy and Procedures Key Control	Aligned	1. Overview...	Equipment_Disposal_Policy.docx
MP-2	Media Access	Gap	System media includes digital and non-digital media. Digital media includes flash drives, diskettes,...
MP-3	Media Marking	Aligned	Marking is at the discretion of the owner or custodian of th...	Information_Sensitivity_Policy.docx
MP-4	Media Storage Key Control	Aligned	Physical Security Measures...	Information_Sensitivity_Policy.docx
MP-4	Media Storage Key Control	Aligned	Overview...	Equipment_Disposal_Policy.docx
MP-5	Media Transport Key Control	Aligned	In addition, any information gathered that may be of value i...	Incident_Response_Procedure.docx
MP-6	Media Sanitization	Aligned	Disposal/Destruction...	Information_Sensitivity_Policy.docx
MP-6	Media Sanitization	Aligned	Overview...	Equipment_Disposal_Policy.docx
MP-7	Media Use Key Control	Gap	System media includes both digital and non-digital media. Digital media includes diskettes, magnetic... Critical Gap - Key Control Missing
MP-8	Media Downgrading	Aligned	1. Overview...	Equipment_Disposal_Policy.docx
PE-1	Policy and Procedures Key Control	Aligned	4.0 Policy...	Acceptable_Use_Policy.docx
PE-1	Policy and Procedures Key Control	Aligned	1.0 Purpose and 3.0 Policy...	Workstation_Security_Policy.docx
PE-1	Policy and Procedures Key Control	Aligned	Overview and Purpose...	Equipment_Disposal_Policy.docx
PE-10	Emergency Shutoff	Gap	Emergency power shutoff primarily applies to organizational facilities that contain concentrations o...
PE-11	Emergency Power	Aligned	Ensuring that all workstations use a surge protector or a UP...	Workstation_Security_Policy.docx
PE-12	Emergency Lighting Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
PE-13	Fire Protection	Gap	The provision of fire detection and suppression systems applies primarily to organizational faciliti...
PE-14	Environmental Controls Key Control	Gap	The provision of environmental controls applies primarily to organizational facilities that contain ... Critical Gap - Key Control Missing
PE-15	Water Damage Protection	Gap	The provision of water damage protection primarily applies to organizational facilities that contain...
PE-16	Delivery and Removal Key Control	Aligned	Access Control Procedures...	01_-_Handbook_-_Verterim_-_10182019.pdf
PE-16	Delivery and Removal Key Control	Aligned	Restricting physical access to workstations...	Workstation_Security_Policy.docx
PE-17	Alternate Work Site Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
PE-18	Location of System Components Key Control	Aligned	9. Affecting security breaches or disruptions of network com...	Acceptable_Use_Policy.docx
PE-18	Location of System Components Key Control	Aligned	Restricting physical access to workstations and securing wor...	Workstation_Security_Policy.docx
PE-19	Information Leakage	Aligned	Information Classification...	Information_Sensitivity_Policy.docx
PE-19	Information Leakage	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
PE-2	Physical Access Authorizations Key Control	Aligned	Physical Access Authorizations...	01_-_Handbook_-_Verterim_-_10182019.pdf
PE-2	Physical Access Authorizations Key Control	Aligned	3.2 Verterim will implement physical and technical safeguard...	Workstation_Security_Policy.docx
PE-2	Physical Access Authorizations Key Control	Aligned	3.2 Verterim will implement physical and technical safeguard...	Workstation_Security_Policy.docx
PE-20	Asset Monitoring and Tracking Key Control	Gap	Asset location technologies can help ensure that critical assetsâ€šÃ„Ã®including vehicles, equipment... Critical Gap - Key Control Missing
PE-21	Electromagnetic Pulse Protection	Gap	An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a rang...
PE-22	Component Marking Key Control	Gap	Hardware components that may require marking include input and output devices. Input devices include... Critical Gap - Key Control Missing
PE-23	Facility Location	Gap	Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terror...
PE-3	Physical Access Control Key Control	Aligned	Physical Security...	Information_Sensitivity_Policy.docx
PE-3	Physical Access Control Key Control	Aligned	Physical Security...	Information_Sensitivity_Policy.docx
PE-3	Physical Access Control Key Control	Aligned	Physical Access Control Procedures...	01_-_Handbook_-_Verterim_-_10182019.pdf
PE-3	Physical Access Control Key Control	Aligned	Restricting physical access to workstations and securing wor...	Workstation_Security_Policy.docx
PE-4	Access Control for Transmission	Aligned	Physical security...	Information_Sensitivity_Policy.docx
PE-5	Access Control for Output Devices Key Control	Aligned	Physical security means either having actual possession of a...	Information_Sensitivity_Policy.docx
PE-5	Access Control for Output Devices Key Control	Aligned	Restricting physical access to workstations and ensuring mon...	Workstation_Security_Policy.docx
PE-6	Monitoring Physical Access Key Control	Gap	Physical access monitoring includes publicly accessible areas within organizational facilities. Exam... Critical Gap - Key Control Missing
PE-8	Visitor Access Records Key Control	Gap	Visitor access records include the names and organizations of individuals visiting, visitor signatur... Critical Gap - Key Control Missing
PE-9	Power Equipment and Cabling	Aligned	Protection of Power Equipment and Cabling...	Workstation_Security_Policy.docx
PL-1	Policy and Procedures	Aligned	Purpose and Scope...	Information_Sensitivity_Policy.docx
PL-1	Policy and Procedures	Aligned	1.1 Audience and 1.2 Purpose...	Incident_Response_Procedure.docx
PL-1	Policy and Procedures	Aligned	4.0 Policy...	Acceptable_Use_Policy.docx
PL-1	Policy and Procedures	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
PL-1	Policy and Procedures	Aligned	1.0 Purpose, 2.0 Scope, 3.0 Policy...	Workstation_Security_Policy.docx
PL-10	Baseline Selection Key Control	Gap	Control baselines are predefined sets of controls specifically assembled to address the protection n... Critical Gap - Key Control Missing
PL-11	Baseline Tailoring	Aligned	The Security Team reviews the Plan periodically as Verterim ...	Incident_Response_Procedure.docx
PL-2	System Security and Privacy Plans	Aligned	Section 2.2 Incident Response Organization...	Incident_Response_Procedure.docx
PL-2	System Security and Privacy Plans	Aligned	Section 2.1 describes the different types of requirements th...	Information_Security_Policy.docx
PL-4	Rules of Behavior Key Control	Aligned	VERTERIM ASSOCIATE CODE OF ETHICS AND BUSINESS CONDUCT...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
PL-4	Rules of Behavior Key Control	Aligned	1. Keep passwords secure and do not share accounts....	Acceptable_Use_Policy.docx
PL-4	Rules of Behavior Key Control	Aligned	4.0 Policy...	Acceptable_Use_Policy.docx
PL-4	Rules of Behavior Key Control	Aligned	Rules for handling keys and passwords...	01_-_Handbook_-_Verterim_-_10182019.pdf
PL-7	Concept of Operations Key Control	Gap	The CONOPS may be included in the security or privacy plans for the system or in other system develo... Critical Gap - Key Control Missing
PL-8	Security and Privacy Architectures	Gap	The security and privacy architectures at the system level are consistent with the organization-wide...
PL-9	Central Management Key Control	Aligned	Consistent execution of well defined processes will be an in...	Information_Security_Policy.docx
PM-1	Information Security Program Plan	Aligned	Information Security Program...	Information_Security_Policy.docx
PM-10	Authorization Process Key Control	Aligned	Integration of Information Security processes into business ...	Information_Security_Policy.docx
