Authority Document - Unified Compliance

Back

North America > US Congress

17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures

AD ID

0003022

AD STATUS

17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures

ORIGINATOR

US Congress

TYPE

Regulation or Statute

AVAILABILITY

Free

SYNONYMS

17 CFR Part 242

17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2019-09-19T00:00:00-0700.

URL

Click here

AD ID

0003022

AD STATUS

Free

ORIGINATOR

US Congress

TYPE

Regulation or Statute

AVAILABILITY

SYNONYMS

17 CFR Part 242

17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures

EFFECTIVE

Not Defined

ADDED

The document as a whole was last reviewed and released on 2019-09-19T00:00:00-0700.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 59 Mandated Controls - bold
47 Implied Controls - italic 599 Implementation

Number of Controls

705 Total

Audits and risk management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a risk management program. CC ID 12051	Establish/Maintain Documentation	Preventive
Integrate the risk management program with the organization's business activities. CC ID 13661 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. §242.1001(b)(2)(iv)]	Business Processes	Preventive

Human Resources management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Establish Roles	Preventive
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Establish Roles	Preventive
Define and assign the assessment team's roles and responsibilities. CC ID 08890 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii)]	Business Processes	Preventive
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143	Human Resources Management	Preventive
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152	Human Resources Management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources Management	Preventive
Identify and define all critical roles. CC ID 00777 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Establish Roles	Preventive
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739	Establish Roles	Preventive
Assign responsibility for cyber threat intelligence. CC ID 12746	Human Resources Management	Preventive
Assign the role of security management to applicable controls. CC ID 06444	Establish Roles	Preventive
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112	Human Resources Management	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607	Human Resources Management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677	Human Resources Management	Preventive
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Communicate	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471	Establish Roles	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources Management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources Management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources Management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Establish Roles	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources Management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Establish Roles	Preventive
Assign the role of Information Technology operations to applicable controls. CC ID 00682	Establish Roles	Preventive
Assign the role of logical access control to applicable controls. CC ID 00772	Establish Roles	Preventive
Assign the role of asset physical security to applicable controls. CC ID 00770	Establish Roles	Preventive
Assign the role of data custodian to applicable controls. CC ID 04789	Establish Roles	Preventive
Assign the role of the Quality Management committee to applicable controls. CC ID 00769	Establish Roles	Preventive
Assign interested personnel to the Quality Management committee. CC ID 07193	Establish Roles	Preventive
Assign the roles and responsibilities for the asset management system. CC ID 14368	Establish/Maintain Documentation	Preventive
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348	Establish Roles	Preventive
Assign the role of fire protection management to applicable controls. CC ID 04891	Establish Roles	Preventive
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894	Establish Roles	Preventive
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895	Establish Roles	Preventive
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723	Establish Roles	Preventive

Leadership and high level objectives

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Establish/Maintain Documentation	Preventive
Establish and maintain an Authority Document list. CC ID 07113	Establish/Maintain Documentation	Preventive
Map in scope assets and in scope records to external requirements. CC ID 12189 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. §242.1001(b)(1)]	Establish/Maintain Documentation	Detective
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in §240.17a-1 of this chapter. §242.1005(a) {is accessible} Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and §242.1005(b)(2) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section. §242.1005(c) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Communicate	Preventive
Approve all compliance documents. CC ID 06286	Establish/Maintain Documentation	Preventive
Align the Authority Document list with external requirements. CC ID 06288 [For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (a). §242.1001(a)(4)]	Establish/Maintain Documentation	Preventive

