UCF Quarterly release for Q4 08

Hello!

Welcome to the Q4 08 release notes for the Unified Compliance Framework.

We've done a lot of work this quarter. The UCF team reviewed a total of 34 authority documents with 1813 unique citations. The result: the Q4 08 Unified Compliance Framework includes 640 updated and 25 new controls.

We also determined that systems hardening and configuration management included enough controls to merit their own impact zone, separate from operational management. UCF customers with an Operational Management subscription will receive the newly created Configuration Management spreadsheet for the remainder of their subscription.

In short, one heck of a lot of work!

We welcome your feedback and appreciate your business.

Warm regards,

Dorian Cougias, Marcelo Halpern, and the rest of the UCF team

------------

What follows are the lists of authority documents that we've reviewed and released this quarter, and the list of the controls that we've reviewed and either updated or created this quarter.

The list of authority documents we've updated is as follows:

Sarbanes Oxley: Sarbanes-Oxley Act (SOX)
PCAOB AS 2: PCAOB Auditing Standard No. 2
AICPA Privacy: AICPA/CICA Privacy Framework
AICPA Suitable Trust: AICPA Suitable Trust Services Criteria
SEC 17 CFR 210 2 06: Retention of Audit and Review Records, SEC 17 CFR 210.2-06
SEC 17 CFR 240 15d 15: Controls and Procedures, SEC 17 CFR 240.15d-15
SEC 17 CFR 240 16a 3: Reporting Transactions and Holdings, SEC 17 CFR 240.16a-3
COSO ERM: COSO Enterprise Risk Management (ERM) Framework
Securities Exchange Act 1934: Securities Exchange Act of 1934
PCAOB AS 3: PCAOB Audit Standard No. 3
PCAOB AS 5: PCAOB Audit Standard No. 5
SAS 109: SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
SAS 110: SAS 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
NYSE Listed Company Manual: NYSE Listed Company Manual
Securities Act of 1933: Securities Act of 1933
SEC 17 CFR 210 through 229: Part II Securities and Exchange Commission 17 CFR Parts 210, 228, 229 and 240 Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting; Final Rule
PCI DSS 1.2: Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2
PCI SAQ A 1.2: Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2 October 2008
PCI SAQ B 1.2: Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2 October 2008
PCI SAQ C 1.2: Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2 October 2008
PCI SAQ D 1.2: Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008
NIST 800 55 R1: Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1
ISF Standard 2007: The Standard of Good Practice for Information Security
EU 8th Directive: EU 8th Directive (European SOX)
OECD Corporate Governance: OECD Principles of Corporate Governance
Combined Code: Financial Reporting Council, Combined Code on Corporate Governance
CMA Code of Ethics Standards: Canadian Marketing Association Code of Ethics and Standards of Practice
German Corporate Governance Code: German Corporate Governance Code ("The Code")
The Dutch corporate governance code: The Dutch corporate governance code, Principles of good corporate governance and best practice provisions
South African King Report 2002: The King Committee on Corporate Governance, Executive Summary of the King Report 2002
Swedish Code of Corporate Governance: Swedish Code of Corporate Governance; A Proposal by the Code Group
Australia CLERP: Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004
India Clause 49: Corporate Governance in listed Companies – Clause 49 of the Listing Agreement
Singapore Corporate Governance: CODE OF CORPORATE GOVERNANCE 2005

The list of controls that we've either updated or added is as follows:

Acquisition of technology and services, 9 records changed/updated:

Acquisition of technology and services [UCF Control ID 01123]
Consider alternative courses of action [UCF Control ID 01128]
Formulation of acquisition strategy [UCF Control ID 01133]
Risk Analysis report and decision approval. [UCF Control ID 01135]
Procurement Control [UCF Control ID 01136]
Document the software product acquisition methodology [UCF Control ID 01138]
Software licensing [UCF Control ID 01140]
Examine received software for vulnerabilities [UCF Control ID 01898]
Examine received hardware for vulnerabilities [UCF Control ID 01899]

Audits and risk management, 52 records changed/updated:

Audits and risk management [UCF Control ID 00677]
Clearly define the roles and responsibilities of all involved in the auditing process [UCF Control ID 00678]
Board of directors and senior management [UCF Control ID 00679]
IT audit will report to the board as an independent process [UCF Control ID 01184]
The board of directors will ensure outsourced audits are effectively managed [UCF Control ID 01203]
The board of directors will review external auditor's involvement in assessments of controls [UCF Control ID 01204]
Internal IT Audit Manager will functionally report to senior management [UCF Control ID 01185]
Internal IT Audit Manager will report findings directly to the board [UCF Control ID 01152]
Internal IT Audit Manager's compensation and appraisals will not be conducted by the board or audit committee [UCF Control ID 01186]
Internal IT Audit Staff [UCF Control ID 00681]
Internal IT Audit Staff will be responsible for operating a system of internal controls and will be trained to perform operational duties [UCF Control ID 01187]
External auditors [UCF Control ID 00683]
External auditor outsourcing contracts and engagement letters [UCF Control ID 01188]
Review of external auditor outsourcing contracts and engagement letters [UCF Control ID 01189]
Review of confidential information [UCF Control ID 01194]
Review of report and workpaper records management practices [UCF Control ID 01195]
Review of external auditor performance [UCF Control ID 01198]
Review of external auditor workpaper and report conclusions [UCF Control ID 01200]
External auditors must be present at the annual meeting to answer questions about how audits were conducted and what is contained in their reports [UCF Control ID 04587] (New)
Internal audit program [UCF Control ID 00684]
Define materiality in IT compliance audits [UCF Control ID 01238]
Defining material change within information processes, information systems, and IT assets [UCF Control ID 01239]
Defining material weaknesses, failures, and errors within information processes, information systems, and IT assets [UCF Control ID 01240]
Audit Reporting [UCF Control ID 01145]
Review audit report and work papers [UCF Control ID 01146]
Review past audit reports for general adequacy [UCF Control ID 01155]
Review past audit reports for specific program steps and calculations as necessary [UCF Control ID 01160]
Review past audit reports for accurate and consistent weakness and risk reporting [UCF Control ID 01161]
Review past audit reports for correlation between internal and external audit groups [UCF Control ID 01158]
Review and summarize past meeting minutes [UCF Control ID 01151]
Review past responses to audit reports [UCF Control ID 01149]
Ensure IS Governance initiates prompt action to correct reported deficiencies [UCF Control ID 01177]
Assess the quality of the audit function [UCF Control ID 01150]
Assess the quality of audit planning and scheduling criteria [UCF Control ID 01156]
Review the scope of the audit program [UCF Control ID 01159]
Risk Assessment [UCF Control ID 00685]
Conducting a Business Impact Analysis [UCF Control ID 01147]
Reviewing past audit reports [UCF Control ID 01148]
Reviewing published guidance, training, and awareness programs currently in place. [UCF Control ID 01245]
Ensuring tolerance to downtime is a part of the BIA [UCF Control ID 01172]
Risk Assessment Approach [UCF Control ID 00687]
Establishing processes for risk profiling [UCF Control ID 01157]
Identifying risks and probability for various events [UCF Control ID 01173]
Risk Identification [UCF Control ID 00698]
Vulnerability identification [UCF Control ID 00700]
Risk quantification and analysis [UCF Control ID 00701]
Risk measurement and scoring [UCF Control ID 00703]
Risk acceptance [UCF Control ID 00706]
Create gap analysis [UCF Control ID 00704]
Safeguard selection and prioritization in light of risk assessment findings [UCF Control ID 00707]
Risk action plan in light of risk assessment findings [UCF Control ID 00705]
Establishing a continual risk assessment commitment [UCF Control ID 00708]

