Technical security

UCF ID: 00508
Control Type: IT Impact Zone
Status: Live

Supporting and supported controls

This is a top level control.

This control has the following supporting controls:

Authority documents complied with:

SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.52, § 314.91; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 115; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 2.6; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 34, Exam Tier I Obj 1.2, Exam Tier II Obj 3.1; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 20, Exam Tier I Obj 1.2, Exam Tier I Obj 2.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.312; BBBOnline Code of Online Business Practices, Principle III.B.2; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 59; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 1-5.b, § 2-14.c(4); Protection of Assets Manual, ASIS International, Pg 11-III-19, Revised Volume 1 Pg 2-I-14; Aviation and Transportation Security Act, Public Law 107 Released-71, November 2001, § 117; Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.230(a)(8); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001, § 44903(g)(2)(A); IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.15, Exhibit 4 SC-1, Exhibit 4 SI-1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.2.1; Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1, § 2.5 thru § 2.5.3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § SC-1, App F § SI-1; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SC-1, SI-1; CobiT, Version 4.1, DS5.1, DS5.2; OGC ITIL: Security Management, § 2.3.1.2, § 4.1; Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008, § 4.1.9; Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation, § 19(1); EU Directive on Privacy and Electronic Communications, 2002/58/EC, Art 4.1; Italy Personal Data Protection Code, § 3, § 34; NRC Regulations (10 CFR) § 73.54 Protection of digital computer and communication systems and networks, § 73.54(a); ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 7.5.1 ¶ 2; Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress, § 302(a)(4)(B)(iii); Federal Information Security Management Act of 2002, § 3543(a)(2)(B), § 3543(b), § 3543(c), § 3544(a)(1)(A)(ii), § 3547(1)

Sarbanes Oxley Guidance

The auditor should only consider safeguarding controls that affect the reliability of financial reporting. When considering which controls need to be assessed, the auditor's primary concern is how the specific control activity prevents or detects and corrects material misstatements. Those controls that are not relevant to the audit need not be tested. [§ 314.52, § 314.91, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

Banking and Finance Guidance

The organization should implement robust procedures and policies to control residual risks. [¶ 115, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

[Exam Tier I Obj 2.6, FFIEC IT Examination Handbook – Information Security]

The organization should implement security procedures and controls to ensure the integrity of data, the confidentiality of transmissions, and the authenticity of communications. [Pg 34, Exam Tier I Obj 1.2, Exam Tier II Obj 3.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The hardware and software should be configured to control access to the system. [Pg 20, Exam Tier I Obj 1.2, Exam Tier I Obj 2.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

Healthcare and Life Science Guidance

Technical security is to be used to protect confidential and sensitive health information. [§ 164.312, Health Insurance Portability and Accountability Act of 1996 (HIPAA)]

Energy Guidance

Licensees who are subject to this section's requirements must provide high assurance that all digital computer and communications systems and networks have been adequately protected against cyber attacks, up to and including the design basis threat described in section 73.1. [§ 73.54(a), NRC Regulations (10 CFR) § 73.54 Protection of digital computer and communication systems and networks]

Payment Card Guidance

The organization must provide industry standard levels of security and integrity to protect data being maintained by computers. [Principle III.B.2, BBBOnline Code of Online Business Practices]

The organization should adhere to the requirements of the Payment Card Industry (PCI) Data Security Standards. [Pg 59, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]

US Federal Security Guidance

All classified and unclassified-sensitive information, hardware, software, firmware, and documentation should be protected against unauthorized modification, unauthorized use, unauthorized access, unauthorized disclosure, unauthorized destruction, and denial of service. [§ 1-5.b, § 2-14.c(4), Army Regulation 380-19: Information Systems Security, February 27, 1998]

Airline computer reservation systems must use the best technology available to ensure that unauthorized users cannot gain access to reservations, manifests, or other nonpublic information. [§ 117, Aviation and Transportation Security Act, Public Law 107 Released-71, November 2001]

Unauthorized onsite and/or remote access to critical processes must be prevented to deter cyber sabotage. [§ 27.230(a)(8), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

The Specifications for Minimum Security Requirements call for System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
The Specifications for Minimum Security Requirements also call for System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
[§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Airport operators and air carriers must work with the Under Secretary to strengthen and implement controls to eliminate the weaknesses to the access control system. [§ 44903(g)(2)(A), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001]

The Director of the Office of Management and Budget must oversee agency information security policies and practices, including requiring agencies to identify and provide information security protections that are commensurate with the magnitude and risk of harm resulting from unauthorized access to or use, disruption, disclosure, modification, or destruction of information systems or information maintained or collected by or on behalf of the agency. This authority does not apply to national security systems.

For systems operated by the Department of Defense (DoD), DoD contractors, or any organization on behalf of DoD that processes information that would have a debilitating impact on the DoD mission, if accessed, used, disclosed, disrupted, modified, or destroyed without authorization, the authority is delegated to the Secretary of Defense. For systems operated by the Central Intelligence Agency (CIA), CIA contractors, or any organization on behalf of the CIA that processes information that would have a debilitating impact on the CIA mission, if accessed, used, disclosed, disrupted, modified, or destroyed without authorization, this authority is delegated to the Director of Central Intelligence.