Monitoring and measurement

145

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitoring and measurement CC ID 00636	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Log Management	Detective
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitor and Evaluate Occurrences	Preventive
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Monitoring of such systems to identify potential SCI events. §242.1001(a)(2)(vii)]	Monitor and Evaluate Occurrences	Detective
Monitor systems for blended attacks and multiple component incidents. CC ID 01225	Monitor and Evaluate Occurrences	Detective
Monitor systems for Denial of Service attacks. CC ID 01222	Monitor and Evaluate Occurrences	Detective
Monitor systems for unauthorized data transfers. CC ID 12971	Monitor and Evaluate Occurrences	Preventive
Address operational anomalies within the incident management system. CC ID 11633	Audits and Risk Management	Preventive
Monitor systems for access to restricted data or restricted information. CC ID 04721	Monitor and Evaluate Occurrences	Detective
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950	Human Resources Management	Detective
Detect unauthorized access to systems. CC ID 06798	Monitor and Evaluate Occurrences	Detective
Incorporate potential red flags into the organization's incident management system. CC ID 04652	Monitor and Evaluate Occurrences	Detective
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634	Audits and Risk Management	Preventive
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430	Monitor and Evaluate Occurrences	Detective
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808	Monitor and Evaluate Occurrences	Detective
Monitor systems for unauthorized mobile code. CC ID 10034	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a testing program. CC ID 00654 [{internal threat} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; §242.1001(a)(2)(iv) {be efficient} {be timely}{be accurate} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; §242.1001(a)(2)(ii)]	Behavior	Preventive
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031	Establish/Maintain Documentation	Preventive
Conduct Red Team exercises, as necessary. CC ID 12131	Technical Security	Detective
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222	Establish/Maintain Documentation	Preventive
Include the scope in the security assessment and authorization policy. CC ID 14220	Establish/Maintain Documentation	Preventive
Include the purpose in the security assessment and authorization policy. CC ID 14219	Establish/Maintain Documentation	Preventive
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218	Communicate	Preventive
Include management commitment in the security assessment and authorization policy. CC ID 14189	Establish/Maintain Documentation	Preventive
Include compliance requirements in the security assessment and authorization policy. CC ID 14183	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056	Establish/Maintain Documentation	Preventive
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224	Communicate	Preventive
Employ third parties to carry out testing programs, as necessary. CC ID 13178	Human Resources Management	Preventive
Test security systems and associated security procedures, as necessary. CC ID 11901 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and §242.1003(b)(1)(ii)]	Technical Security	Detective
Document improvement actions based on test results and exercises. CC ID 16840	Establish/Maintain Documentation	Preventive
Test in scope systems for segregation of duties, as necessary. CC ID 13906	Testing	Detective
Define the test requirements for each testing program. CC ID 13177	Establish/Maintain Documentation	Preventive
Include test requirements for the use of human subjects in the testing program. CC ID 16222	Testing	Preventive
Test the in scope system in accordance with its intended purpose. CC ID 14961	Testing	Preventive
Perform network testing in accordance with organizational standards. CC ID 16448	Testing	Preventive
Test user accounts in accordance with organizational standards. CC ID 16421	Testing	Preventive
Identify risk management measures when testing in scope systems. CC ID 14960	Process or Activity	Detective
Scan organizational networks for rogue devices. CC ID 00536	Testing	Detective
Include mechanisms for emergency stops in the testing program. CC ID 14398	Establish/Maintain Documentation	Preventive
Scan the network for wireless access points. CC ID 00370	Testing	Detective
Document the business need justification for authorized wireless access points. CC ID 12044	Establish/Maintain Documentation	Preventive
Scan wireless networks for rogue devices. CC ID 11623	Technical Security	Detective
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859	Testing	Detective
Implement incident response procedures when rogue devices are discovered. CC ID 11880	Technical Security	Corrective
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428	Monitor and Evaluate Occurrences	Corrective
Deny network access to rogue devices until network access approval has been received. CC ID 11852	Configuration	Preventive
Isolate rogue devices after a rogue device has been detected. CC ID 07061	Configuration	Corrective
Establish, implement, and maintain conformity assessment procedures. CC ID 15032	Establish/Maintain Documentation	Preventive
Share conformity assessment results with affected parties and interested personnel. CC ID 15113	Communicate	Preventive
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112	Communicate	Preventive
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111	Communicate	Preventive
Create technical documentation assessment certificates in an official language. CC ID 15110	Establish/Maintain Documentation	Preventive
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096	Testing	Preventive
Perform conformity assessments, as necessary. CC ID 15095	Testing	Detective
Define the test frequency for each testing program. CC ID 13176	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134	Technical Security	Detective
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424	Establish/Maintain Documentation	Preventive
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871	Communicate	Preventive
Establish, implement, and maintain a penetration test program. CC ID 01105	Behavior	Preventive
Align the penetration test program with industry standards. CC ID 12469	Establish/Maintain Documentation	Preventive
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429	Establish Roles	Preventive
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958	Testing	Preventive
Retain penetration test results according to internal policy. CC ID 10049	Records Management	Preventive
Retain penetration test remediation action records according to internal policy. CC ID 11629	Records Management	Preventive
Use dedicated user accounts when conducting penetration testing. CC ID 13728	Testing	Detective
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729	Testing	Corrective
Perform penetration tests, as necessary. CC ID 00655 [Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and §242.1003(b)(1)(i)]	Testing	Detective
Perform internal penetration tests, as necessary. CC ID 12471	Technical Security	Detective
Perform external penetration tests, as necessary. CC ID 12470	Technical Security	Detective
Include coverage of all in scope systems during penetration testing. CC ID 11957	Testing	Detective
Test the system for broken access controls. CC ID 01319	Testing	Detective
Test the system for broken authentication and session management. CC ID 01320	Testing	Detective
Test the system for insecure communications. CC ID 00535	Testing	Detective
Test the system for cross-site scripting attacks. CC ID 01321	Testing	Detective
Test the system for buffer overflows. CC ID 01322	Testing	Detective
Test the system for injection flaws. CC ID 01323	Testing	Detective
Ensure protocols are free from injection flaws. CC ID 16401	Process or Activity	Preventive
Test the system for Denial of Service. CC ID 01326	Testing	Detective
Test the system for insecure configuration management. CC ID 01327	Testing	Detective
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277	Testing	Detective
Test the system for cross-site request forgery. CC ID 06296	Testing	Detective
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630	Technical Security	Detective
Perform penetration testing on segmentation controls, as necessary. CC ID 12498	Technical Security	Detective
Verify segmentation controls are operational and effective. CC ID 12545	Audits and Risk Management	Detective
Repeat penetration testing, as necessary. CC ID 06860	Testing	Detective
Test the system for covert channels. CC ID 10652	Testing	Detective
Estimate the maximum bandwidth of any covert channels. CC ID 10653	Technical Security	Detective
Reduce the maximum bandwidth of covert channels. CC ID 10655	Technical Security	Corrective
Test systems to determine which covert channels might be exploited. CC ID 10654	Testing	Detective
Establish, implement, and maintain a business line testing strategy. CC ID 13245	Establish/Maintain Documentation	Preventive
Include facilities in the business line testing strategy. CC ID 13253	Establish/Maintain Documentation	Preventive
Include electrical systems in the business line testing strategy. CC ID 13251	Establish/Maintain Documentation	Preventive
Include mechanical systems in the business line testing strategy. CC ID 13250	Establish/Maintain Documentation	Preventive
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248	Establish/Maintain Documentation	Preventive
Include emergency power supplies in the business line testing strategy. CC ID 13247	Establish/Maintain Documentation	Preventive
Include environmental controls in the business line testing strategy. CC ID 13246	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a vulnerability management program. CC ID 15721	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636	Establish/Maintain Documentation	Preventive
Perform vulnerability scans, as necessary. CC ID 11637	Technical Security	Detective
Repeat vulnerability scanning, as necessary. CC ID 11646	Testing	Detective
Identify and document security vulnerabilities. CC ID 11857	Technical Security	Detective
Rank discovered vulnerabilities. CC ID 11940	Investigate	Detective
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098	Technical Security	Preventive
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638	Technical Security	Detective
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097	Establish/Maintain Documentation	Preventive
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418	Communicate	Preventive
Maintain vulnerability scan reports as organizational records. CC ID 12092	Records Management	Preventive
Correlate vulnerability scan reports from the various systems. CC ID 10636	Technical Security	Detective
Perform internal vulnerability scans, as necessary. CC ID 00656	Testing	Detective
Perform vulnerability scans prior to installing payment applications. CC ID 12192	Technical Security	Detective
Implement scanning tools, as necessary. CC ID 14282	Technical Security	Detective
Update the vulnerability scanners' vulnerability list. CC ID 10634	Configuration	Corrective
Repeat vulnerability scanning after an approved change occurs. CC ID 12468	Technical Security	Detective
Perform external vulnerability scans, as necessary. CC ID 11624	Technical Security	Detective
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467	Business Processes	Preventive
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039	Testing	Preventive
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635	Technical Security	Detective
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748	Behavior	Corrective
Perform vulnerability assessments, as necessary. CC ID 11828	Technical Security	Corrective
Review applications for security vulnerabilities after the application is updated. CC ID 11938	Technical Security	Detective
Test the system for unvalidated input. CC ID 01318	Testing	Detective
Test the system for proper error handling. CC ID 01324	Testing	Detective
Test the system for insecure data storage. CC ID 01325	Testing	Detective
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297	Testing	Detective
Approve the vulnerability management program. CC ID 15722	Process or Activity	Preventive
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723	Establish Roles	Preventive
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111	Technical Security	Preventive
Test the system for insecure cryptographic storage. CC ID 11635	Technical Security	Detective
Perform self-tests on cryptographic modules within the system. CC ID 06537	Testing	Detective
Perform power-up tests on cryptographic modules within the system. CC ID 06538	Testing	Detective
Perform conditional tests on cryptographic modules within the system. CC ID 06539	Testing	Detective
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130	Configuration	Detective
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639	Technical Security	Corrective
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188	Configuration	Corrective
Recommend mitigation techniques based on penetration test results. CC ID 04881	Establish/Maintain Documentation	Corrective
Correct or mitigate vulnerabilities. CC ID 12497	Technical Security	Corrective
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859	Technical Security	Corrective
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059	Business Processes	Preventive
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Actionable Reports or Measurements	Detective
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and §242.1003(b)(2) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. §242.1003(b)(3)]	Actionable Reports or Measurements	Corrective