Configuration Management, 48 records changed/updated:

Application design and implementation [UCF Control ID 00989]
Project management framework and initial planning [UCF Control ID 00990]
Overall project management roles and responsibilities [UCF Control ID 00991]
Obtain stakeholder approval [UCF Control ID 01033]
Investigate range of strategies available [UCF Control ID 01047]
Reassess the IT staffing needs and necessary relationships [UCF Control ID 01053]
Identify project requirements [UCF Control ID 01035]
Identify regulatory requirements [UCF Control ID 01037]
Identify recordkeeping security (availability and integrity) standards [UCF Control ID 01039]
Identify privacy policy requirements [UCF Control ID 01040]
Identify recordkeeping retention requirements [UCF Control ID 01042]
Identify and report on project feasibility and risks [UCF Control ID 01613]
User department participation in project initiation [UCF Control ID 00993]
Project definition [UCF Control ID 00995]
Project plans [UCF Control ID 01056]
Formal project risk management [UCF Control ID 01000]
Establish and manage project change control policies, procedures, and standards [UCF Control ID 01612]
Establish a project training plan [UCF Control ID 01002]
Quality Assurance standards [UCF Control ID 01004]
Establish a general quality plan [UCF Control ID 01005]
Quality Assurance approach [UCF Control ID 01006]
Quality Assurance review of adherence to IT policies, standards, and procedures [UCF Control ID 01008]
Establish program documentation standards [UCF Control ID 01016]
Establish systems design principles, guidelines, and lifecycle documentation [UCF Control ID 01057]
Establish design methodologies that meet industry standards [UCF Control ID 01058]
Design approval [UCF Control ID 01060]
Ensure all staff members are aware of their role [UCF Control ID 01062]
Ensure business unit leaders are aware of their role [UCF Control ID 01063]
The development team must have a separate development environment [UCF Control ID 01065]
The development team must not have access to the production environment [UCF Control ID 01066]
Redesign work processes [UCF Control ID 01067]
Design the system procedures [UCF Control ID 01074]
Design of security controls [UCF Control ID 01080]
Sensitive information must be stored in encrypted form [UCF Control ID 01083]
Establish secure session coding procedures [UCF Control ID 04584] (New)
Development of application and systems software [UCF Control ID 01094]
Ensure that testing does not use production data [UCF Control ID 01103]
Parallel/pilot testing criteria and performance [UCF Control ID 01107]
Review and testing of all custom code [UCF Control ID 01316]
System cleanup before movement into production [UCF Control ID 01317]
Perform a final acceptance test [UCF Control ID 01108]
Systems implementation [UCF Control ID 01111]
Prepare implementation plan [UCF Control ID 01112]
Plan and document the implementation process [UCF Control ID 01114]
Formally manage the implementation process [UCF Control ID 01115]
Create and maintain an appropriate data conversion plan [UCF Control ID 01118]
Promote the system to production [UCF Control ID 01119]
Conduct a management level post-implementation review [UCF Control ID 01121]

Design and implementation, 48 records changed/updated:

Application design and implementation [UCF Control ID 00989]
Project management framework and initial planning [UCF Control ID 00990]
Overall project management roles and responsibilities [UCF Control ID 00991]
Obtain stakeholder approval [UCF Control ID 01033]
Investigate range of strategies available [UCF Control ID 01047]
Reassess the IT staffing needs and necessary relationships [UCF Control ID 01053]
Identify project requirements [UCF Control ID 01035]
Identify regulatory requirements [UCF Control ID 01037]
Identify recordkeeping security (availability and integrity) standards [UCF Control ID 01039]
Identify privacy policy requirements [UCF Control ID 01040]
Identify recordkeeping retention requirements [UCF Control ID 01042]
Identify and report on project feasibility and risks [UCF Control ID 01613]
User department participation in project initiation [UCF Control ID 00993]
Project definition [UCF Control ID 00995]
Project plans [UCF Control ID 01056]
Formal project risk management [UCF Control ID 01000]
Establish and manage project change control policies, procedures, and standards [UCF Control ID 01612]
Establish a project training plan [UCF Control ID 01002]
Quality Assurance standards [UCF Control ID 01004]
Establish a general quality plan [UCF Control ID 01005]
Quality Assurance approach [UCF Control ID 01006]
Quality Assurance review of adherence to IT policies, standards, and procedures [UCF Control ID 01008]
Establish program documentation standards [UCF Control ID 01016]
Establish systems design principles, guidelines, and lifecycle documentation [UCF Control ID 01057]
Establish design methodologies that meet industry standards [UCF Control ID 01058]
Design approval [UCF Control ID 01060]
Ensure all staff members are aware of their role [UCF Control ID 01062]
Ensure business unit leaders are aware of their role [UCF Control ID 01063]
The development team must have a separate development environment [UCF Control ID 01065]
The development team must not have access to the production environment [UCF Control ID 01066]
Redesign work processes [UCF Control ID 01067]
Design the system procedures [UCF Control ID 01074]
Design of security controls [UCF Control ID 01080]
Sensitive information must be stored in encrypted form [UCF Control ID 01083]
Establish secure session coding procedures [UCF Control ID 04584] (New)
Development of application and systems software [UCF Control ID 01094]
Ensure that testing does not use production data [UCF Control ID 01103]
Parallel/pilot testing criteria and performance [UCF Control ID 01107]
Review and testing of all custom code [UCF Control ID 01316]
System cleanup before movement into production [UCF Control ID 01317]
Perform a final acceptance test [UCF Control ID 01108]
Systems implementation [UCF Control ID 01111]
Prepare implementation plan [UCF Control ID 01112]
Plan and document the implementation process [UCF Control ID 01114]
Formally manage the implementation process [UCF Control ID 01115]
Create and maintain an appropriate data conversion plan [UCF Control ID 01118]
Promote the system to production [UCF Control ID 01119]
Conduct a management level post-implementation review [UCF Control ID 01121]