PM-11	Mission and Business Process Definition Key Control	Aligned	Proprietary Information and Confidential Information Protect...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
PM-11	Mission and Business Process Definition Key Control	Aligned	Purpose and Scope...	Information_Sensitivity_Policy.docx
PM-11	Mission and Business Process Definition Key Control	Aligned	2.2 Incident Response Organization...	Incident_Response_Procedure.docx
PM-11	Mission and Business Process Definition Key Control	Aligned	1. While Verterim desires to provide a reasonable level of p...	Acceptable_Use_Policy.docx
PM-11	Mission and Business Process Definition Key Control	Aligned	2. Employees are responsible for exercising good judgment re...	Acceptable_Use_Policy.docx
PM-11	Mission and Business Process Definition Key Control	Aligned	3. Verterim recommends that any information that users consi...	Acceptable_Use_Policy.docx
PM-11	Mission and Business Process Definition Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
PM-11	Mission and Business Process Definition Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
PM-12	Insider Threat Program Key Control	Gap	Organizations that handle classified information are required, under Executive Order 13587 EO 13587 ... Critical Gap - Key Control Missing
PM-13	Security and Privacy Workforce Key Control	Aligned	Commitment to Information Security and the establishment of ...	Information_Security_Policy.docx
PM-14	Testing, Training, and Monitoring	Aligned	Show active and clear support for the principles of Informat...	Information_Security_Policy.docx
PM-15	Security and Privacy Groups and Associations	Gap	Ongoing contact with security and privacy groups and associations is important in an environment of ...
PM-16	Threat Awareness Program	Aligned	Threat Information Classification...	Information_Sensitivity_Policy.docx
PM-17	Protecting Controlled Unclassified Information on External Systems	Aligned	Purpose and Scope...	Information_Sensitivity_Policy.docx
PM-18	Privacy Program Plan	Gap	A privacy program plan is a formal document that provides an overview of an organizationâ€šÃ„Ã´s pri...
PM-19	Privacy Program Leadership Role	Gap	The privacy officer is an organizational official. For federal agenciesâ€šÃ„Ã®as defined by applicab...
PM-2	Information Security Program Leadership Role	Aligned	Scope...	Information_Security_Policy.docx
PM-20	Dissemination of Privacy Program Information	Gap	For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include p...
PM-21	Accounting of Disclosures Key Control	Aligned	Handling of potential evidence...	Incident_Response_Procedure.docx
PM-22	Personally Identifiable Information Quality Management	Gap	Personally identifiable information quality management includes steps that organizations take to con...
PM-23	Data Governance Body Key Control	Gap	A Data Governance Body can help ensure that the organization has coherent policies and the ability t... Critical Gap - Key Control Missing
PM-24	Data Integrity Board	Gap	A Data Integrity Board is the board of senior officials designated by the head of a federal agency a...
PM-25	Minimization of Personally Identifiable Information Used in Testing, Training, and Research Key Control	Aligned	3.1 Workforce members using workstations shall consider the ...	Workstation_Security_Policy.docx
PM-26	Complaint Management	Aligned	Complaints of policy violation will be promptly and carefull...	01_-_Handbook_-_Verterim_-_10182019.pdf
PM-27	Privacy Reporting Key Control	Gap	Through internal and external reporting, organizations promote accountability and transparency in or... Critical Gap - Key Control Missing
PM-28	Risk Framing	Gap	Risk framing is most effective when conducted at the organization level and in consultation with sta...
PM-29	Risk Management Program Leadership Roles	Gap	The senior accountable official for risk management leads the risk executive (function) in organizat...
PM-3	Information Security and Privacy Resources	Aligned	Support for Information Security Principles and Roles and Re...	Information_Security_Policy.docx
PM-30	Supply Chain Risk Management Strategy	Gap	An organization-wide supply chain risk management strategy includes an unambiguous expression of the...
PM-31	Continuous Monitoring Strategy Key Control	Gap	Continuous monitoring at the organization level facilitates ongoing awareness of the security and pr... Critical Gap - Key Control Missing
PM-32	Purposing Key Control	Aligned	Mission Critical Systems...	Business_Continuity_Plan.docx
PM-4	Plan of Action and Milestones Process	Gap	The plan of action and milestones is a key organizational document and is subject to reporting requi...
PM-5	System Inventory	Gap	OMB A-130 provides guidance on developing systems inventories and associated reporting requirements....
PM-6	Measures of Performance	Aligned	Performance Management and Organizational Capability...	Information_Security_Policy.docx
PM-7	Enterprise Architecture	Aligned	Integration of Information Security processes into other bus...	Information_Security_Policy.docx
PM-8	Critical Infrastructure Plan	Aligned	Business Continuity...	Information_Security_Policy.docx
PM-9	Risk Management Strategy	Aligned	Comprehensive Strategy...	Information_Security_Policy.docx
PS-1	Policy and Procedures Key Control	Aligned	4.0 Policy...	Acceptable_Use_Policy.docx
PS-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
PS-1	Policy and Procedures Key Control	Aligned	1.0 Purpose and 3.0 Policy...	Workstation_Security_Policy.docx
PS-2	Position Risk Designation Key Control	Aligned	Position risk designations reflect Office of Personnel Manag...	Workstation_Security_Policy.docx
PS-3	Personnel Screening Key Control	Gap	Personnel screening and rescreening activities reflect applicable laws, executive orders, directives... Critical Gap - Key Control Missing
PS-4	Personnel Termination Key Control	Aligned	Exit Responsibilities of Associates...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
PS-4	Personnel Termination Key Control	Aligned	Exit Interview Process and Return of Property...	01_-_Handbook_-_Verterim_-_10182019.pdf
PS-5	Personnel Transfer Key Control	Aligned	Personnel Transfer Policy...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
PS-6	Access Agreements	Gap	Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, an...
PS-7	External Personnel Security Key Control	Aligned	3.0 Scope...	Acceptable_Use_Policy.docx
PS-7	External Personnel Security Key Control	Aligned	Personnel controls and Contractual controls...	Information_Security_Policy.docx
PS-7	External Personnel Security Key Control	Aligned	All Vendors / Suppliers that provide software and/or Service...	Ethical_Sourcing_Policy.docx
PS-8	Personnel Sanctions Key Control	Aligned	PAYMENTS TO GOVERNMENT OFFICIALS...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
PS-8	Personnel Sanctions Key Control	Aligned	Penalty for deliberate or inadvertent disclosure...	Information_Sensitivity_Policy.docx
PS-8	Personnel Sanctions Key Control	Aligned	Enforcement...	Information_Sensitivity_Policy.docx
PS-8	Personnel Sanctions Key Control	Aligned	Enforcement of Policies...	01_-_Handbook_-_Verterim_-_10182019.pdf
PS-8	Personnel Sanctions Key Control	Aligned	Disciplinary Actions...	Information_Security_Policy.docx
PS-9	Position Descriptions Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
PT-1	Policy and Procedures Key Control	Aligned	2.2 Incident Response Organization...	Incident_Response_Procedure.docx
PT-1	Policy and Procedures Key Control	Aligned	1. While Verterim desires to provide a reasonable level of p...	Acceptable_Use_Policy.docx