Operational and Systems Continuity

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational and Systems Continuity CC ID 00731	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a business continuity program. CC ID 13210	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a continuity framework. CC ID 00732 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Establish/Maintain Documentation	Preventive
Establish and maintain the scope of the continuity framework. CC ID 11908	Establish/Maintain Documentation	Preventive
Identify all stakeholders critical to the continuity of operations. CC ID 12741	Systems Continuity	Detective
Include network security in the scope of the continuity framework. CC ID 16327	Establish/Maintain Documentation	Preventive
Explain any exclusions to the scope of the continuity framework. CC ID 12236	Establish/Maintain Documentation	Preventive
Refrain from including exclusions that could affect business continuity. CC ID 12740	Records Management	Preventive
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235	Establish/Maintain Documentation	Preventive
Include business units in the scope of the continuity framework. CC ID 11898	Establish/Maintain Documentation	Preventive
Include business functions in the scope of the continuity framework. CC ID 12699	Establish/Maintain Documentation	Preventive
Include information security continuity in the scope of the continuity framework. CC ID 12009	Systems Continuity	Preventive
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698	Systems Continuity	Preventive
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242	Establish/Maintain Documentation	Preventive
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a shelter in place plan. CC ID 16260	Establish/Maintain Documentation	Preventive
Designate safe rooms in the shelter in place plan. CC ID 16276	Establish/Maintain Documentation	Preventive
Include Quality Management in the continuity framework. CC ID 12239	Establish/Maintain Documentation	Preventive
Establish and maintain a system continuity plan philosophy. CC ID 00734	Establish/Maintain Documentation	Preventive
Define the executive vision of the continuity planning process. CC ID 01243	Establish/Maintain Documentation	Preventive
Include a pandemic plan in the continuity plan. CC ID 06800	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733	Establish Roles	Preventive
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386	Systems Continuity	Preventive
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761	Establish/Maintain Documentation	Preventive
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246	Systems Continuity	Corrective
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373	Monitor and Evaluate Occurrences	Detective
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573	Communicate	Preventive
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374	Systems Continuity	Detective
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053	Systems Continuity	Preventive
Establish, implement, and maintain a continuity plan. CC ID 00752	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302	Communicate	Preventive
Include procedures to restore network connectivity in the recovery plan. CC ID 16250	Establish/Maintain Documentation	Preventive
Include addressing backup failures in the recovery plan. CC ID 13298	Establish/Maintain Documentation	Preventive
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296	Human Resources Management	Preventive
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295	Establish/Maintain Documentation	Preventive
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Establish/Maintain Documentation	Preventive
Include the criteria for activation in the recovery plan. CC ID 13293	Establish/Maintain Documentation	Preventive
Include escalation procedures in the recovery plan. CC ID 16248	Establish/Maintain Documentation	Preventive
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292	Establish/Maintain Documentation	Preventive
Determine the cause for the activation of the recovery plan. CC ID 13291	Investigate	Detective
Test the recovery plan, as necessary. CC ID 13290	Testing	Detective
Test the backup information, as necessary. CC ID 13303	Testing	Detective
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301	Establish/Maintain Documentation	Detective
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859	Communicate	Preventive
Establish, implement, and maintain system continuity plan strategies. CC ID 00735	Establish/Maintain Documentation	Preventive
Include the protection of personnel in the continuity plan. CC ID 06378	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{business continuity plan} {disaster recovery plan} {is necessary} Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; §242.1004 ¶ 1(a)]	Establish/Maintain Documentation	Detective
Identify alternate personnel for each person on the critical personnel list. CC ID 12771	Human Resources Management	Preventive
Define the triggering events for when to activate the pandemic plan. CC ID 06801	Establish/Maintain Documentation	Preventive
Train personnel on the continuity plan. CC ID 00759 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Behavior	Preventive
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387	Behavior	Preventive
Incorporate simulated events into the continuity plan training. CC ID 01402	Behavior	Preventive
Include cross-team coordination in continuity plan training. CC ID 16235	Training	Preventive
Include stay at home order training in the continuity plan training. CC ID 14382	Training	Preventive
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388	Training	Preventive
Include personal protection in continuity plan training. CC ID 14394	Training	Preventive
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829	Testing	Preventive
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Testing	Detective
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767	Testing	Preventive
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766	Testing	Preventive
Validate the emergency communications procedures during continuity plan tests. CC ID 12777	Testing	Preventive
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769	Testing	Preventive
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793	Testing	Detective
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757	Testing	Detective
Analyze system interdependence during continuity plan tests. CC ID 13082	Testing	Detective
Validate the evacuation plans during continuity plan tests. CC ID 12760	Testing	Preventive
Test the continuity plan at the alternate facility. CC ID 01174	Testing	Detective
Include predefined goals and realistic conditions during off-site testing. CC ID 01175	Establish/Maintain Documentation	Preventive
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [{business continuity plan} {disaster recovery plan} Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. §242.1004 ¶ 1(c)]	Testing	Preventive
Review all third party's continuity plan test results. CC ID 01365	Testing	Detective
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389	Testing	Detective
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548	Actionable Reports or Measurements	Preventive
Approve the continuity plan test results. CC ID 15718	Systems Continuity	Preventive
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553	Testing	Detective
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404	Testing	Detective