Human resources management, 40 records changed/updated:

Maintain the IT staff structure in line with strategic goals [UCF Control ID 00764]
IT planning, strategy, and steering committees [UCF Control ID 00765]
Review of organizational achievements [UCF Control ID 00767]
Roles and responsibilities of the IT organization in particular [UCF Control ID 00768]
Data and system ownership [UCF Control ID 00772]
Separation of Duties [UCF Control ID 00774]
Evaluate IT staffing requirements [UCF Control ID 00775]
Job or position descriptions for IT staff [UCF Control ID 00776]
Key IT personnel [UCF Control ID 00777]
Contracted staff policies and procedures [UCF Control ID 00778]
Establish relationships with key stakeholders, business functions, and leadership outside the IT group [UCF Control ID 00779]
Personnel position categorization, recruitment, and promotion [UCF Control ID 00781]
Personnel qualifications competencies verification [UCF Control ID 00782]
Personnel clearance and screening procedures [UCF Control ID 00783]
Ensure the proper staffing of roles [UCF Control ID 00784]
Establish IT employee job performance evaluation [UCF Control ID 00787]
Ensure the terms and conditions of employment state that information security responsibilities extend outside normal working hours and organizational locations [UCF Control ID 04580] (New)
Ensure job change and termination coincides with account and access right review or termination [UCF Control ID 00788]
Immediately deny access to confidential information [UCF Control ID 01309]
Employee sanctions [UCF Control ID 01442]
Establish proper IT personnel training [UCF Control ID 00785]
Training materials [UCF Control ID 00828]
Ensure that new-hires, or newly authorized staff, contractors, and vendors are trained appropriately. [UCF Control ID 01633]
Cross-training or staff back-up training [UCF Control ID 00786]
Management of third party services [UCF Control ID 00789]
Counterparty trust [UCF Control ID 00790]
Maintain transaction authentication with third parties [UCF Control ID 00791]
Supplier Interfaces [UCF Control ID 00792]
Formalize third party relationships [UCF Control ID 00794]
Acknowledgment of responsibility for data in possession and control [UCF Control ID 01364]
The hosting provider should configure its systems to protect each entity's environment and data [UCF Control ID 04263]
The hosting provider should have access and privileges only to its own confidential data environment [UCF Control ID 04264]
Continuity plan by 3rd party vendors [UCF Control ID 01365]
Audit provisions [UCF Control ID 01366]
Termination provisions [UCF Control ID 01367]
Third-Party Qualifications [UCF Control ID 00795]
Outsourcing Contracts [UCF Control ID 00796]
Ensure the continuity of third party services [UCF Control ID 00797]
Audit the security and regulatory requirements of third parties [UCF Control ID 00798]
Monitor third party service delivery of services [UCF Control ID 00799]

Leadership and high level objectives, 21 records changed/updated:

Leadership and high level objectives [UCF Control ID 00597]
Establish and maintain an Information Architecture model [UCF Control ID 00599]
Establish and maintain sustainable technological infrastructure planning [UCF Control ID 00603]
Monitor future trends and regulations [UCF Control ID 00604]
Defining the scope of the organizational compliance framework and controls for your organization [UCF Control ID 01241]
Defining external rules that govern information systems, information, and information technology [UCF Control ID 00611]
Defining organizational practices for harmonizing external requirements [UCF Control ID 00623]
Maintaining an up-to-date ruleset, warning bulletins, and governance framework [UCF Control ID 01312]
Maintain full documentation of all policies, standards, and procedures that support the compliance effort [UCF Control ID 01636]
Maintain asset discovery audit trails [UCF Control ID 00689]
Software inventory [UCF Control ID 00692]
Maintain an accurate media inventory [UCF Control ID 00694]
Document, database, and messaging inventory [UCF Control ID 01260]
Create an exceptions policy, standard, and procedures [UCF Control ID 01628]
Defining the correct strategic roles and responsibilities [UCF Control ID 00608]
Board of Director involvement [UCF Control ID 00609]
Does the board review processes, policies, and procedures? [UCF Control ID 01179]
Are reports to the board about critical projects timely and of good quality? [UCF Control ID 01183]
Designated employee leadership [UCF Control ID 00610]
Create a high-level strategic IT plan [UCF Control ID 00628]
Monitoring and evaluating of IT plans [UCF Control ID 00634]

Monitoring and measurement, 71 records changed/updated:

Monitoring and measurement [UCF Control ID 00636]
Establishing overall monitoring and logging operations [UCF Control ID 00637]
Operationalizing key monitoring and logging concepts [UCF Control ID 00638]
Measurement [UCF Control ID 00639]
Synchronize system clocks [UCF Control ID 01340]
Log user identification [UCF Control ID 01334]
Ensure audit logs contain a timestamp which tracks user activity [UCF Control ID 00594]
Identify and log event types [UCF Control ID 01335]
Log success or failure of each event and provide alerts on failure [UCF Control ID 01337]
Log the origination of the event [UCF Control ID 01338]
Uniquely identify affected asset’s log [UCF Control ID 01339]
Log the use of identification and authentication mechanisms [UCF Control ID 00648]
Log access to all audit trails [UCF Control ID 00646]
Monitoring thoroughness [UCF Control ID 00641]
Monitoring frequency [UCF Control ID 00642]
Collection and interpretation of logs [UCF Control ID 00643]
Initialization of the audit logs [UCF Control ID 00649]
Review audit logs and IDS reports regularly [UCF Control ID 00596]
Assessing Performance [UCF Control ID 00651]
Assessing customer satisfaction [UCF Control ID 00652]
Management reporting and logging [UCF Control ID 00653]
Security testing and assessment [UCF Control ID 00654]
Run both internal and external vulnerability scans [UCF Control ID 00656]
Run penetration testing on all defined major, general support, and key minor application systems at least yearly and after any material changes. [UCF Control ID 01277]
Assessment and vulnerability testing [UCF Control ID 01105]
Testing for unvalidated input [UCF Control ID 01318]
Testing for broken access control [UCF Control ID 01319]
Testing for broken authentication control and session management [UCF Control ID 01320]
Testing for cross site scripting attacks [UCF Control ID 01321]
Testing for buffer overflows [UCF Control ID 01322]
Testing for injection flaws [UCF Control ID 01323]
Testing for proper error handling [UCF Control ID 01324]
Testing for insecure storage [UCF Control ID 01325]
Testing for denial of service [UCF Control ID 01326]
Testing for configuration management [UCF Control ID 01327]
Overall risk monitoring and ongoing testing [UCF Control ID 00658]
Ensure that the system has a security plan and that the system operates in accordance with that plan [UCF Control ID 01922]
Ensure the completeness of testing procedures, to include error details, identification of root causes, and mitigating actions [UCF Control ID 00664]
Performance monitoring [UCF Control ID 00667]
Monitor for usage and capacity [UCF Control ID 00668]
Monitor for errors and faults [UCF Control ID 04544]
Compliance monitoring and auditing [UCF Control ID 00671]
Develop and maintain a metrics reporting standard and template [UCF Control ID 02157]
Report on the percentage of staff who are assigned and acknowledge responsibilities for approved policies, standards, and procedures [UCF Control ID 01680]
Report on the percentage of individuals who are able to assign security privileges for systems and applications who are trained and authorized security administrators [UCF Control ID 01692]
Report on the percentage of users who have either special access or access confidential information and have undergone background checks [UCF Control ID 01693]
Report on the percentage of third-party relationships that have been reviewed for compliance with information security requirements [UCF Control ID 02050]
Establish and maintain a business continuity (plans that have been reviewed, exercised/tested, and updated in accordance with policy) metrics program [UCF Control ID 02056]
Report on the percentage of business continuity plans that have been reviewed, exercised/tested, and updated in accordance with policy [UCF Control ID 02058]
Report on the percentage of total systems that have been authorized for processing following certification and accreditation [UCF Control ID 02143]
Report on the percentage of users with access to shared accounts [UCF Control ID 04573] (New)
Report on the percentage of systems for which approved configuration settings have been implemented as required by policy [UCF Control ID 02097]
Report on the percentage of system components that undergo maintenance on schedule [UCF Control ID 04562]
Report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy [UCF Control ID 02103]
Report on the percentage of remote access points used to gain unauthorized access [UCF Control ID 04572] (New)
Report on the percentage of mobile computing devices using encryption for critical information assets in accordance with policy [UCF Control ID 02118]
Report on the percentage of media that passes sanitization procedures testing [UCF Control ID 04574] (New)
Report on the percentage of security incidents that were managed in accordance with established policies, procedures, and processes [UCF Control ID 02127]
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period [UCF Control ID 02129]
Report on the percentage of physical security incidents allowing unauthorized entry into facility containing information systems [UCF Control ID 04564]
Provide transactional walk-through capabilities for 3rd party auditor [UCF Control ID 00672]
Availability and non repudiation of audit results [UCF Control ID 00673]
Limit audit trails to a need to know basis [UCF Control ID 01342]
Protect audit trails from unauthorized modifications [UCF Control ID 01343]
Backing up audit trails [UCF Control ID 01344]
Copy logs from wireless networks into a log server [UCF Control ID 01346]
Protect the audit logs per se [UCF Control ID 01345]
Properly preserve (archive) the audit and log results [UCF Control ID 00674]
Monitoring follow-up activities and action plan [UCF Control ID 00675]
Report monitoring statistics and follow-up to the Board of Directors [UCF Control ID 00676]
Protect against the misuse of audit tools [UCF Control ID 04547]

Operational management, 74 records changed/updated:

Operational management [UCF Control ID 00805]
Roles and responsibilities [UCF Control ID 00806]
Board of directors [UCF Control ID 00807]
Chief information officer [UCF Control ID 00808]
IT line or operations management [UCF Control ID 00809]
Business unit manager [UCF Control ID 00810]
Establish an organizational framework of policies, standards, and procedures [UCF Control ID 01406]
Establish a positive information control environment [UCF Control ID 00813]
Documenting all policies and procedures [UCF Control ID 00824]
Management’s responsibility for policies [UCF Control ID 00814]
Communication of organization policies [UCF Control ID 00815]
Establish appropriate policy implementation resources [UCF Control ID 00816]
Continuous quality commitment [UCF Control ID 00819]
Establishment of key policies [UCF Control ID 00812]
Establish a security and internal control framework policy [UCF Control ID 00820]
The policy will include threat, vulnerability, and risk assessment management [UCF Control ID 01347]
The organizational security policy and procedures will be reviewed when the environment changes or at least annually [UCF Control ID 01348]
The organizational security framework will contain daily operational security procedures [UCF Control ID 01349]
The organizational security framework will contain continuous monitoring for security alerts and information [UCF Control ID 01358]
The organizational security framework will contain procedures for timely security incident response and escalation [UCF Control ID 01359]
The organizational security framework will contain procedures for continuous user account and authentication management [UCF Control ID 01360]
The organizational security framework will contain procedures for continuous monitoring and control for all access to data [UCF Control ID 01361]
Communication of IT security awareness [UCF Control ID 00823]
Ensure that the security awareness plan has an appropriate education methodology [UCF Control ID 01362]
Require employees to acknowledge they have read and understand the organization’s security policies [UCF Control ID 01363]
Establish usage and proper behavior policies [UCF Control ID 01350]
Usage policies will contain explicit management approval [UCF Control ID 01351]
Usage policies will contain authentication before use [UCF Control ID 01352]
Usage policies will tie to asset system and user authentication system [UCF Control ID 01353]
Usage policies will contain methods for labeling devices [UCF Control ID 01354]
Usage policies will contain acceptable uses of the technology, which locations the technology can be used from, and which external systems can be used [UCF Control ID 01355]
Usage policies will directly correlate to, and explicitly state network technical security standards [UCF Control ID 01356]
Usage policies will correlate to the organizational acquisitions policy and explicitly state a list of company approved products [UCF Control ID 01357]
Establish configuration recording methodology [UCF Control ID 00861]
Ensure configuration management procedures are applied to firewalls, routers, and managed switches and hubs [UCF Control ID 01281]
Maintain formalized operations procedures [UCF Control ID 00831]
Maintain VOIP operating procedures [UCF Control ID 04583] (New)
Maintain Service Level Agreements (SLAs) [UCF Control ID 00838]
Service Level Agreement framework [UCF Control ID 00839]
Aspects of Service Level Agreements [UCF Control ID 00840]
Performance procedures in Service Level Agreements [UCF Control ID 00841]
Monitoring and reporting of Service Level Agreements [UCF Control ID 00842]
Review of Service Level Agreements and contracts [UCF Control ID 00843]
Maintain confidentiality and nondisclosure agreements [UCF Control ID 04536]
Help Desk operations [UCF Control ID 00846]
Establish a Problem Management system [UCF Control ID 00853]
Establish and maintain Help Desk operations [UCF Control ID 00847]
Establishment of a problem management and incident handling system [UCF Control ID 00852]
Establish problem escalation [UCF Control ID 00856]
Maintain a problem tracking audit trail [UCF Control ID 00857]
Establish emergency and temporary access authorizations [UCF Control ID 00858]
Perform current capacity and performance reviews [UCF Control ID 01616]
Proactive Performance Management [UCF Control ID 00937]
Resources Availability [UCF Control ID 00940]
Establish an IT financial management framework [UCF Control ID 01610]
Annual IT Operating Budget [UCF Control ID 00872]
Cost and benefit monitoring and management [UCF Control ID 00873]
Systems preventative maintenance [UCF Control ID 00885]
Maintenance is performed in a timely manner by ensuring spare parts can be received within an acceptable timeframe [UCF Control ID 01435]
A change management program, with all necessary policies, and procedures will be established to prevent unauthorized changes [UCF Control ID 00886]
Change Request Initiation and control [UCF Control ID 00887]
Impact assessment of proposed changes [UCF Control ID 00888]
Control of changes [UCF Control ID 00889]
Validate your system before making changes [UCF Control ID 01510]
Enable emergency changes [UCF Control ID 00890]
Software release policy [UCF Control ID 00893]
Control patch management [UCF Control ID 00896]
Ensure that all system software is the latest version [UCF Control ID 00897]
Ensure that all critical and important security updates available to date are installed [UCF Control ID 01696]
Test all security and update patches before they are deployed [UCF Control ID 00898]
Document the implementation of patches [UCF Control ID 01642]
Prior to moving a system back into operation after a change, the system should pass a system acceptance test [UCF Control ID 04541]
Update backup data after system modifications [UCF Control ID 04498]
Systems redeployment or disposal [UCF Control ID 00901]

Physical and environmental protection, 22 records changed/updated:

Physical and environmental protection [UCF Control ID 00709]
Physical security of facilities [UCF Control ID 00711]
Monitor physical access [UCF Control ID 01638]
Use cameras to monitor sensitive areas [UCF Control ID 01328]
Use alarm systems [UCF Control ID 01639]
Human observation of access points [UCF Control ID 01640]
Visitor controls [UCF Control ID 01329]
Visitor authorization [UCF Control ID 01330]
Visitor identification procedures and access methods [UCF Control ID 00713]
Visitor token surrendering [UCF Control ID 01331]
Maintain visitor log [UCF Control ID 00715]
Establish and maintain physical security of distributed IT assets [UCF Control ID 00718]
Maintain cabinet and vault security [UCF Control ID 00717]
Desktop and notebook security [UCF Control ID 00719]
Physical information and media security [UCF Control ID 00720]
Physically protect managed network hardware in locked rooms or cabinets [UCF Control ID 01873]
Maintain adequate environmental controls [UCF Control ID 00724]
Uninterruptible Power Supplies (UPS) and secondary power [UCF Control ID 00725]
HVAC equipment for temperature and humidity controls [UCF Control ID 00727]
Extreme heat and smoke detection [UCF Control ID 00728]
Fire suppression systems [UCF Control ID 00729]
Water detection and damage protection [UCF Control ID 00730]

Privacy protection for information and data, 81 records changed/updated:

Privacy protection for information and data [UCF Control ID 00008]
Establish personal information collection limitation boundaries [UCF Control ID 00507]
Data should be collected in proper information framework [UCF Control ID 00009]
Data should be collected lawfully, fairly and honestly [UCF Control ID 00010]
Collection must be done with the consent and knowledge of the data subject; notify the subject that you are collecting the information [UCF Control ID 00012]
Collect personal information without consent if required by law [UCF Control ID 00020]
Ensure that data is collected and recorded for specific, explicit, and legitimate purposes and used in processing for those specific purposes [UCF Control ID 00027]
Maintain a working definition of personally sensitive data [UCF Control ID 00028]
Collect data when the individual gives consent [UCF Control ID 00030]
Pay special attention to the collection of children’s data [UCF Control ID 00038]
If collecting from the child, use simple understandable language [UCF Control ID 00039]
Parental Consent required for collection [UCF Control ID 00041]
Establish requirements to verify an applicant is who they are claiming to be [UCF Control ID 00077]
Limit the amount of information an applicant must disclose [UCF Control ID 00078]
Ensure data quality maintenance [UCF Control ID 00084]
Ensure that data is related to the purpose for which it is being used [UCF Control ID 00087]
Ensure data accuracy [UCF Control ID 00088]
Ensure the correct recording of privacy related information [UCF Control ID 00089]
Ensure that privacy related information is complete [UCF Control ID 00090]
Ensure that privacy related information is up to date [UCF Control ID 00091]
Ensure that privacy related information is kept in a form that does not permit identification of data subjects for longer than is necessary for the purposes of processing [UCF Control ID 00092]
Maintain a purpose specification for privacy related data [UCF Control ID 00093]
Collect and use the minimum data necessary [UCF Control ID 00094]
Display the minimum data necessary [UCF Control ID 04643] New
Ensure that the purpose of collecting privacy related data must be identified before or during data collection [UCF Control ID 00095]
Ensure that if collected and stored for research and statistics, privacy related data may not be used for other purposes [UCF Control ID 00096]
Data purpose definition notification specification [UCF Control ID 00097]
Administrative decrees [UCF Control ID 00101]
Consequences of not presenting info for specified purpose [UCF Control ID 00104]
Later change of purpose for the use of privacy related information specification [UCF Control ID 00105]
Maintain a procedure for change of purpose for the use of privacy related data [UCF Control ID 00106]
Document as acceptable usage if the organization draws attention to the opt-out ability during each direct marketing communication [UCF Control ID 00113]
Document as acceptable usage if each written direct marketing attempt displays organization's contact info [UCF Control ID 00114]
Document as acceptable usage if the information is for statistical/scholarly/science research and data subjects will be made anonymous [UCF Control ID 00117]
Document as acceptable use if the use is required by law [UCF Control ID 00119]
Timely disposal of media, information, and data [UCF Control ID 00126]
When there is no longer a reason to keep data, data controller must dispose of data [UCF Control ID 00127]
The usage limitations of privacy related information [UCF Control ID 00128]
Ensure that explicit consent is obtained directly from an individual before any use of the individual’s sensitive data [UCF Control ID 00178]
The organization must obtain parental consent for the use or disclosure of a child’s personal or sensitive information [UCF Control ID 00198]
The organization will obtain an opt-in consent from a teenager before collecting, using, or disclosing personal information [UCF Control ID 00199]
The organization will gather and process personal data pertaining to the health of patients only for the purpose of treating the patient, only disclosing that information to third parties with the direct consent of the patient [UCF Control ID 00200]
Ensure that explicit consent is obtained directly from either a parent or the student before any use or disclosure of the individual’s sensitive educational data [UCF Control ID 00220]
The organization will not make public an individual’s Personal ID Number and must ensure that explicit consent is obtained directly from an individual before any use (processing or otherwise) of the number [UCF Control ID 00238]
Appropriate policies and procedures will be maintained for managing consumer credit report data and information [UCF Control ID 00257]
The organization will ensure that commercial e-mail is not sent to a third party computer if it does not contain a functioning return e-mail address that is clearly visible to the receiver [UCF Control ID 00287]
Do not send communications (phone calls, e-mails, physical mail) after a subject has opted out of communication [UCF Control ID 00288]
Inclusion of personal identifier, Opt-Out, and physical address can be added to the do not contact list [UCF Control ID 00289]
Ability to Opt-out of notice [UCF Control ID 00391]
The organization will ensure that it does not use misleading or false subject lines on marketing e-mails [UCF Control ID 00294]
The organization will maintain a do-not-email registry and enter any individual into that registry upon request [UCF Control ID 00297]
Subject consented to receive messages [UCF Control ID 00302]
Existing relationship [UCF Control ID 00301]
Transfer to Third Parties [UCF Control ID 00333]
Transferee has adequate level of protection for data [UCF Control ID 00335]
Must notify data subject that their data has been transferred [UCF Control ID 00352]
Transferee has adequate level of protection for data [UCF Control ID 00314]
Define what constitutes confidential information that can be breached [UCF Control ID 00800]
Risk Assessment [UCF Control ID 00357]
Confidentiality measures [UCF Control ID 00361]
Restrict the right of maintaining record structures that support confidentiality [UCF Control ID 00360]
Develop organizational measures to limit information leakage [UCF Control ID 00356]
Security Awareness and Training [UCF Control ID 00358]
Third Party Obligations (comply with your security) [UCF Control ID 00359]
Incident response with regard to personal data privacy [UCF Control ID 00364]
Write, edit, and test to ascertain that all policies regarding the protection of private information are clearly written and easily understandable [UCF Control ID 00376]
For information that must be made available upon request, provide adequate structures, policies, procedures, and mechanisms to support access directly by the data subject [UCF Control ID 00393]
Make e-commerce order information available to the customer that ordered the product [UCF Control ID 04585] New
Provide shareholders the ability to be electronically notified of annual meetings and access to the meeting notice via electronic means [UCF Control ID 04586] New
Posting of Privacy Policy [UCF Control ID 00401]
The means of gaining access to personal information held by the organization [UCF Control ID 00410]
Maintain an online ability for consumers to file complaints or contact the organization’s support center [UCF Control ID 04570]
The right of individuals to access personal data [UCF Control ID 00414]
Within a reasonable time [UCF Control ID 00429]
At a charge that is not excessive [UCF Control ID 00430]
In a form that is readily intelligible to him/her [UCF Control ID 00432]
Reasons for refusing an individual's request for his or her data [UCF Control ID 00434]
The right of individuals to challenge personal data [UCF Control ID 00457]
If correction is refused and the subject requests it, the controller will attach to info a statement from the individual of the correction sought [UCF Control ID 00466]
Inform any other person to whom data was transferred that the data is wrong, and correct it [UCF Control ID 00467]
Conditions for referring a complaint to the commissioner [UCF Control ID 00481]

Records management, 34 records changed/updated:

Records management [UCF Control ID 00902]
Manage records as an integral part of each system [UCF Control ID 00903]
Determining how long to retain records and create a data retention policy [UCF Control ID 00906]
Maintain a records usage and tracking documentation standard [UCF Control ID 00919]
Maintain accuracy and completeness tracking [UCF Control ID 00921]
Control data input error handling [UCF Control ID 00922]
Maintain data processing integrity through separation of duties [UCF Control ID 00923]
Maintain output handling and retention procedures commensurate with organizational policies [UCF Control ID 00926]
Output distribution [UCF Control ID 00927]
Maintain appropriate security provisions for all output reports [UCF Control ID 00930]
Labeling output [UCF Control ID 01420]
E-mail and other electronic message markings for the identified sensitive records [UCF Control ID 01896]
Maintain backups and duplicate copies [UCF Control ID 00953]
Maintain an appropriate backup and restoration plan for all records [UCF Control ID 00955]
Document each backup job or script and each restoration step [UCF Control ID 00956]
Maintain appropriate backup storage facilities [UCF Control ID 00957]
Encrypt backup data [UCF Control ID 00958]
Maintain media controls [UCF Control ID 00959]
Inventory and physically secure all media that stores confidential information [UCF Control ID 00962]
Transit and distribution of confidential media [UCF Control ID 00963]
Obtain management approval for transit [UCF Control ID 00964]
Physical protection while media is in storage [UCF Control ID 00965]
Label media [UCF Control ID 00966]
Track while in transit [UCF Control ID 00967]
Maintain proper online digital storage controls [UCF Control ID 00942]
Ensure the use of proper non-rewriteable, non-erasable formats for certain record types [UCF Control ID 00944]
Encryption [UCF Control ID 00945]
Continuing retention [UCF Control ID 00968]
Manage disposition and destruction [UCF Control ID 00971]
Manage the identification of disposition status of all records [UCF Control ID 00972]
Physical destruction [UCF Control ID 00970]
Destruction and disposal of hard copy materials and media [UCF Control ID 01333]
Deleted and residual data sanitization [UCF Control ID 00973]
Evidential weight of information and information processing assets [UCF Control ID 00624]

Systems continuity, 37 records changed/updated:

Roles and responsibilities within systems continuity [UCF Control ID 00733]
Continuity planning coordination with other elements [UCF Control ID 01386]
Wrap-up Procedures [UCF Control ID 00761]
Defining critical personnel [UCF Control ID 00739]
Defining critical IT Resources [UCF Control ID 00740]
SLAs include continuity planning [UCF Control ID 00741]
Ensure that the information posted on organizational websites is that which should be posted and that all links are in working order [UCF Control ID 04579] New
Systems protection considerations [UCF Control ID 01268]
Communications systems considerations [UCF Control ID 00743]
Ensure multiple network routes exist so that a single link failure does not interrupt LAN communications [UCF Control ID 04581] New
Wide Area Network considerations [UCF Control ID 01294]
Primary and alternate telecommunications service agreements contain priority-of-service provisions [UCF Control ID 01396]
Ensure multiple network routes exist so that a single link failure does not interrupt LAN communications [UCF Control ID 04582] New
Alternate power considerations [UCF Control ID 01254]
Damaged site considerations [UCF Control ID 01374]
Off site storage for backup media [UCF Control ID 01332]
The alternate storage site is configured to facilitate timely and effective recovery operations [UCF Control ID 01392]
Alternate processing site considerations [UCF Control ID 00742]
Technical preparation considerations for backup operations [UCF Control ID 01250]
Backup Procedures for applications, databases, security configurations, network configurations, documents, and messaging systems [UCF Control ID 01258]
Backup operations (and their subsequent restoration operations) will be defined for all key recovery point objectives [UCF Control ID 01259]
System backups will be regularly tested to ensure media and information integrity [UCF Control ID 01401]
Transporting physical media onsite and off site [UCF Control ID 01264]
Document the systems continuity plans [UCF Control ID 00752]
Sequence of recovery activities [UCF Control ID 01376]
Recovery Procedures [UCF Control ID 01377]
Alternate site preparations [UCF Control ID 00744]
Contingency Arrangements for all offices [UCF Control ID 00746]
The alternate processing site will be fully configured to the extent of the MOU, SLA, or contract in support of minimum required operational capabilities defined by the organization [UCF Control ID 01395]
Annual (or more frequent) continuity plan testing [UCF Control ID 00756]
Off site testing [UCF Control ID 01174]
The systems continuity plan testing will be coordinated with all applicable organizational elements [UCF Control ID 01388]
Updating the continuity plan [UCF Control ID 00758]
Systems continuity plan training [UCF Control ID 00759]
Systems continuity plan distribution [UCF Control ID 00760]
Distributing the plan to all appropriate personnel [UCF Control ID 01170]
Off site storage of the plan [UCF Control ID 01171]

Technical security, 118 records changed/updated:

Technical security [UCF Control ID 00508]
Establish access policies and procedures [UCF Control ID 00512]
Transaction Security [UCF Control ID 00564]
Encryption management [UCF Control ID 00570]
Prevent malicious code attacks [UCF Control ID 00574]
Manage the intrusion/incident detection and response framework [UCF Control ID 00579]
Establish an identification, authentication, and access rights management plan [UCF Control ID 00513]
Network configuration [UCF Control ID 00530]
Ensure accounts (and stored information) are segregated from operating system access [UCF Control ID 00552]
Confidentiality protection of sensitive messages [UCF Control ID 00565]
Manage cryptographic keys [UCF Control ID 00571]
Install anti-virus, anti-spam, and anti-spyware protection [UCF Control ID 00575]
Maintain intrusion detection and incident monitoring and response capabilities [UCF Control ID 00580]
Logged surveillance of logical access controls [UCF Control ID 00527]
Protocols, ports, and services [UCF Control ID 00537]
Implement two-factor authentication [UCF Control ID 00561]
Ensure that signature files are up to date [UCF Control ID 00576]
Prepare the organization for breach or incident notifications [UCF Control ID 00584]
Secure the Domain Name Server (DNS) system [UCF Control ID 00540]
Maintain an audit log of all malicious code that has been discovered, quarantined, or eradicated [UCF Control ID 00577]
Establish and maintain firewall design and configuration practices [UCF Control ID 00544]
Monitor remote access usage [UCF Control ID 00563]
Ensure anti-virus system works on e-mails [UCF Control ID 00578]
Maintain control over access rights and user privileges [UCF Control ID 00004]
Establish and maintain user account management [UCF Control ID 00514]
Maintain up to date network diagrams [UCF Control ID 00531]
Secure router configurations against unauthorized changes [UCF Control ID 00541]
Enable NAT or PAT [UCF Control ID 00545]
Automated IDS [UCF Control ID 00581]
Timely operation of internal controls [UCF Control ID 00586]
DMZ areas should be designed with proper isolation rules in mind [UCF Control ID 00532]
Document and justify any protocols beyond HTTP, SSL, SSH, and VPN [UCF Control ID 00539]
Establish an overarching firewall placement standard [UCF Control ID 00546]
Limit repeated attempts by locking out the user ID after not more than a predefined number of attempts [UCF Control ID 00555]
Honeypots [UCF Control ID 00582]
Operational anomaly management [UCF Control ID 00589]
User control of user accounts [UCF Control ID 00526]
Segregate security restricted servers into their own domain [UCF Control ID 00533]
All mobile computers should be equipped with a firewall that is installed, active, configured by the organization, and not changeable by the end user [UCF Control ID 00550]
Set the lockout duration to a predefined amount of time [UCF Control ID 00556]
Data, configuration, and file control monitoring [UCF Control ID 01205]
Scan for unknown workstations and other network devices and default deny access [UCF Control ID 00536]
Control the addition and modification of user IDs, credentials, or other identifier objects [UCF Control ID 00515]
Deny all traffic except designated traffic [UCF Control ID 00547]
Maintain incident response capabilities [UCF Control ID 01206]
Train staff to recognize an incident [UCF Control ID 01211]
Immediately revoke accesses of terminated users [UCF Control ID 00516]
Ensure firewall change procedures are formalized [UCF Control ID 00548]
Maintain appropriate contacts with authorities and regulatory bodies [UCF Control ID 01213]
Remove inactive user accounts at least every 90 days or sooner as defined by the organization [UCF Control ID 00517]
Establish incident response documentation processes [UCF Control ID 01218]
Distributing password procedures and policies to all users who have access to confidential information [UCF Control ID 00518]
Do not permit group passwords [UCF Control ID 00519]
Change user passwords on a regular basis [UCF Control ID 00520]
Require a minimum password length suited to the organization’s needs [UCF Control ID 00521]
Test and update the incident response plan [UCF Control ID 01216]
Using passwords containing both numeric and alphabetic characters [UCF Control ID 00522]
Do not allow an individual to submit a new password that is the same as any of the last few passwords he or she has used [UCF Control ID 00523]
Review access capabilities for any functional change in user status [UCF Control ID 00524]
Sharing information with proper authorities if necessary [UCF Control ID 01210]
Sharing information with all concerned parties [UCF Control ID 01212]
Unauthorized user access monitoring [UCF Control ID 01220]
Monitoring for inappropriate usage incidents [UCF Control ID 01221]
Monitoring for Denial of Service (DoS) incidents [UCF Control ID 01222]
Monitoring for blended attacks and multiple component incidents [UCF Control ID 01225]
Assess the incident [UCF Control ID 01226]
Contain the incident [UCF Control ID 01227]
Documenting lessons learned [UCF Control ID 01233]
Using collected incident data [UCF Control ID 01234]
Formalize the processes for testing and approving all external network connections [UCF Control ID 01270]
Ensure that all user IDs are unique and that each has a proper authentication method [UCF Control ID 01273]
Place firewalls between all security domains and between any DMZ, secure subnet, and internal network zones [UCF Control ID 01274]
Document and justify the use of risky protocols such as FTP [UCF Control ID 01280]
Configure firewalls, routers, and networking equipment to follow organizational compliance mandates in order to protect confidential information and systems [UCF Control ID 01284]
Restrict inbound internet traffic to the DMZ area [UCF Control ID 01285]
Establish and test for stateful inspection [UCF Control ID 01288]
Ensure applications and databases holding confidential information are placed in an internal network zone that is segregated from the DMZ [UCF Control ID 01289]
Synchronize and secure all router and firewall configuration files [UCF Control ID 01291]
Place perimeter firewalls between any wireless networks and applications or databases with confidential information and either completely deny, or strictly control wireless traffic to these applications and databases [UCF Control ID 01293]
Restrict outbound traffic from systems with confidential data [UCF Control ID 01295]
Restrict access to keys [UCF Control ID 01297]
Store keys securely [UCF Control ID 01298]
Generate strong keys [UCF Control ID 01299]
Secure distribution of keys [UCF Control ID 01300]
Periodic key changes [UCF Control ID 01302]
Destruction of old keys [UCF Control ID 01303]
Split knowledge and dual control of keys [UCF Control ID 01304]
Prevention of unauthorized substitution of keys [UCF Control ID 01305]
Replacement of known or suspected compromised keys [UCF Control ID 01306]
Key custodians must document their understanding and acceptance of organizational policies [UCF Control ID 01308]
Test untrusted or unverified files and removable media for viruses and malicious code [UCF Control ID 01311]
Ensure that the firewalls are designed to detect malicious code and spoofed addresses [UCF Control ID 01313]
Information flow enforcement [UCF Control ID 01410]
Ensure access is based upon the idea of least privilege [UCF Control ID 01411]
Establish idle session termination capabilities [UCF Control ID 01418]
Enforce access restrictions for change management [UCF Control ID 01428]
Establish and maintain Voice over Internet Protocol design and configuration criteria [UCF Control ID 01449]
Key web-facing applications should have application layer firewalls [UCF Control ID 01450]
Fault tolerant architecture and provisioning for name/address resolution service [UCF Control ID 01626]
Ensure and maintain Wireless LAN design and configuration criteria [UCF Control ID 01646]
WEP-only encryption should not be trusted [UCF Control ID 01647]
Determine the severity level [UCF Control ID 01650]
Define team roles [UCF Control ID 01652]
Ensure that encryption or a protected distributed system is enabled when sending sensitive information [UCF Control ID 01749]
Ensure that authentication requirements are met before personally identifiable information is sent between devices [UCF Control ID 01750]
Take immediate steps to prevent further loss and preserve the system for forensic investigation [UCF Control ID 01751]
Eradicate the cause of the incident [UCF Control ID 01757]
Recover from the incident [UCF Control ID 01758]
Sharing information with the media [UCF Control ID 01759]
Maintain appropriate incident response tools and resources [UCF Control ID 01760]
Enforce access restrictions for sensitive data [UCF Control ID 01921]
Protect all network connection interfaces of the firewall [UCF Control ID 01955]
Ensure that accounts and user IDs for remote maintenance by vendors are only activated when necessary [UCF Control ID 04262]
Create and maintain a policy for encryption management and cryptographic controls [UCF Control ID 04546]
User identities should be verified in person before a password is reset [UCF Control ID 04567]
Restrict downloading to reduce the likelihood of malicious code attacks [UCF Control ID 04576] New
Establish a policy on whether to allow web-based e-mail and instant messaging services [UCF Control ID 04577] New
If the organization is going to allow instant messaging, a standard for acceptable usage should be documented [UCF Control ID 04578] New


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.