PT-1	Policy and Procedures Key Control	Aligned	2. Employees are responsible for exercising good judgment re...	Acceptable_Use_Policy.docx
PT-1	Policy and Procedures Key Control	Aligned	3. Verterim recommends that any information that users consi...	Acceptable_Use_Policy.docx
PT-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
PT-1	Policy and Procedures Key Control	Aligned	1.0 Purpose, 2.0 Scope, 3.0 Policy...	Workstation_Security_Policy.docx
PT-2	Authority to Process Personally Identifiable Information Key Control	Aligned	In addition, any information gathered that may be of value i...	Incident_Response_Procedure.docx
PT-2	Authority to Process Personally Identifiable Information Key Control	Aligned	Processing of Personally Identifiable Information...	01_-_Handbook_-_Verterim_-_10182019.pdf
PT-2	Authority to Process Personally Identifiable Information Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
PT-3	Personally Identifiable Information Processing Purposes Key Control	Gap	Identifying and documenting the purpose for processing provides organizations with a basis for under... Critical Gap - Key Control Missing
PT-4	Consent	Gap	Consent allows individuals to participate in making decisions about the processing of their informat...
PT-5	Privacy Notice Key Control	Gap	Privacy notices help inform individuals about how their personally identifiable information is being... Critical Gap - Key Control Missing
PT-6	System of Records Notice	Gap	The PRIVACT requires that federal agencies publish a system of records notice in the Federal Registe...
PT-7	Specific Categories of Personally Identifiable Information Key Control	Aligned	1. While Verterim desires to provide a reasonable level of p...	Acceptable_Use_Policy.docx
PT-7	Specific Categories of Personally Identifiable Information Key Control	Aligned	3. Verterim recommends that any information that users consi...	Acceptable_Use_Policy.docx
PT-7	Specific Categories of Personally Identifiable Information Key Control	Aligned	Protection of Associates’ Protected Health Information...	01_-_Handbook_-_Verterim_-_10182019.pdf
PT-7	Specific Categories of Personally Identifiable Information Key Control	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
PT-8	Computer Matching Requirements	Gap	The PRIVACT establishes requirements for federal and non-federal agencies if they engage in a matchi...
RA-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
RA-1	Policy and Procedures Key Control	Aligned	1.0 Purpose and 3.0 Policy...	Workstation_Security_Policy.docx
RA-10	Threat Hunting	Aligned	Response Objectives...	Incident_Response_Procedure.docx
RA-2	Security Categorization	Aligned	Purpose and Scope...	Information_Sensitivity_Policy.docx
RA-2	Security Categorization	Aligned	Incident Response Organization...	Incident_Response_Procedure.docx
RA-2	Security Categorization	Aligned	Purpose...	Information_Security_Policy.docx
RA-2	Security Categorization	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
RA-3	Risk Assessment Key Control	Gap	Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operati... Critical Gap - Key Control Missing
RA-5	Vulnerability Monitoring and Scanning	Gap	Security categorization of information and systems guides the frequency and comprehensiveness of vul...
RA-6	Technical Surveillance Countermeasures Survey	Gap	A technical surveillance countermeasures survey is a service provided by qualified personnel to dete...
RA-7	Risk Response	Aligned	Response Team Decision-Making...	Incident_Response_Procedure.docx
RA-8	Privacy Impact Assessments	Gap	A privacy impact assessment is an analysis of how personally identifiable information is handled to ...
RA-9	Criticality Analysis Key Control	Gap	Not all system components, functions, or services necessarily require significant protections. For e... Critical Gap - Key Control Missing
SA-1	Policy and Procedures Key Control	Aligned	Controls...	Information_Security_Policy.docx
SA-1	Policy and Procedures Key Control	Aligned	1.0 Purpose, 2.0 Scope, 3.0 Policy...	Workstation_Security_Policy.docx
SA-10	Developer Configuration Management Key Control	Gap	Organizations consider the quality and completeness of configuration management activities conducted... Critical Gap - Key Control Missing
SA-11	Developer Testing and Evaluation	Aligned	Security Team reviews the Plan periodically...	Incident_Response_Procedure.docx
SA-15	Development Process, Standards, and Tools Key Control	Aligned	Information Security Management System (ISMS) Processes...	Information_Security_Policy.docx
SA-16	Developer-provided Training	Gap	Developer-provided training applies to external and internal (in-house) developers. Training personn...
SA-17	Developer Security and Privacy Architecture and Design	Gap	Developer security and privacy architecture and design are directed at external developers, although...
SA-2	Allocation of Resources Key Control	Aligned	Resource allocation for information security and privacy...	Information_Security_Policy.docx
SA-20	Customized Development of Critical Components Key Control	Gap	Organizations determine that certain system components likely cannot be trusted due to specific thre... Critical Gap - Key Control Missing
SA-21	Developer Screening Key Control	Gap	Developer screening is directed at external developers. Internal developer screening is addressed by... Critical Gap - Key Control Missing
SA-22	Unsupported System Components Key Control	Gap	Support for system components includes software patches, firmware updates, replacement parts, and ma... Critical Gap - Key Control Missing
SA-23	Specialization Key Control	Gap	It is often necessary for a system or system component that supports mission-essential services or f... Critical Gap - Key Control Missing
SA-3	System Development Life Cycle Key Control	Aligned	Consistent execution of well defined processes will be an in...	Information_Security_Policy.docx
SA-4	Acquisition Process	Aligned	Controls...	Information_Security_Policy.docx
SA-5	System Documentation	Aligned	3.3.4 Collection of Evidence...	Incident_Response_Procedure.docx
SA-8	Security and Privacy Engineering Principles	Aligned	Information Security Management System (ISMS) Processes...	Information_Security_Policy.docx
SA-8	Security and Privacy Engineering Principles	Aligned	Where feasible and efficient, Information Security processes...	Information_Security_Policy.docx
SA-9	External System Services Key Control	Aligned	Establishing relationships with external service providers...	Business_Continuity_Plan.docx
SC-1	Policy and Procedures	Aligned	System and communications protection policy and procedures...	Business_Continuity_Plan.docx
SC-1	Policy and Procedures	Aligned	2.2 Incident Response Organization...	Incident_Response_Procedure.docx
SC-1	Policy and Procedures	Aligned	4.0 Policy...	Acceptable_Use_Policy.docx
SC-1	Policy and Procedures	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
SC-1	Policy and Procedures	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
SC-10	Network Disconnect	Gap	Network disconnect applies to internal and external networks. Terminating network connections associ...
SC-11	Trusted Path	Gap	Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) ...
SC-12	Cryptographic Key Establishment and Management	Aligned	Section 3: Encryption Recommendations...	Acceptable_Use_Policy.docx
SC-12	Cryptographic Key Establishment and Management	Aligned	Cryptographic controls...	Information_Security_Policy.docx
SC-12	Cryptographic Key Establishment and Management	Aligned	3.0 Policy...	Acceptable_Encryption_Policy.docx