Operational management

361

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a capacity management plan. CC ID 11751	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: The establishment of reasonable current and future technological infrastructure capacity planning estimates; §242.1001(a)(2)(i)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2)]	Establish/Maintain Documentation	Preventive
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955	Behavior	Preventive
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283	Establish/Maintain Documentation	Preventive
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861	Acquisition/Sale of Assets or Services	Preventive
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853	Establish/Maintain Documentation	Preventive
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915	Process or Activity	Preventive
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that: §242.1003(b)(1)]	Process or Activity	Preventive
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809	Audits and Risk Management	Preventive
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523	Human Resources Management	Preventive
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524	Human Resources Management	Preventive
Establish, implement, and maintain a compliance policy. CC ID 14807	Establish/Maintain Documentation	Preventive
Include the standard of conduct and accountability in the compliance policy. CC ID 14813	Establish/Maintain Documentation	Preventive
Include the scope in the compliance policy. CC ID 14812	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the compliance policy. CC ID 14811	Establish/Maintain Documentation	Preventive
Include a commitment to continual improvement in the compliance policy. CC ID 14810	Establish/Maintain Documentation	Preventive
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809	Communicate	Preventive
Include management commitment in the compliance policy. CC ID 14808	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a governance policy. CC ID 15587	Establish/Maintain Documentation	Preventive
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625	Communicate	Preventive
Include a commitment to continuous improvement in the governance policy. CC ID 15595	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the governance policy. CC ID 15594	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a positive information control environment. CC ID 00813	Business Processes	Preventive
Make compliance and governance decisions in a timely manner. CC ID 06490	Behavior	Preventive
Establish, implement, and maintain an internal control framework. CC ID 00820 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3)]	Establish/Maintain Documentation	Preventive
Define the scope for the internal control framework. CC ID 16325	Business Processes	Preventive
Measure policy compliance when reviewing the internal control framework. CC ID 06442	Actionable Reports or Measurements	Corrective
Review the relevance of information supporting internal controls. CC ID 12420	Business Processes	Detective
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437	Establish Roles	Preventive
Assign resources to implement the internal control framework. CC ID 00816	Business Processes	Preventive
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146	Establish Roles	Preventive
Establish, implement, and maintain a baseline of internal controls. CC ID 12415	Business Processes	Preventive
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Establish/Maintain Documentation	Preventive
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Establish/Maintain Documentation	Preventive
Leverage actionable information to support internal controls. CC ID 12414	Business Processes	Preventive
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819	Establish/Maintain Documentation	Preventive
Include continuous service account management procedures in the internal control framework. CC ID 13860	Establish/Maintain Documentation	Preventive
Include threat assessment in the internal control framework. CC ID 01347	Establish/Maintain Documentation	Preventive
Automate threat assessments, as necessary. CC ID 06877	Configuration	Preventive
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102	Establish/Maintain Documentation	Preventive
Automate vulnerability management, as necessary. CC ID 11730	Configuration	Preventive
Include personnel security procedures in the internal control framework. CC ID 01349	Establish/Maintain Documentation	Preventive
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358	Establish/Maintain Documentation	Preventive
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205	Establish/Maintain Documentation	Preventive
Include security information sharing procedures in the internal control framework. CC ID 06489	Establish/Maintain Documentation	Preventive
Share security information with interested personnel and affected parties. CC ID 11732	Communicate	Preventive
Evaluate information sharing partners, as necessary. CC ID 12749	Process or Activity	Preventive
Include security incident response procedures in the internal control framework. CC ID 01359	Establish/Maintain Documentation	Preventive
Include incident response escalation procedures in the internal control framework. CC ID 11745	Establish/Maintain Documentation	Preventive
Include continuous user account management procedures in the internal control framework. CC ID 01360	Establish/Maintain Documentation	Preventive
Include emergency response procedures in the internal control framework. CC ID 06779	Establish/Maintain Documentation	Detective
Authorize and document all exceptions to the internal control framework. CC ID 06781	Establish/Maintain Documentation	Preventive
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229	Communicate	Preventive
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835	Communicate	Preventive
Establish, implement, and maintain a cybersecurity policy. CC ID 16833	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security program. CC ID 00812 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. §242.1001(a)(1)]	Establish/Maintain Documentation	Preventive
Include physical safeguards in the information security program. CC ID 12375	Establish/Maintain Documentation	Preventive
Include technical safeguards in the information security program. CC ID 12374	Establish/Maintain Documentation	Preventive
Include administrative safeguards in the information security program. CC ID 12373	Establish/Maintain Documentation	Preventive
Include system development in the information security program. CC ID 12389	Establish/Maintain Documentation	Preventive
Include system maintenance in the information security program. CC ID 12388	Establish/Maintain Documentation	Preventive
Include system acquisition in the information security program. CC ID 12387	Establish/Maintain Documentation	Preventive
Include access control in the information security program. CC ID 12386	Establish/Maintain Documentation	Preventive
Review and approve access controls, as necessary. CC ID 13074	Process or Activity	Detective
Include operations management in the information security program. CC ID 12385 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)]	Establish/Maintain Documentation	Preventive
Include communication management in the information security program. CC ID 12384	Establish/Maintain Documentation	Preventive
Include environmental security in the information security program. CC ID 12383	Establish/Maintain Documentation	Preventive
Include physical security in the information security program. CC ID 12382	Establish/Maintain Documentation	Preventive
Include human resources security in the information security program. CC ID 12381	Establish/Maintain Documentation	Preventive
Include asset management in the information security program. CC ID 12380	Establish/Maintain Documentation	Preventive
Include a continuous monitoring program in the information security program. CC ID 14323	Establish/Maintain Documentation	Preventive
Include change management procedures in the continuous monitoring plan. CC ID 16227	Establish/Maintain Documentation	Preventive
include recovery procedures in the continuous monitoring plan. CC ID 16226	Establish/Maintain Documentation	Preventive
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Establish/Maintain Documentation	Preventive
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Establish/Maintain Documentation	Preventive
Include how the information security department is organized in the information security program. CC ID 12379	Establish/Maintain Documentation	Preventive
Include risk management in the information security program. CC ID 12378	Establish/Maintain Documentation	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Establish/Maintain Documentation	Preventive
Provide management direction and support for the information security program. CC ID 11999	Process or Activity	Preventive
Monitor and review the effectiveness of the information security program. CC ID 12744	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740	Establish/Maintain Documentation	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Business Processes	Preventive
Include business processes in the information security policy. CC ID 16326	Establish/Maintain Documentation	Preventive
Include the information security strategy in the information security policy. CC ID 16125	Establish/Maintain Documentation	Preventive
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the information security policy. CC ID 16120	Establish/Maintain Documentation	Preventive
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Establish/Maintain Documentation	Preventive
Include information security objectives in the information security policy. CC ID 13493	Establish/Maintain Documentation	Preventive
Include the use of Cloud Services in the information security policy. CC ID 13146	Establish/Maintain Documentation	Preventive
Include notification procedures in the information security policy. CC ID 16842	Establish/Maintain Documentation	Preventive
Approve the information security policy at the organization's management level or higher. CC ID 11737	Process or Activity	Preventive
Establish, implement, and maintain information security procedures. CC ID 12006	Business Processes	Preventive
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Establish/Maintain Documentation	Preventive
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Communicate	Preventive
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Establish/Maintain Documentation	Preventive
Define thresholds for approving information security activities in the information security program. CC ID 15702	Process or Activity	Preventive
Assign ownership of the information security program to the appropriate role. CC ID 00814	Establish Roles	Preventive
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Human Resources Management	Preventive
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885	Establish/Maintain Documentation	Preventive
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Human Resources Management	Preventive
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739	Communicate	Preventive
Establish, implement, and maintain a social media governance program. CC ID 06536	Establish/Maintain Documentation	Preventive
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Business Processes	Preventive
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Business Processes	Preventive
Refrain from accepting instant messages from unknown senders. CC ID 12537	Behavior	Preventive
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Establish/Maintain Documentation	Preventive
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Establish/Maintain Documentation	Preventive
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Establish/Maintain Documentation	Preventive
Perform social network analysis, as necessary. CC ID 14864	Investigate	Detective
Establish, implement, and maintain operational control procedures. CC ID 00831	Establish/Maintain Documentation	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Establish/Maintain Documentation	Preventive
Include startup processes in operational control procedures. CC ID 00833	Establish/Maintain Documentation	Preventive
Include change control processes in the operational control procedures. CC ID 16793	Establish/Maintain Documentation	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Establish/Maintain Documentation	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Process or Activity	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Establish/Maintain Documentation	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Establish/Maintain Documentation	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Establish/Maintain Documentation	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Establish/Maintain Documentation	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Establish/Maintain Documentation	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Establish/Maintain Documentation	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Establish/Maintain Documentation	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Establish/Maintain Documentation	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Establish/Maintain Documentation	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Establish/Maintain Documentation	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Establish/Maintain Documentation	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Establish/Maintain Documentation	Preventive
Include information sharing procedures in standard operating procedures. CC ID 12974	Records Management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Business Processes	Preventive
Provide support for information sharing activities. CC ID 15644	Process or Activity	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Business Processes	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Establish/Maintain Documentation	Corrective
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Communicate	Preventive
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Establish/Maintain Documentation	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350	Establish/Maintain Documentation	Preventive
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351	Establish/Maintain Documentation	Preventive
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Establish/Maintain Documentation	Preventive
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Establish/Maintain Documentation	Preventive
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Establish/Maintain Documentation	Preventive
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Establish/Maintain Documentation	Preventive
Include asset tags in the Acceptable Use Policy. CC ID 01354	Establish/Maintain Documentation	Preventive
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Establish/Maintain Documentation	Preventive
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Establish/Maintain Documentation	Preventive
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Establish/Maintain Documentation	Preventive
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Establish/Maintain Documentation	Preventive
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Technical Security	Preventive
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Establish/Maintain Documentation	Preventive
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Data and Information Management	Preventive
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Establish/Maintain Documentation	Preventive
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Establish/Maintain Documentation	Preventive
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Establish/Maintain Documentation	Preventive
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Establish/Maintain Documentation	Preventive
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Establish/Maintain Documentation	Corrective
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Establish/Maintain Documentation	Preventive
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Establish/Maintain Documentation	Preventive
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Communicate	Preventive
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Business Processes	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Establish/Maintain Documentation	Preventive
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an e-mail policy. CC ID 06439	Establish/Maintain Documentation	Preventive
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Establish/Maintain Documentation	Preventive
Identify the sender in all electronic messages. CC ID 13996	Data and Information Management	Preventive
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain nondisclosure agreements. CC ID 04536	Establish/Maintain Documentation	Preventive
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Communicate	Preventive
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a use of information agreement. CC ID 06215	Establish/Maintain Documentation	Preventive
Include use limitations in the use of information agreement. CC ID 06244	Establish/Maintain Documentation	Preventive
Include disclosure requirements in the use of information agreement. CC ID 11735	Establish/Maintain Documentation	Preventive
Include information recipients in the use of information agreement. CC ID 06245	Establish/Maintain Documentation	Preventive
Include reporting out of scope use of information in the use of information agreement. CC ID 06246	Establish/Maintain Documentation	Preventive
Include disclosure of information in the use of information agreement. CC ID 11830	Establish/Maintain Documentation	Preventive
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130	Establish/Maintain Documentation	Preventive
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418	Establish/Maintain Documentation	Preventive
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131	Establish/Maintain Documentation	Preventive
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Business Processes	Preventive
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Process or Activity	Preventive
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Process or Activity	Preventive
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Process or Activity	Preventive
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Process or Activity	Preventive
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Process or Activity	Preventive