Each agency head is responsible for providing information security protections that are commensurate with the magnitude and risk of harm resulting from unauthorized access, disclosure, disruption, use, modification, or destruction of information collected or maintained by or on behalf of an agency or information systems used by or operated by an agency, agency contractor, or other organization on behalf of an agency. Each agency head that operates or exercises control over a national security system is responsible for ensuring the agency provides information security protections that are commensurate with the magnitude and risk of harm resulting from unauthorized access, disclosure, disruption, use, modification, or destruction of information contained in the system.
[§ 3543(a)(2)(B), § 3543(b), § 3543(c), § 3544(a)(1)(A)(ii), § 3547(1), Federal Information Security Management Act of 2002]

US Federal Privacy Guidance

Measures appropriate for the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to protect sensitive personally identifiable information while it is being used, transmitted, stored, and disposed by encryption, redaction, or access controls that are widely accepted as effective industry practices or industry standards, or other reasonable means. [§ 302(a)(4)(B)(iii), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress]

US Internal Revenue Guidance

The organization must develop, document, distribute, and continuously update a system and communications protection policy that includes roles, responsibilities, compliance requirements, and the procedures for the implementation of the system and communications protection security controls. The organization must develop, document, distribute, and continuously update a system and information integrity policy that includes roles, responsibilities, compliance requirements, and the procedures for the implementation of the system and information integrity security controls. [§ 5.6.15, Exhibit 4 SC-1, Exhibit 4 SI-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

[§ 3.2.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

[§ 2.5 thru § 2.5.3, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1]

App F § SC-1 The organization should develop, disseminate, and frequently review system and communications protection policy and procedures that are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. System and communications protection procedures can be developed for the security program in general, and for a particular information system, when required.
App F § SI-1 The organization should develop, disseminate, and frequently review system and information integrity policies and procedures that are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The organizational risk management strategy should be considered in the development of the system and information integrity policy. System and information integrity procedures can be developed for the security program in general, and for a particular information system, when required.
[App F § SC-1, App F § SI-1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents should be examined to ensure that the system and communications protection policy and procedures and the system and information integrity policy and procedures are documented, disseminated, reviewed, and updated, and that specific responsibilities and actions are defined for implementing the system and communications protection policy and procedures control and the system and information integrity policy and procedures control. Both sets of policy and procedures should be examined for purpose, scope, responsibilities, compliance with laws, regulations, and directives, and consistency with the organization's mission and function. Any problems discovered while implementing the system and communications protection policy and procedures control and/or the system and information integrity policy and procedures control should be documented and used to improve the controls.
Interviews should be conducted with personnel who review and modify the system and communications protection policy and procedures and with personnel who review and modify the system and information integrity policy and procedures.
[SC-1, SI-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

Handheld devices should have additional prevention and detection software installed to defend against malware and other forms of attacks. These products usually include capabilities for one or more of the following: encryption, firewall, antivirus, spam prevention, intrusion detection, authentication alternatives, content and memory card erasure, and virtual private networks. [§ 4.1.9, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008]

ISO Guidance

Service providers should ensure that, in their recovery site, the selection, development, and use of security controls are adequate for the assessed risks and services that are provided to the organization. [§ 7.5.1 ¶ 2, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

ITIL Guidance

[§ 2.3.1.2, § 4.1, OGC ITIL: Security Management]

General Guidance

Security personnel should not attempt a quick fix to a problem. They should ask questions to determine the actual problem(s) and then create a comprehensive assets protection program. Human factors should always be considered when the organization is developing security strategies. Internal controls should be used for each application, and write and read access should be granted only to those individuals with a need to know. [Pg 11-III-19, Revised Volume 1 Pg 2-I-14, Protection of Assets Manual, ASIS International]

The organization should manage IT security at the highest appropriate organizational level, so the management of security actions is in line with business requirements.
The organization should translate business information requirements, IT configuration, information risk action plans and information security culture into an overall IT security plan. The plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.
[DS5.1, DS5.2, CobiT, Version 4.1]

EU Guidance

Publicly available electronic communications service providers must take appropriate organizational and technical measures to safeguard the security of their services, including their network. The measures must ensure a level of security appropriate to the risks, taking into account the state of the art and the cost of implementation. [Art 4.1, EU Directive on Privacy and Electronic Communications, 2002/58/EC]

Other European and African Guidance

Information security must be maintained by telecommunications operators and value added service providers for all of their services, and by corporate subscribers for the handling of their users' identification data and geographic information. Information security is maintained when measures ensuring operating security, hardware security, data security, software security, and communications security are implemented that are commensurate with the level of technical development, the costs, and the seriousness of the threats. [§ 19(1), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation]

The use of personal data and identification data must be minimized by configuring information systems and software in a way that rules out their processing whenever the purpose can be achieved either with anonymous data or with suitable arrangements that allow data subjects to be identified only when necessary. The processing of personal data by electronic means is only allowed if the following minimum security measures are implemented according to the technical specifications stated in Annex B of this Code: computerized authentication; authentication credentials management procedures; an authorization system; regularly updating the processing operations that may be performed; protecting data against unlawful data processing, unauthorized access, and specific software; implementing procedures for the safekeeping of backups, restoring data, and system availability; keeping the security policy up-to-date; and implementing encryption for the processing, by health care bodies, of data disclosing health and sex life. [§ 3, § 34, Italy Personal Data Protection Code]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.