SC-13	Cryptographic Protection	Aligned	Approved Encrypted email and files...	Information_Sensitivity_Policy.docx
SC-13	Cryptographic Protection	Aligned	Section 3: Encryption Recommendations...	Acceptable_Use_Policy.docx
SC-13	Cryptographic Protection	Aligned	3.0 Policy...	Acceptable_Encryption_Policy.docx
SC-15	Collaborative Computing Devices and Applications	Gap	Collaborative computing devices and applications include remote meeting devices and applications, ne...
SC-16	Transmission of Security and Privacy Attributes Key Control	Aligned	Proprietary Information and Confidential Information...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
SC-16	Transmission of Security and Privacy Attributes Key Control	Aligned	Purpose and Scope...	Information_Sensitivity_Policy.docx
SC-16	Transmission of Security and Privacy Attributes Key Control	Aligned	1. While Verterim desires to provide a reasonable level of p...	Acceptable_Use_Policy.docx
SC-16	Transmission of Security and Privacy Attributes Key Control	Aligned	Privacy and Confidentiality of Protected Health Information...	01_-_Handbook_-_Verterim_-_10182019.pdf
SC-16	Transmission of Security and Privacy Attributes Key Control	Aligned	3.1 Workforce members using workstations shall consider the ...	Workstation_Security_Policy.docx
SC-17	Public Key Infrastructure Certificates	Gap	Public key infrastructure (PKI) certificates are certificates with visibility external to organizati...
SC-18	Mobile Code	Gap	Mobile code includes any program, application, or content that can be transmitted across a network (...
SC-2	Separation of System and User Functionality	Gap	System management functionality includes functions that are necessary to administer databases, netwo...
SC-20	Secure Name/Address Resolution Service (Authoritative Source) Key Control	Gap	Providing authoritative source information enables external clients, including remote Internet clien... Critical Gap - Key Control Missing
SC-21	Secure Name/Address Resolution Service (Recursive or Caching Resolver)	Gap	Each client of name resolution services either performs this validation on its own or has authentica...
SC-22	Architecture and Provisioning for Name/Address Resolution Service	Gap	Systems that provide name and address resolution services include domain name system (DNS) servers. ...
SC-23	Session Authenticity	Aligned	9. Affecting security breaches or disruptions of network com...	Acceptable_Use_Policy.docx
SC-24	Fail in Known State	Aligned	3.3.4 Collection of Evidence...	Incident_Response_Procedure.docx
SC-24	Fail in Known State	Aligned	The timely restoration of service disrupted by a failure wit...	Information_Security_Policy.docx
SC-25	Thin Nodes	Gap	The deployment of system components with minimal functionality reduces the need to secure every endp...
SC-26	Decoys	Gap	Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and de...
SC-27	Platform-independent Applications	Gap	Platforms are combinations of hardware, firmware, and software components used to execute software a...
SC-28	Protection of Information at Rest Key Control	Aligned	Proprietary Information and Confidential Information Protect...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
SC-28	Protection of Information at Rest Key Control	Aligned	Verterim and Clients reserve the right to access and disclos...	01_-_Handbook_-_Verterim_-_10182019.pdf
SC-28	Protection of Information at Rest Key Control	Aligned	3.1 and 3.2...	Workstation_Security_Policy.docx
SC-29	Heterogeneity	Gap	Increasing the diversity of information technologies within organizational systems reduces the impac...
SC-3	Security Function Isolation	Gap	Security functions are isolated from nonsecurity functions by means of an isolation boundary impleme...
SC-30	Concealment and Misdirection	Gap	Concealment and misdirection techniques can significantly reduce the targeting capabilities of adver...
SC-31	Covert Channel Analysis	Aligned	9. Affecting security breaches or disruptions of network com...	Acceptable_Use_Policy.docx
SC-32	System Partitioning	Gap	System partitioning is part of a defense-in-depth protection strategy. Organizations determine the d...
SC-34	Non-modifiable Executable Programs Key Control	Gap	The operating environment for a system contains the code that hosts applications, including operatin... Critical Gap - Key Control Missing
SC-35	External Malicious Code Identification	Gap	External malicious code identification differs from decoys in SC-26 in that the components actively ...
SC-36	Distributed Processing and Storage Key Control	Gap	Distributing processing and storage across multiple physical locations or logical domains provides a... Critical Gap - Key Control Missing
SC-37	Out-of-band Channels Key Control	Aligned	Distribution outside of Verterim internal mail...	Information_Sensitivity_Policy.docx
SC-37	Out-of-band Channels Key Control	Aligned	Electronic distribution...	Information_Sensitivity_Policy.docx
SC-38	Operations Security	Aligned	Proprietary Information...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
SC-38	Operations Security	Aligned	Purpose...	Information_Sensitivity_Policy.docx
SC-38	Operations Security	Aligned	3.0 Policy...	Workstation_Security_Policy.docx
SC-39	Process Isolation	Gap	Systems can maintain separate execution domains for each executing process by assigning each process...
SC-4	Information in Shared System Resources Key Control	Aligned	9. Affecting security breaches or disruptions of network com...	Acceptable_Use_Policy.docx
SC-4	Information in Shared System Resources Key Control	Aligned	Overview...	Equipment_Disposal_Policy.docx
SC-40	Wireless Link Protection	Aligned	9. Affecting security breaches or disruptions of network com...	Acceptable_Use_Policy.docx
SC-41	Port and I/O Device Access	Gap	Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/ou...
SC-42	Sensor Capability and Data Key Control	Aligned	USE OF PERSONAL CELL PHONES AND MOBILE COMMUNICATION DEVICES...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
SC-42	Sensor Capability and Data Key Control	Aligned	Use of personal cell phones and other mobile communication d...	01_-_Handbook_-_Verterim_-_10182019.pdf
SC-43	Usage Restrictions Key Control	Aligned	USE OF PERSONAL CELL PHONES AND MOBILE COMMUNICATION DEVICES...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
SC-43	Usage Restrictions Key Control	Aligned	4.3. Unacceptable Use...	Acceptable_Use_Policy.docx
SC-44	Detonation Chambers	Gap	Detonation chambers, also known as dynamic execution environments, allow organizations to open email...
SC-45	System Time Synchronization	Gap	Time synchronization of system clocks is essential for the correct execution of many system services...
SC-46	Cross Domain Policy Enforcement Key Control	Aligned	Section 9-12 regarding security breaches and network monitor...	Acceptable_Use_Policy.docx
SC-47	Alternate Communications Paths	Aligned	Alternate Communications Between Verterim and Clients, Emplo...	Business_Continuity_Plan.docx
SC-47	Alternate Communications Paths	Aligned	Response Team Coordination...	Incident_Response_Procedure.docx
SC-47	Alternate Communications Paths	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
SC-47	Alternate Communications Paths	Aligned	The timely restoration of service disrupted by a failure wit...	Information_Security_Policy.docx
SC-48	Sensor Relocation Key Control	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
SC-49	Hardware-enforced Separation and Policy Enforcement Key Control	Gap	System owners may require additional strength of mechanism and robustness to ensure domain separatio... Critical Gap - Key Control Missing