Analyze the organizational culture. CC ID 12899	Process or Activity	Preventive
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Process or Activity	Detective
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Process or Activity	Detective
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Process or Activity	Detective
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Behavior	Preventive
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Business Processes	Preventive
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Business Processes	Preventive
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Business Processes	Preventive
Include skill development in the analysis of the organizational culture. CC ID 12913	Behavior	Preventive
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Behavior	Preventive
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Business Processes	Preventive
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Behavior	Preventive
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Behavior	Preventive
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Process or Activity	Corrective
Comply with all implemented policies in the organization's compliance framework. CC ID 06384	Establish/Maintain Documentation	Preventive
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Communicate	Preventive
Review systems for compliance with organizational information security policies. CC ID 12004	Business Processes	Preventive
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815	Behavior	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Business Processes	Preventive
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Establish/Maintain Documentation	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Establish/Maintain Documentation	Preventive
Respond to and triage when an incident is detected. CC ID 06942 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Monitor and Evaluate Occurrences	Detective
Document the incident and any relevant evidence in the incident report. CC ID 08659	Establish/Maintain Documentation	Detective
Escalate incidents, as necessary. CC ID 14861	Monitor and Evaluate Occurrences	Corrective
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Process or Activity	Corrective
Respond to all alerts from security systems in a timely manner. CC ID 06434	Behavior	Corrective
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Process or Activity	Corrective
Share incident information with interested personnel and affected parties. CC ID 01212 [Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a). §242.1003(a)(2) Until resolved, provide regular updates of any information required to be disseminated under paragraphs (c)(1)(i) and (ii) of this section. §242.1002(c)(1)(iii) Until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in paragraph (b)(2)(ii) of this section; §242.1002(b)(3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3)]	Data and Information Management	Corrective
Share data loss event information with the media. CC ID 01759	Behavior	Corrective
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Data and Information Management	Preventive
Share data loss event information with interconnected system owners. CC ID 01209	Establish/Maintain Documentation	Corrective
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Communicate	Preventive
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Communicate	Preventive
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Establish/Maintain Documentation	Preventive
Report data loss event information to breach notification organizations. CC ID 01210	Data and Information Management	Corrective
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Log Management	Detective
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Communicate	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Communicate	Preventive
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Behavior	Corrective
Include data loss event notifications in the Incident Response program. CC ID 00364	Establish/Maintain Documentation	Preventive
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Behavior	Corrective
Delay sending incident response notifications under predetermined conditions. CC ID 00804 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)]	Behavior	Corrective
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Establish/Maintain Documentation	Preventive
Submit written requests to delay the notification of affected parties. CC ID 16783	Communicate	Preventive
Revoke the written request to delay the notification. CC ID 16843	Process or Activity	Preventive
Include information required by law in incident response notifications. CC ID 00802 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Establish/Maintain Documentation	Detective
Title breach notifications "Notice of Data Breach". CC ID 12977	Establish/Maintain Documentation	Preventive
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Establish/Maintain Documentation	Preventive
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Establish/Maintain Documentation	Preventive
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Establish/Maintain Documentation	Preventive
Use plain language to write incident response notifications. CC ID 12976	Establish/Maintain Documentation	Preventive
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Establish/Maintain Documentation	Preventive
Refrain from including restricted information in the incident response notification. CC ID 16806	Actionable Reports or Measurements	Preventive
Include the affected parties rights in the incident response notification. CC ID 16811	Establish/Maintain Documentation	Preventive
Include details of the investigation in incident response notifications. CC ID 12296 [When known, promptly further disseminate the following information about such SCI event: A detailed description of the SCI event; §242.1002(c)(1)(ii)(A)]	Establish/Maintain Documentation	Preventive
Include the issuer's name in incident response notifications. CC ID 12062	Establish/Maintain Documentation	Preventive
Include a "What Happened" heading in breach notifications. CC ID 12978	Establish/Maintain Documentation	Preventive
Include a general description of the data loss event in incident response notifications. CC ID 04734 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)]	Establish/Maintain Documentation	Preventive
Include time information in incident response notifications. CC ID 04745	Establish/Maintain Documentation	Preventive
Include the identification of the data source in incident response notifications. CC ID 12305	Establish/Maintain Documentation	Preventive
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Establish/Maintain Documentation	Preventive
Include the type of information that was lost in incident response notifications. CC ID 04735	Establish/Maintain Documentation	Preventive
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Establish/Maintain Documentation	Preventive
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Establish/Maintain Documentation	Preventive
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Establish/Maintain Documentation	Preventive
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Establish/Maintain Documentation	Preventive
Include a "For More Information" heading in breach notifications. CC ID 12981	Establish/Maintain Documentation	Preventive
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Establish/Maintain Documentation	Preventive
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Establish/Maintain Documentation	Preventive
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Establish/Maintain Documentation	Preventive
Include any consequences in the incident response notifications. CC ID 12604	Establish/Maintain Documentation	Preventive
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Establish/Maintain Documentation	Preventive
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Establish/Maintain Documentation	Preventive
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Establish/Maintain Documentation	Detective
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Communicate	Corrective
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Business Processes	Corrective
Include contact information in incident response notifications. CC ID 04739	Establish/Maintain Documentation	Preventive
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A copy of any information disseminated pursuant to paragraph (c) of this section by the SCI entity to date regarding the SCI event to any of its members or participants; and §242.1002(b)(4)(ii)(B)]	Communicate	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Establish/Maintain Documentation	Preventive
Create an incident response report following an incident response. CC ID 12700	Establish/Maintain Documentation	Preventive
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) When known, promptly further disseminate the following information about such SCI event: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and §242.1002(c)(1)(ii)(B) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Establish/Maintain Documentation	Preventive
Include losses due to the incident in the incident response report. CC ID 12724 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)]	Establish/Maintain Documentation	Preventive
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Establish/Maintain Documentation	Preventive
Include the scope of the incident in the incident response report. CC ID 12717 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: The system(s) affected by the SCI event; and §242.1002(c)(1)(i)(A) Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)]	Establish/Maintain Documentation	Preventive
Include the duration of the incident in the incident response report. CC ID 12716 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Establish/Maintain Documentation	Preventive
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C)]	Establish/Maintain Documentation	Preventive
Include where the incident occurred in the incident response report. CC ID 12710 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i)]	Establish/Maintain Documentation	Preventive
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Establish/Maintain Documentation	Preventive
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Establish/Maintain Documentation	Preventive
Include an executive summary of the incident in the incident response report. CC ID 12702 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: A summary description of the SCI event; and §242.1002(c)(1)(i)(B)]	Establish/Maintain Documentation	Preventive
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event containing the information required in paragraph (b)(4)(ii) of this section, to the extent known at the time. §242.1002(b)(4)(i)(B)(1) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. §242.1002(b)(5)(ii) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: §242.1002(b)(2)]	Communicate	Preventive
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Acquisition/Sale of Assets or Services	Preventive
Mitigate reported incidents. CC ID 12973 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain an incident response plan. CC ID 12056	Establish/Maintain Documentation	Preventive
Include addressing information sharing in the incident response plan. CC ID 13349 [Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be n style="background-color:#CBD0E5;" class="term_secondary-verb">kept and preserved by it pursuant to paragraphs (b)(1) and (2) of this section §242.1005(b)(3)]	Establish/Maintain Documentation	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Establish/Maintain Documentation	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Establish Roles	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Establish Roles	Preventive
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately; §242.1002(b)(1)]	Communicate	Corrective
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [If an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(A) Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(B)(2)]	Actionable Reports or Measurements	Preventive
Establish, implement, and maintain a change control program. CC ID 00886 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A system of internal controls over changes to SCI systems; §242.1001(b)(2)(ii)]	Establish/Maintain Documentation	Preventive
Include potential consequences of unintended changes in the change control program. CC ID 12243	Establish/Maintain Documentation	Preventive
Include version control in the change control program. CC ID 13119	Establish/Maintain Documentation	Preventive
Include service design and transition in the change control program. CC ID 13920	Establish/Maintain Documentation	Preventive
Separate the production environment from development environment or test environment for the change control process. CC ID 11864	Maintenance	Preventive
Integrate configuration management procedures into the change control program. CC ID 13646	Technical Security	Preventive
Establish, implement, and maintain a back-out plan. CC ID 13623	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373	Establish/Maintain Documentation	Preventive
Approve back-out plans, as necessary. CC ID 13627	Establish/Maintain Documentation	Corrective
Manage change requests. CC ID 00887 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Business Processes	Preventive
Include documentation of the impact level of proposed changes in the change request. CC ID 11942	Establish/Maintain Documentation	Preventive
Establish and maintain a change request approver list. CC ID 06795	Establish/Maintain Documentation	Preventive
Document all change requests in change request forms. CC ID 06794	Establish/Maintain Documentation	Preventive
Test proposed changes prior to their approval. CC ID 00548 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: Testing of all SCI systems and any changes to SCI systems prior to implementation; §242.1001(b)(2)(i)]	Testing	Detective
Examine all changes to ensure they correspond with the change request. CC ID 12345	Business Processes	Detective
Approve tested change requests. CC ID 11783	Data and Information Management	Preventive
Validate the system before implementing approved changes. CC ID 01510	Systems Design, Build, and Implementation	Preventive
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Behavior	Preventive
Establish, implement, and maintain emergency change procedures. CC ID 00890	Establish/Maintain Documentation	Preventive
Perform emergency changes, as necessary. CC ID 12707	Process or Activity	Preventive
Back up emergency changes after the change has been performed. CC ID 12734	Process or Activity	Preventive
Log emergency changes after they have been performed. CC ID 12733	Establish/Maintain Documentation	Preventive
Perform risk assessments prior to approving change requests. CC ID 00888	Testing	Preventive
Conduct network certifications prior to approving change requests for networks. CC ID 13121	Process or Activity	Detective
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126	Investigate	Detective
Collect data about the network environment when certifying the network. CC ID 13125	Investigate	Detective
Implement changes according to the change control program. CC ID 11776	Business Processes	Preventive
Provide audit trails for all approved changes. CC ID 13120 [Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a patch management program. CC ID 00896	Process or Activity	Preventive
Document the sources of all software updates. CC ID 13316	Establish/Maintain Documentation	Preventive
Implement patch management software, as necessary. CC ID 12094	Technical Security	Preventive
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087	Technical Security	Preventive
Establish, implement, and maintain a patch management policy. CC ID 16432	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain patch management procedures. CC ID 15224	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a patch log. CC ID 01642	Establish/Maintain Documentation	Preventive
Review the patch log for missing patches. CC ID 13186	Technical Security	Detective
Perform a patch test prior to deploying a patch. CC ID 00898	Testing	Detective
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796	Business Processes	Preventive
Deploy software patches in accordance with organizational standards. CC ID 07032	Configuration	Corrective
Test software patches for any potential compromise of the system's security. CC ID 13175	Testing	Detective
Patch software. CC ID 11825	Technical Security	Corrective
Patch the operating system, as necessary. CC ID 11824	Technical Security	Corrective
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174	Configuration	Corrective
Remove outdated software after software has been updated. CC ID 11792	Configuration	Corrective
Update computer firmware, as necessary. CC ID 11755	Configuration	Corrective
Review changes to computer firmware. CC ID 12226	Testing	Detective
Certify changes to computer firmware are free of malicious logic. CC ID 12227	Testing	Detective
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671	Configuration	Corrective
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682	Technical Security	Detective
Establish, implement, and maintain a software release policy. CC ID 00893	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain traceability documentation. CC ID 16388	Systems Design, Build, and Implementation	Preventive
Disseminate and communicate software update information to users and regulators. CC ID 06602	Behavior	Preventive
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809	Data and Information Management	Preventive
Mitigate the adverse effects of unauthorized changes. CC ID 12244	Business Processes	Corrective
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391	Establish/Maintain Documentation	Detective
Test the system's operational functionality after implementing approved changes. CC ID 06294	Testing	Detective
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541	Testing	Detective
Establish, implement, and maintain a change acceptance testing log. CC ID 06392	Establish/Maintain Documentation	Corrective
Update associated documentation after the system configuration has been changed. CC ID 00891	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a configuration change log. CC ID 08710	Configuration	Detective
Document approved configuration deviations. CC ID 08711	Establish/Maintain Documentation	Corrective