SC-5	Denial-of-service Protection	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
SC-5	Denial-of-service Protection	Aligned	Interfering with or denying service to any user other than t...	Acceptable_Use_Policy.docx
SC-50	Software-enforced Separation and Policy Enforcement Key Control	Gap	System owners may require additional strength of mechanism to ensure domain separation and policy en... Critical Gap - Key Control Missing
SC-51	Hardware-based Protection	Gap	None....
SC-6	Resource Availability	Gap	Priority protection prevents lower-priority processes from delaying or interfering with the system t...
SC-7	Boundary Protection Key Control	Aligned	Configuration of Verterim-to-other business connections...	Information_Sensitivity_Policy.docx
SC-7	Boundary Protection Key Control	Aligned	Section 9: Affecting security breaches or disruptions of net...	Acceptable_Use_Policy.docx
SC-7	Boundary Protection Key Control	Aligned	Section 11: Circumventing user authentication or security of...	Acceptable_Use_Policy.docx
SC-7	Boundary Protection Key Control	Aligned	Section 12: Interfering with or denying service to any user ...	Acceptable_Use_Policy.docx
SC-7	Boundary Protection Key Control	Aligned	Zones and gateways – physical and network security, and remo...	Information_Security_Policy.docx
SC-8	Transmission Confidentiality and Integrity Key Control	Aligned	Operational Risk...	Business_Continuity_Plan.docx
SC-8	Transmission Confidentiality and Integrity Key Control	Aligned	Verterim Confidential...	Information_Sensitivity_Policy.docx
SC-8	Transmission Confidentiality and Integrity Key Control	Aligned	Section 3: Verterim recommends that any information that use...	Acceptable_Use_Policy.docx
SI-1	Policy and Procedures Key Control	Aligned	2.2 Incident Response Organization...	Incident_Response_Procedure.docx
SI-1	Policy and Procedures Key Control	Aligned	4.0 Policy...	Acceptable_Use_Policy.docx
SI-1	Policy and Procedures Key Control	Aligned	Support for Information Security principles and integration ...	Information_Security_Policy.docx
SI-1	Policy and Procedures Key Control	Aligned	1.0 Purpose and 3.0 Policy...	Workstation_Security_Policy.docx
SI-10	Information Input Validation	Gap	Checking the valid syntax and semantics of system inputsâ€šÃ„Ã®including character set, length, nume...
SI-11	Error Handling	Gap	Organizations consider the structure and content of error messages. The extent to which systems can ...
SI-12	Information Management and Retention	Aligned	Records Management and Backup Procedures...	Business_Continuity_Plan.docx
SI-12	Information Management and Retention	Aligned	VERTERIM ASSOCIATE CODE OF ETHICS AND BUSINESS CONDUCT...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
SI-12	Information Management and Retention	Aligned	Storage and Disposal/Destruction...	Information_Sensitivity_Policy.docx
SI-12	Information Management and Retention	Aligned	3.3.5 Notification...	Incident_Response_Procedure.docx
SI-13	Predictable Failure Prevention Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
SI-14	Non-persistence	Gap	Implementation of non-persistent components and services mitigates risk from advanced persistent thr...
SI-15	Information Output Filtering	Gap	Certain types of attacks, including SQL injections, produce output results that are unexpected or in...
SI-16	Memory Protection	Gap	Some adversaries launch attacks with the intent of executing code in non-executable regions of memor...
SI-17	Fail-safe Procedures Key Control	Aligned	Business Continuity...	Information_Security_Policy.docx
SI-18	Personally Identifiable Information Quality Operations Key Control	Aligned	Handling of Associates’ protected health information...	01_-_Handbook_-_Verterim_-_10182019.pdf
SI-18	Personally Identifiable Information Quality Operations Key Control	Aligned	3.1 Workforce members using workstations shall consider the ...	Workstation_Security_Policy.docx
SI-19	De-identification	Gap	De-identification is the general term for the process of removing the association between a set of i...
SI-2	Flaw Remediation Key Control	Gap	The need to remediate system flaws applies to all types of software and firmware. Organizations iden... Critical Gap - Key Control Missing
SI-20	Tainting	Aligned	2.2 Incident Response Organization...	Incident_Response_Procedure.docx
SI-20	Tainting	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
SI-21	Information Refresh	Gap	Retaining information for longer than it is needed makes it an increasingly valuable and enticing ta...
SI-22	Information Diversity Key Control	Gap	Actions taken by a system service or a function are often driven by the information it receives. Cor... Critical Gap - Key Control Missing
SI-23	Information Fragmentation	Gap	One objective of the advanced persistent threat is to exfiltrate valuable information. Once exfiltra...
SI-3	Malicious Code Protection	Aligned	Section 9-12 regarding security breaches and disruptions of ...	Acceptable_Use_Policy.docx
SI-4	System Monitoring	Aligned	3.3.4 Collection of Evidence...	Incident_Response_Procedure.docx
SI-4	System Monitoring	Aligned	Affecting security breaches or disruptions of network commun...	Acceptable_Use_Policy.docx
SI-4	System Monitoring	Aligned	Operations controls...	Information_Security_Policy.docx
SI-5	Security Alerts, Advisories, and Directives Key Control	Aligned	Incident Response Objectives...	Incident_Response_Procedure.docx
SI-6	Security and Privacy Function Verification Key Control	Gap	Transitional states for systems include system startup, restart, shutdown, and abort. System notific... Critical Gap - Key Control Missing
SI-7	Software, Firmware, and Information Integrity Key Control	Gap	Unauthorized changes to software, firmware, and information can occur due to errors or malicious act... Critical Gap - Key Control Missing
SI-8	Spam Protection Key Control	Aligned	Email and Communications Activities...	Acceptable_Use_Policy.docx
SR-1	Policy and Procedures Key Control	Aligned	Decisions made that contain Information Security, Privacy, o...	Information_Security_Policy.docx
SR-10	Inspection of Systems or Components	Gap	The inspection of systems or systems components for tamper resistance and detection addresses physic...
SR-11	Component Authenticity	Aligned	Section 4: Introduction of malicious code or programs...	Acceptable_Use_Policy.docx
SR-12	Component Disposal Key Control	Aligned	Disposal/Destruction...	Information_Sensitivity_Policy.docx
SR-12	Component Disposal Key Control	Aligned	Overview...	Equipment_Disposal_Policy.docx
SR-2	Supply Chain Risk Management Plan Key Control	Aligned	Supply Chain Risk Management Policy...	Ethical_Sourcing_Policy.docx
SR-3	Supply Chain Controls and Processes Key Control	Aligned	3.5 Working Conditions...	Ethical_Sourcing_Policy.docx
SR-4	Provenance Key Control	Aligned	3.3.4 Collection of Evidence...	Incident_Response_Procedure.docx
SR-5	Acquisition Strategies, Tools, and Methods Key Control	Gap	The use of the acquisition process provides an important vehicle to protect the supply chain. There ... Critical Gap - Key Control Missing
SR-6	Supplier Assessments and Reviews Key Control	Aligned	Assessment and review of supplier risk...	Business_Continuity_Plan.docx
SR-7	Supply Chain Operations Security Key Control	Aligned	Proprietary Information and Confidential Information Protect...	02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf
SR-8	Notification Agreements Key Control	Aligned	Communication with Critical Business Constituents...	Business_Continuity_Plan.docx
SR-9	Tamper Resistance and Detection	Gap	Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system co...

AI Justification

The text discusses the proper disposal of technology equipment and emphasizes the need for securely erasing data before disposal, aligning with the requirement to securely dispose of data as outlined in the enterprise’s documented data management process.

Information_Security_Policy.docx CIS

0 matches found

No detailed analysis available for this document.

Workstation_Security_Policy.docx CIS

0 matches found

No detailed analysis available for this document.

Incident_Response_Procedure.docx CIS

1 matches found

Document Content

Matched Section

Acceptable_Encryption_Policy.docx CIS

1 matches found

Document Content

Matched Section

Document Content

Matched Section

AI Justification

The text discusses the importance of maintaining communication paths and the measures taken to ensure continuity of services during disruptions, which aligns with the need for alternate communications paths as outlined in SC-47.

Document Content

Matched Section

Section: Discussion of Confidential Information or Proprietary Information on social networking websites
Content: Any discussion of Confidential Information or Proprietary Information (that is confidential) on social networking websites and weblogs such as Facebook, LinkedIn, Twitter, MySpace and similar sites is strictly prohibited, regardless of privacy settings and/or the intended recipient.

AI Justification

The chunk discusses the prohibition of discussing confidential or proprietary information on social networking sites, aligning with the control's focus on restricting access to nonpublic information.

Document Content

Matched Section

Section: Proprietary Information
Content: Proprietary Information is any information that is the property of a Client or VERTERIM, or that a Client or VERTERIM obtains the right to use from a third party that owns such information. Proprietary Information shall include, without limitation, trade secrets and information regarding VERTERIM or a Client’s: (1) business; (2) financial performance, if it is not already generally publically available; (3) customers; (4) products, services, and pricing; (5) patents and other intellectual property; (6) systems plans and information; (7) data centers or other property information; (8) passwords and computer programs; (9) business plans; (10) marketing plans, strategies, and costs; and (11) potential acquisitions and divestitures. Proprietary Information may, but need not, be confidential.

AI Justification

The chunk discusses proprietary information, which aligns with the definition of information that may be restricted based on formal or administrative determinations.

Document Content

Matched Section

The chunk discusses Proprietary Information and the obligation to protect it, which relates to the management of security and privacy attributes associated with information.

Document Content

Matched Section

AI Justification

The chunk discusses the protection of proprietary and confidential information, which aligns with the control's focus on the confidentiality and integrity of information at rest.

Document Content

Matched Section

AI Justification

The chunk discusses the protection of proprietary information, which aligns with the OPSEC process of identifying and protecting critical information.

Document Content

Matched Section

AI Justification

The chunk discusses the use of personal mobile devices and the associated policies regarding their use, which aligns with the control's focus on sensor capabilities in mobile devices.

Document Content

Document Content

Matched Section

AI Justification

The text discusses the need to restrict access to corporate information from external business connections, which aligns with the control's focus on managing external systems and their access.

Document Content

Matched Section

Section: Purpose
Content: The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of Verterim without proper authorization.

AI Justification

The section discusses guidelines for determining what information can be disclosed and emphasizes the sensitivity of information, aligning with the control's focus on restricted information sharing.

Document Content

Matched Section

The chunk discusses the use of one-time password authentication, which aligns with the control's focus on various types of authenticators including one-time password devices.

Document Content

Matched Section

AI Justification

The text discusses the importance of policies and procedures related to information sensitivity and handling, which aligns with the requirements of MP-1 for establishing media protection policies.

Document Content

Matched Section

Section: Marking is at the discretion of the owner or custodian of the information.
Content: Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words 'Verterim Confidential' may be written or designated in a conspicuous place on or in the information in question. If no marking is present, Verterim information is presumed to be 'Verterim Confidential' unless expressly determined to be Verterim Public information by a Verterim employee with authority to do so.

AI Justification

The text discusses the marking of information as 'Verterim Confidential' and the implications of marking or not marking information, which aligns with the control's focus on security marking.

Document Content

Matched Section

The chunk discusses methods for securing computers and sensitive materials, which aligns with the physical access control measures outlined in PE-3.

Document Content

Matched Section

Section: Physical security
Content: Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.

AI Justification

The chunk discusses methods of securing physical devices, which aligns with the control's focus on preventing physical tampering and ensuring security for devices.

Document Content

Document Content

Matched Section

AI Justification

The text discusses the categorization of information sensitivity and the importance of determining what information can be disclosed, which aligns with the security categorization process outlined in RA-2.

Document Content

Document Content

Matched Section

Section: Distribution outside of Verterim internal mail
Content: Sent via U.S. mail or approved private carriers.

AI Justification

The chunk discusses the use of U.S. mail and approved private carriers for distribution, which aligns with the concept of out-of-band channels as they are separate from electronic channels.

Document Content

Matched Section

Section: Electronic distribution
Content: No restrictions to approved recipients within Verterim, but should be encrypted or sent via a private link to approved recipients outside of Verterim premises.

AI Justification

The mention of electronic distribution being encrypted or sent via a private link aligns with the need for secure transmission methods, which is a consideration for out-of-band channels.

Document Content

Matched Section

AI Justification

The text discusses minimizing risk from outside business connections and restricting access to corporate information, which aligns with the concept of boundary protection and managed interfaces.

Document Content

Matched Section

Section: Handling of Potential Evidence
Content: • All information must be logged. • When possible obtain supporting logs from other computers or devices as evidence to support primary evidence. • The chain of evidence must be protected. All actions taken with potential evidence must be logged. This includes change of possession/access, burning to read-only media, change of location. Include who, what, where and when. • All handling of potential evidence must be logged. For example the transfer of evidence from one computer to another and the burning of evidence

AI Justification

The chunk discusses the logging of information and handling of potential evidence, which aligns with the session auditing practices outlined in AU-14.