Records management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Records management CC ID 00902	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain records management policies. CC ID 00903	Establish/Maintain Documentation	Preventive
Define each system's preservation requirements for records and logs. CC ID 00904	Establish/Maintain Documentation	Detective
Determine how long to keep records and logs before disposing them. CC ID 11661	Process or Activity	Preventive
Retain records in accordance with applicable requirements. CC ID 00968 [Make, keep, and preserve records relating to all such SCI events; and §242.1002(b)(5)(i)]	Records Management	Preventive

Systems design, build, and implementation

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Systems design, build, and implementation CC ID 00989	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)]	Systems Design, Build, and Implementation	Preventive
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386	Establish/Maintain Documentation	Preventive
Perform a feasibility study for product requests. CC ID 06895	Acquisition/Sale of Assets or Services	Preventive
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898	Acquisition/Sale of Assets or Services	Preventive
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069	Human Resources Management	Preventive
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045	Establish/Maintain Documentation	Preventive
Include information security throughout the system development life cycle. CC ID 12042	Systems Design, Build, and Implementation	Preventive
Protect confidential information during the system development life cycle program. CC ID 13479	Data and Information Management	Preventive
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469	Communicate	Preventive
Initiate the System Development Life Cycle planning phase. CC ID 06266	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security controls definition document. CC ID 01080	Establish/Maintain Documentation	Preventive
Include identified risks and legal requirements in the security controls definition document. CC ID 11743	Establish/Maintain Documentation	Preventive
Include naming conventions in system design guidelines. CC ID 13656	Establish/Maintain Documentation	Preventive
Implement manual override capability into automated systems. CC ID 14921	Systems Design, Build, and Implementation	Preventive
Define and assign the system development project team roles and responsibilities. CC ID 01061	Establish Roles	Preventive
Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062	Establish Roles	Preventive
Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063	Establish Roles	Preventive
Restrict system architects from being assigned as Administrators. CC ID 01064	Testing	Detective
Restrict the development team from having access to the production environment. CC ID 01066	Testing	Detective
Redesign business activities to support the system implementation. CC ID 01067	Systems Design, Build, and Implementation	Corrective
Establish, implement, and maintain a source data collection design specification. CC ID 01070	Establish/Maintain Documentation	Preventive
Establish and maintain an input requirements definition document. CC ID 01071	Establish/Maintain Documentation	Preventive
Search for metadata during e-discovery. CC ID 01073	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain security design principles. CC ID 14718	Systems Design, Build, and Implementation	Preventive
Include reduced complexity of systems or system components in the security design principles. CC ID 14753	Systems Design, Build, and Implementation	Preventive
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752	Systems Design, Build, and Implementation	Preventive
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751	Systems Design, Build, and Implementation	Preventive
Include modularity and layering of systems or system components in the security design principles. CC ID 14750	Systems Design, Build, and Implementation	Preventive
Include secure evolvability of systems or system components in the security design principles. CC ID 14749	Systems Design, Build, and Implementation	Preventive
Include continuous protection of systems or system components in the security design principles. CC ID 14748	Establish/Maintain Documentation	Preventive
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747	Systems Design, Build, and Implementation	Preventive
Include secure system modification of systems or system components in the security design principles. CC ID 14746	Systems Design, Build, and Implementation	Preventive
Include clear abstractions of systems or system components in the security design principles. CC ID 14745	Systems Design, Build, and Implementation	Preventive
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744	Systems Design, Build, and Implementation	Preventive
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743	Systems Design, Build, and Implementation	Preventive
Include least privilege of systems or system components in the security design principles. CC ID 14742	Systems Design, Build, and Implementation	Preventive
Include minimized sharing of systems or system components in the security design principles. CC ID 14741	Systems Design, Build, and Implementation	Preventive
Include acceptable security of systems or system components in the security design principles. CC ID 14740	Systems Design, Build, and Implementation	Preventive
Include minimized security elements in systems or system components in the security design principles. CC ID 14739	Systems Design, Build, and Implementation	Preventive
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738	Systems Design, Build, and Implementation	Preventive
Include self-analysis of systems or system components in the security design principles. CC ID 14737	Systems Design, Build, and Implementation	Preventive
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736	Systems Design, Build, and Implementation	Preventive
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735	Systems Design, Build, and Implementation	Preventive
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734	Systems Design, Build, and Implementation	Preventive
Include minimization of systems or system components in the security design principles. CC ID 14733	Systems Design, Build, and Implementation	Preventive
Include secure defaults in systems or system components in the security design principles. CC ID 14732	Systems Design, Build, and Implementation	Preventive
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731	Systems Design, Build, and Implementation	Preventive
Include economic security in systems or system components in the security design principles. CC ID 14730	Systems Design, Build, and Implementation	Preventive
Include trusted components of systems or system components in the security design principles. CC ID 14729	Systems Design, Build, and Implementation	Preventive
Include procedural rigor in systems or system components in the security design principles. CC ID 14728	Systems Design, Build, and Implementation	Preventive
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727	Systems Design, Build, and Implementation	Preventive
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726	Systems Design, Build, and Implementation	Preventive
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725	Systems Design, Build, and Implementation	Preventive
Include performance security of systems or system components in the security design principles. CC ID 14724	Systems Design, Build, and Implementation	Preventive
Include human factored security in systems or system components in the security design principles. CC ID 14723	Systems Design, Build, and Implementation	Preventive
Include secure metadata management of systems or system components in the security design principles. CC ID 14722	Systems Design, Build, and Implementation	Preventive
Include predicate permission of systems or system components in the security design principles. CC ID 14721	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a system use training plan. CC ID 01089	Establish/Maintain Documentation	Preventive
Train the affected users during system development life cycle projects. CC ID 01091	Behavior	Preventive
Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963	Establish/Maintain Documentation	Preventive
Include the physical design characteristics in the system design specification. CC ID 06927	Establish/Maintain Documentation	Preventive
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267	Systems Design, Build, and Implementation	Preventive
Perform Quality Management on all newly developed or modified systems. CC ID 01100	Testing	Detective
Establish, implement, and maintain a system testing policy. CC ID 01102 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)]	Establish/Maintain Documentation	Preventive
Configure the test environment similar to the production environment. CC ID 06837	Configuration	Preventive
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473	Communicate	Preventive
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107	Establish/Maintain Documentation	Preventive
Return test payment cards after their use. CC ID 06398	Behavior	Preventive