Document Content

Document Content

Matched Section

Section: Computer Security Incident Response plan
Content: This Computer Security Incident Response plan (the "Plan") describes preparation, policies and procedures for response to an anticipated, suspected or ongoing security incident.

AI Justification

The text discusses the importance of policies and procedures in response to security incidents, aligning with the need for assessment and monitoring as outlined in CA-1.

Document Content

The chunk discusses the importance of documenting evidence and system activity, which aligns with the need for system documentation to understand the implementation and operation of controls.

Document Content

Matched Section

AI Justification

The text discusses the importance of policies and procedures related to system and communications protection, which aligns with the control SC-1.

Document Content

Matched Section

AI Justification

The chunk discusses the importance of preserving system state information and capturing evidence, which aligns with the control's focus on maintaining system integrity and preventing loss of confidentiality, integrity, or availability during failures.

Document Content

Matched Section

Section: Response Team Coordination
Content: All available members of the Response team join a conference call where the verifier shares indicators and their analysis. At this time the Response Team may conclude on the basis of the information at hand or additional information that has subsequently become available that no security threat exists and end the response protocol.

AI Justification

The text discusses the coordination of the Response Team and the importance of communication during incident response, which aligns with the need for alternate communications paths as stated in SC-47.

Document Content

Matched Section

The text discusses the importance of capturing and documenting evidence, which aligns with the objectives of system monitoring, including the observation of events and the collection of data for future legal proceedings.

Document Content

The text discusses unauthorized access and actions that can lead to security breaches, which relates to the need for separation of duties to prevent abuse of privileges.

Document Content

Matched Section

The chunk discusses the importance of keeping passwords secure, changing them regularly, and managing authenticator security, which aligns with the requirements for authenticators outlined in IA-5.

Document Content

Matched Section

AI Justification

The chunk emphasizes the responsibilities of authorized users regarding password security, which aligns with the need for established rules of behavior for using authenticators.

Document Content

Matched Section

AI Justification

The chunk mentions the importance of securing systems with password-protected screensavers and logging off when unattended, which aligns with access enforcement controls.

Document Content

Matched Section

The recommendation for encrypting sensitive information aligns with the need to protect personally identifiable information and the associated risks.

Document Content

Matched Section

AI Justification

The text emphasizes the importance of policies and procedures for security, which aligns with the need for a personnel security policy as outlined in PS-1.

Document Content

Document Content

Matched Section

Section: 4.0 Policy
Content: The purpose of this policy is to outline the acceptable use of computer equipment at Verterim. These rules are in place to protect the employee and Verterim.

AI Justification

The text discusses the importance of policies and procedures related to system and communications protection, emphasizing the need for collaboration between security and privacy programs.

Document Content

Document Content

Matched Section

AI Justification

The mention of denial of service attacks directly relates to the control's focus on preventing such attacks.

Document Content

Matched Section

Section: Section 3: Verterim recommends that any information that users consider sensitive or vulnerable be encrypted.
Content: Verterim recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see Verterim's Information Sensitivity Policy. For guidelines on encrypting email and documents, see Verterim’s Acceptable Encryption Policy.

AI Justification

The chunk discusses the importance of encrypting sensitive information, which aligns with the control's focus on protecting confidentiality and integrity during transmission.

Document Content

Matched Section

AI Justification

The text discusses the handling and protection of personally identifiable information, particularly in the context of health information, which aligns with the control's focus on ensuring the accuracy and relevance of such information throughout its life cycle.

Information_Security_Policy.docx NIST

66 matches found

Document Content

Matched Section

AI Justification

The text discusses the importance of accountability and authority in decision-making related to information security and privacy, which aligns with the need for an access control policy that defines roles and responsibilities.

Document Content

Matched Section

Section: Internal control – defined responsibility and delegation of authority, process controls, segregation and separation of duties
Content: * Internal control – defined responsibility and delegation of authority, process controls, segregation and separation of duties

AI Justification

The chunk discusses segregation and separation of duties, which aligns with the principles of AC-5.

Document Content

Matched Section

Document Content

Matched Section

Section: The timely restoration of service disrupted by a failure within a system, process, or function
Content: * The timely restoration of service disrupted by a failure within a system, process, or function * The emergency recovery of service at an alternate location in the event of a disaster or prolonged outage at the primary site * Limited recovery of critical services in the event of major loss of staff.

AI Justification

The text discusses the timely restoration of services and emergency recovery, which aligns with the concept of using alternative mechanisms to ensure continuity of operations.

Document Content

Document Content

Matched Section

AI Justification

Document Content

Matched Section

The text discusses identifying and limiting business risks associated with major failures or disasters, which aligns with specifying system components that result in increased risk.

Document Content

The text discusses the execution of defined processes as indicators of organizational capability and maturity, which aligns with the concept of measuring effectiveness and efficiency in information security programs.

Document Content

Matched Section

AI Justification

The text discusses the identification and management of business risks and the criticality of services, which aligns with the prioritization of critical assets and resources.

Document Content

Matched Section

Section: Comprehensive Strategy
Content: Decisions made that contain Information Security, Privacy, or risk-related concerns must be made by those with accountability and authority for accepting the risks involved. Risks will be reported and aggregated upward for review and treatment as analyzed by the ISP using the policies, procedures, and methodologies of the ISMS.

AI Justification

The text discusses the need for accountability in decision-making related to information security and risk management, aligning with the principles of an organization-wide risk management strategy.

Document Content

Matched Section

AI Justification

The text discusses the importance of accountability and authority in decision-making related to information security and risk management, which aligns with the establishment of personnel security policies and procedures.

Document Content

Matched Section

Section: Personnel controls and Contractual controls
Content: Personnel controls – Working with the Human Resources department, will assist with the screening, employment terms and conditions, compliance agreements, awareness, training, supervision, incentives, and consequences for full time and part time staff, contractors and vendors’ personnel. Contractual controls, including outsourcing.

AI Justification

The chunk discusses personnel controls and contractual controls, which relate to the management of external providers and their personnel.

Document Content

The text discusses the integration of information security processes into various business processes, which aligns with the principles of systems security engineering as outlined in SA-8.

Document Content

Matched Section

Document Content

Document Content

Matched Section

Section: Zones and gateways – physical and network security, and remote access
Content: Zones and gateways – physical and network security, and remote access

AI Justification

The chunk discusses planning and architecture related to zones and gateways, which aligns with the control's focus on managed interfaces and boundary protection.

Document Content

Document Content

Matched Section

Section: Operations controls
Content: Operations controls – IT service management, operating procedures, system integrity, monitoring and reporting, intrusion detection, and incident management

AI Justification

The chunk discusses operations controls including monitoring and reporting, which aligns with the objectives of system monitoring as described in control SI-4.