Common Controls and
mandates by Type 59 Mandated Controls - bold
47 Implied Controls - italic 599 Implementation

Number of Controls

705 Total

Acquisition/Sale of Assets or Services

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861	Operational management	Preventive
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Operational management	Preventive
Perform a feasibility study for product requests. CC ID 06895	Systems design, build, and implementation	Preventive
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898	Systems design, build, and implementation	Preventive

Actionable Reports or Measurements

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Monitoring and measurement	Detective
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and §242.1003(b)(2) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. §242.1003(b)(3)]	Monitoring and measurement	Corrective
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548	Operational and Systems Continuity	Preventive
Measure policy compliance when reviewing the internal control framework. CC ID 06442	Operational management	Corrective
Refrain from including restricted information in the incident response notification. CC ID 16806	Operational management	Preventive
Mitigate reported incidents. CC ID 12973 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Operational management	Preventive
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [If an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(A) Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(B)(2)]	Operational management	Preventive

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Address operational anomalies within the incident management system. CC ID 11633	Monitoring and measurement	Preventive
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634	Monitoring and measurement	Preventive
Verify segmentation controls are operational and effective. CC ID 12545	Monitoring and measurement	Detective
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809	Operational management	Preventive

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a testing program. CC ID 00654 [{internal threat} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; §242.1001(a)(2)(iv) {be efficient} {be timely}{be accurate} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; §242.1001(a)(2)(ii)]	Monitoring and measurement	Preventive
Establish, implement, and maintain a penetration test program. CC ID 01105	Monitoring and measurement	Preventive
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748	Monitoring and measurement	Corrective
Train personnel on the continuity plan. CC ID 00759 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Operational and Systems Continuity	Preventive
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387	Operational and Systems Continuity	Preventive
Incorporate simulated events into the continuity plan training. CC ID 01402	Operational and Systems Continuity	Preventive
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955	Operational management	Preventive
Make compliance and governance decisions in a timely manner. CC ID 06490	Operational management	Preventive
Refrain from accepting instant messages from unknown senders. CC ID 12537	Operational management	Preventive
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Operational management	Preventive
Include skill development in the analysis of the organizational culture. CC ID 12913	Operational management	Preventive
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Operational management	Preventive
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Operational management	Preventive
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Operational management	Preventive
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815	Operational management	Preventive
Respond to all alerts from security systems in a timely manner. CC ID 06434	Operational management	Corrective
Share data loss event information with the media. CC ID 01759	Operational management	Corrective
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Corrective
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Operational management	Corrective
Delay sending incident response notifications under predetermined conditions. CC ID 00804 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)]	Operational management	Corrective
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Operational management	Preventive
Disseminate and communicate software update information to users and regulators. CC ID 06602	Operational management	Preventive
Train the affected users during system development life cycle projects. CC ID 01091	Systems design, build, and implementation	Preventive
Return test payment cards after their use. CC ID 06398	Systems design, build, and implementation	Preventive

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467	Monitoring and measurement	Preventive
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059	Monitoring and measurement	Preventive
Integrate the risk management program with the organization's business activities. CC ID 13661 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. §242.1001(b)(2)(iv)]	Audits and risk management	Preventive
Define and assign the assessment team's roles and responsibilities. CC ID 08890 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii)]	Human Resources management	Preventive
Establish, implement, and maintain a positive information control environment. CC ID 00813	Operational management	Preventive
Define the scope for the internal control framework. CC ID 16325	Operational management	Preventive
Review the relevance of information supporting internal controls. CC ID 12420	Operational management	Detective
Assign resources to implement the internal control framework. CC ID 00816	Operational management	Preventive
Establish, implement, and maintain a baseline of internal controls. CC ID 12415	Operational management	Preventive
Leverage actionable information to support internal controls. CC ID 12414	Operational management	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Operational management	Preventive
Establish, implement, and maintain information security procedures. CC ID 12006	Operational management	Preventive
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Operational management	Preventive
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Operational management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Operational management	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Operational management	Preventive
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Operational management	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Preventive
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Operational management	Preventive
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Operational management	Preventive
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Operational management	Preventive
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Operational management	Preventive
Review systems for compliance with organizational information security policies. CC ID 12004	Operational management	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Preventive
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Operational management	Corrective
Manage change requests. CC ID 00887 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Operational management	Preventive
Examine all changes to ensure they correspond with the change request. CC ID 12345	Operational management	Detective
Implement changes according to the change control program. CC ID 11776	Operational management	Preventive
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796	Operational management	Preventive
Mitigate the adverse effects of unauthorized changes. CC ID 12244	Operational management	Corrective

Communicate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Leadership and high level objectives	Preventive
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218	Monitoring and measurement	Preventive
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224	Monitoring and measurement	Preventive
Share conformity assessment results with affected parties and interested personnel. CC ID 15113	Monitoring and measurement	Preventive
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112	Monitoring and measurement	Preventive
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111	Monitoring and measurement	Preventive
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871	Monitoring and measurement	Preventive
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418	Monitoring and measurement	Preventive
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573	Operational and Systems Continuity	Preventive
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302	Operational and Systems Continuity	Preventive
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859	Operational and Systems Continuity	Preventive
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Human Resources management	Preventive
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809	Operational management	Preventive
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625	Operational management	Preventive
Share security information with interested personnel and affected parties. CC ID 11732	Operational management	Preventive
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229	Operational management	Preventive
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835	Operational management	Preventive
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Operational management	Preventive
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739	Operational management	Preventive
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Operational management	Preventive
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Operational management	Preventive
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Operational management	Preventive
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Operational management	Preventive
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Operational management	Preventive
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Operational management	Preventive
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Preventive
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Preventive
Submit written requests to delay the notification of affected parties. CC ID 16783	Operational management	Preventive
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Operational management	Corrective
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A copy of any information disseminated pursuant to paragraph (c) of this section by the SCI entity to date regarding the SCI event to any of its members or participants; and §242.1002(b)(4)(ii)(B)]	Operational management	Preventive
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event containing the information required in paragraph (b)(4)(ii) of this section, to the extent known at the time. §242.1002(b)(4)(i)(B)(1) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. §242.1002(b)(5)(ii) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: §242.1002(b)(2)]	Operational management	Preventive
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately; §242.1002(b)(1)]	Operational management	Corrective
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469	Systems design, build, and implementation	Preventive
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473	Systems design, build, and implementation	Preventive