Document Content

Document Content

Matched Section

AI Justification

The policy discusses the importance of protecting sensitive information, including PII, and ensuring that access is restricted to authorized users, which aligns with the principles of information sharing and access restrictions outlined in AC-21.

Document Content

Matched Section

AI Justification

The text discusses the importance of restricting access to sensitive information and ensuring that only authorized users can access such information, which aligns with the control's focus on managing access to nonpublic information.

Document Content

Matched Section

AI Justification

The text discusses the enforcement of access control policies to restrict access to sensitive information, aligning with the requirements of a reference monitor.

Document Content

Matched Section

AI Justification

The text discusses the importance of considering the sensitivity of information and minimizing unauthorized access, which aligns with the principles of access control policies.

Document Content

Matched Section

AI Justification

The implementation of physical and technical safeguards to restrict access to authorized users directly relates to access control policies.

Document Content

Matched Section

Section: 1.0 Purpose, 2.0 Scope, 3.0 Policy
Content: The purpose of this policy is to provide guidance for workstation security for Verterim workstations in order to ensure the security of information on the workstation and information the workstation may have access to. This policy applies to all Verterim employees, contractors, workforce members, vendors and agents with a Verterim-owned or personal-workstation connected to the Verterim network. Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information, including protected health information (PHI), Personally Identifiable Information (PII) and that access to sensitive information is restricted to authorized users and protected from disclosure.

AI Justification

The text discusses the importance of policies and procedures for workstation security, which aligns with the need for awareness and training related to security controls.

Document Content

Document Content

Matched Section

Section: 3.1 and 3.2
Content: 3.1 Workforce members using workstations shall consider the sensitivity of the information, including protected health information (PHI), Personally Identifiable Information (PII) that may be accessed and minimize the possibility of unauthorized access. 3.2 Verterim will implement physical and technical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.

AI Justification

The text discusses the importance of restricting access to systems and ensuring that only authorized individuals can make changes, which aligns with the control's focus on managing changes to systems securely.

Document Content

Matched Section

Section: 3.2
Content: 3.2 Verterim will implement physical and technical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.

AI Justification

The mention of restricting access to authorized users directly aligns with the access enforcement control.

Document Content

Matched Section

AI Justification

The text discusses the importance of policies and procedures for ensuring security and privacy, which aligns with the requirements of CP-1 regarding contingency planning.

Document Content

The mention of using surge protectors and UPS aligns with the need to determine necessary protections for power equipment and cabling.

Document Content

Matched Section

AI Justification

The text discusses the importance of policies and procedures for workstation security, which aligns with the planning and implementation of controls as outlined in PL-1.

Document Content

Document Content

Document Content

Matched Section

AI Justification

Document Content

Matched Section

AI Justification

The policy outlines the need for appropriate measures to protect sensitive information, including PII, which aligns with the requirements for applying conditions or protections for specific categories of personally identifiable information.

Document Content

Matched Section

AI Justification

The text discusses the importance of policies and procedures for workstation security, which aligns with the need for risk assessment policies that address security measures.

Document Content

Matched Section

AI Justification

The text discusses the importance of ensuring the confidentiality, integrity, and availability of sensitive information, which aligns with the need for security categorization to understand potential adverse impacts.

Document Content

Matched Section

AI Justification

The text discusses the importance of policies and procedures for security and privacy assurance, which aligns with the requirements of SA-1 regarding the establishment of such policies.

Document Content

Matched Section

AI Justification

The text discusses the importance of policies and procedures for workstation security, which aligns with the need for a system and communications protection policy.

Document Content

Section: 3.0 Policy
Content: All Verterim encryption shall be done using NIST approved cryptographic modules. Common and recommended ciphers include AES 256, Triple DES and RSA. Symmetric cryptosystem key lengths must be at least 128 bits. Asymmetric crypto-system keys must be of a length that yields equivalent strength. Verterim’s key length requirements shall be reviewed annually as part of the yearly security review and upgraded as technology allows.

AI Justification

The policy outlines the use of NIST approved cryptographic modules and specifies key length requirements, aligning with the control's focus on key management and establishment.

Document Content

Matched Section

AI Justification

The policy emphasizes the use of NIST approved cryptographic modules and specifies the use of certain algorithms, aligning with the control's focus on cryptography for security solutions.

Equipment_Disposal_Policy.docx NIST

7 matches found

Document Content

Document Content

Matched Section

Section: 1. Overview
Content: In order to protect our constituent’s data, all storage mediums must be properly erased before being disposed of. However, simply deleting or even formatting data is not considered sufficient. When deleting files or formatting a device, data is marked for deletion, but is still accessible until being overwritten by a new file. Therefore, special tools must be used to securely erase data prior to equipment disposal.

AI Justification

The text discusses the proper disposal and erasure of storage media, which aligns with the concept of media downgrading to ensure sensitive data is not retrievable.

Document Content

Controls Aligned

Frameworks

Key Controls

Overall Alignment

Framework Breakdown

Key Controls Status

Compliance Summary & Framework Analysis

Framework Compliance Overview

Document Analysis Details

02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf 2 frameworks

01_-_Handbook_-_Verterim_-_10182019.pdf 2 frameworks

Acceptable_Use_Policy.docx 2 frameworks

Business_Continuity_Plan.docx 2 frameworks

Equipment_Disposal_Policy.docx 2 frameworks

Information_Security_Policy.docx 2 frameworks

Workstation_Security_Policy.docx 2 frameworks

Incident_Response_Procedure.docx 2 frameworks

Information_Sensitivity_Policy.docx 2 frameworks

Acceptable_Encryption_Policy.docx 2 frameworks

Ethical_Sourcing_Policy.docx 1 frameworks

CIS Framework Checklist Complete control verification 20.6% Complete

NIST Framework Checklist Complete control verification 58.7% Complete

Detailed Document Analysis

02_-_Code_of_Ethics_and_Business_Conduct_-_Verterim.pdf CIS

3.7 Data Classification Scheme... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

01_-_Handbook_-_Verterim_-_10182019.pdf CIS

Acceptable_Use_Policy.docx CIS

3.7 Data Classification Scheme... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

3.11 Encrypt sensitive data at rest... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

4.3 Session Locking... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

Business_Continuity_Plan.docx CIS

Equipment_Disposal_Policy.docx CIS

3.1 Access Control Policy... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

3.5 Secure Data Disposal... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

Information_Security_Policy.docx CIS

Workstation_Security_Policy.docx CIS

Incident_Response_Procedure.docx CIS

3.14 Log sensitive data access... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

Information_Sensitivity_Policy.docx CIS

3.1 Data Management Process... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

3.5 Secure Data Disposal... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

3.7 Data Classification Scheme... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

4.6 Securely manage enterprise assets and software... Click to view evidence details Matched

Document Content

Matched Section

AI Justification

Acceptable_Encryption_Policy.docx CIS

3.11 Encrypt sensitive data at rest... Click to view evidence details Matched