Configuration

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Deny network access to rogue devices until network access approval has been received. CC ID 11852	Monitoring and measurement	Preventive
Isolate rogue devices after a rogue device has been detected. CC ID 07061	Monitoring and measurement	Corrective
Update the vulnerability scanners' vulnerability list. CC ID 10634	Monitoring and measurement	Corrective
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130	Monitoring and measurement	Detective
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188	Monitoring and measurement	Corrective
Automate threat assessments, as necessary. CC ID 06877	Operational management	Preventive
Automate vulnerability management, as necessary. CC ID 11730	Operational management	Preventive
Deploy software patches in accordance with organizational standards. CC ID 07032	Operational management	Corrective
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174	Operational management	Corrective
Remove outdated software after software has been updated. CC ID 11792	Operational management	Corrective
Update computer firmware, as necessary. CC ID 11755	Operational management	Corrective
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671	Operational management	Corrective
Establish, implement, and maintain a configuration change log. CC ID 08710	Operational management	Detective
Configure the test environment similar to the production environment. CC ID 06837	Systems design, build, and implementation	Preventive

Data and Information Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Operational management	Preventive
Identify the sender in all electronic messages. CC ID 13996	Operational management	Preventive
Share incident information with interested personnel and affected parties. CC ID 01212 [Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a). §242.1003(a)(2) Until resolved, provide regular updates of any information required to be disseminated under paragraphs (c)(1)(i) and (ii) of this section. §242.1002(c)(1)(iii) Until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in paragraph (b)(2)(ii) of this section; §242.1002(b)(3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3)]	Operational management	Corrective
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Operational management	Preventive
Report data loss event information to breach notification organizations. CC ID 01210	Operational management	Corrective
Approve tested change requests. CC ID 11783	Operational management	Preventive
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809	Operational management	Preventive
Protect confidential information during the system development life cycle program. CC ID 13479	Systems design, build, and implementation	Preventive

Establish Roles

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429	Monitoring and measurement	Preventive
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723	Monitoring and measurement	Preventive
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733	Operational and Systems Continuity	Preventive
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Human Resources management	Preventive
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Human Resources management	Preventive
Identify and define all critical roles. CC ID 00777 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Human Resources management	Preventive
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739	Human Resources management	Preventive
Assign the role of security management to applicable controls. CC ID 06444	Human Resources management	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471	Human Resources management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Human Resources management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Human Resources management	Preventive
Assign the role of Information Technology operations to applicable controls. CC ID 00682	Human Resources management	Preventive
Assign the role of logical access control to applicable controls. CC ID 00772	Human Resources management	Preventive
Assign the role of asset physical security to applicable controls. CC ID 00770	Human Resources management	Preventive
Assign the role of data custodian to applicable controls. CC ID 04789	Human Resources management	Preventive
Assign the role of the Quality Management committee to applicable controls. CC ID 00769	Human Resources management	Preventive
Assign interested personnel to the Quality Management committee. CC ID 07193	Human Resources management	Preventive
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348	Human Resources management	Preventive
Assign the role of fire protection management to applicable controls. CC ID 04891	Human Resources management	Preventive
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894	Human Resources management	Preventive
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895	Human Resources management	Preventive
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723	Human Resources management	Preventive
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437	Operational management	Preventive
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146	Operational management	Preventive
Assign ownership of the information security program to the appropriate role. CC ID 00814	Operational management	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Operational management	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Operational management	Preventive
Define and assign the system development project team roles and responsibilities. CC ID 01061	Systems design, build, and implementation	Preventive
Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062	Systems design, build, and implementation	Preventive
Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063	Systems design, build, and implementation	Preventive

Establish/Maintain Documentation

305

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Preventive
Establish and maintain an Authority Document list. CC ID 07113	Leadership and high level objectives	Preventive
Map in scope assets and in scope records to external requirements. CC ID 12189 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. §242.1001(b)(1)]	Leadership and high level objectives	Detective
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in §240.17a-1 of this chapter. §242.1005(a) {is accessible} Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and §242.1005(b)(2) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section. §242.1005(c) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1)]	Leadership and high level objectives	Preventive
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Preventive
Align the Authority Document list with external requirements. CC ID 06288 [For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (a). §242.1001(a)(4)]	Leadership and high level objectives	Preventive
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031	Monitoring and measurement	Preventive
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136	Monitoring and measurement	Preventive
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222	Monitoring and measurement	Preventive
Include the scope in the security assessment and authorization policy. CC ID 14220	Monitoring and measurement	Preventive
Include the purpose in the security assessment and authorization policy. CC ID 14219	Monitoring and measurement	Preventive
Include management commitment in the security assessment and authorization policy. CC ID 14189	Monitoring and measurement	Preventive
Include compliance requirements in the security assessment and authorization policy. CC ID 14183	Monitoring and measurement	Preventive
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179	Monitoring and measurement	Preventive
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056	Monitoring and measurement	Preventive
Document improvement actions based on test results and exercises. CC ID 16840	Monitoring and measurement	Preventive
Define the test requirements for each testing program. CC ID 13177	Monitoring and measurement	Preventive
Include mechanisms for emergency stops in the testing program. CC ID 14398	Monitoring and measurement	Preventive
Document the business need justification for authorized wireless access points. CC ID 12044	Monitoring and measurement	Preventive
Establish, implement, and maintain conformity assessment procedures. CC ID 15032	Monitoring and measurement	Preventive
Create technical documentation assessment certificates in an official language. CC ID 15110	Monitoring and measurement	Preventive
Define the test frequency for each testing program. CC ID 13176	Monitoring and measurement	Preventive
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162	Monitoring and measurement	Detective
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424	Monitoring and measurement	Preventive
Align the penetration test program with industry standards. CC ID 12469	Monitoring and measurement	Preventive
Establish, implement, and maintain a business line testing strategy. CC ID 13245	Monitoring and measurement	Preventive
Include facilities in the business line testing strategy. CC ID 13253	Monitoring and measurement	Preventive
Include electrical systems in the business line testing strategy. CC ID 13251	Monitoring and measurement	Preventive
Include mechanical systems in the business line testing strategy. CC ID 13250	Monitoring and measurement	Preventive
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248	Monitoring and measurement	Preventive
Include emergency power supplies in the business line testing strategy. CC ID 13247	Monitoring and measurement	Preventive
Include environmental controls in the business line testing strategy. CC ID 13246	Monitoring and measurement	Preventive
Establish, implement, and maintain a vulnerability management program. CC ID 15721	Monitoring and measurement	Preventive
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636	Monitoring and measurement	Preventive
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097	Monitoring and measurement	Preventive
Recommend mitigation techniques based on penetration test results. CC ID 04881	Monitoring and measurement	Corrective
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Preventive
Establish, implement, and maintain a business continuity program. CC ID 13210	Operational and Systems Continuity	Preventive
Establish, implement, and maintain a continuity framework. CC ID 00732 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Operational and Systems Continuity	Preventive
Establish and maintain the scope of the continuity framework. CC ID 11908	Operational and Systems Continuity	Preventive
Include network security in the scope of the continuity framework. CC ID 16327	Operational and Systems Continuity	Preventive
Explain any exclusions to the scope of the continuity framework. CC ID 12236	Operational and Systems Continuity	Preventive
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235	Operational and Systems Continuity	Preventive
Include business units in the scope of the continuity framework. CC ID 11898	Operational and Systems Continuity	Preventive
Include business functions in the scope of the continuity framework. CC ID 12699	Operational and Systems Continuity	Preventive
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242	Operational and Systems Continuity	Preventive
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907	Operational and Systems Continuity	Preventive
Establish, implement, and maintain a shelter in place plan. CC ID 16260	Operational and Systems Continuity	Preventive
Designate safe rooms in the shelter in place plan. CC ID 16276	Operational and Systems Continuity	Preventive
Include Quality Management in the continuity framework. CC ID 12239	Operational and Systems Continuity	Preventive
Establish and maintain a system continuity plan philosophy. CC ID 00734	Operational and Systems Continuity	Preventive
Define the executive vision of the continuity planning process. CC ID 01243	Operational and Systems Continuity	Preventive
Include a pandemic plan in the continuity plan. CC ID 06800	Operational and Systems Continuity	Preventive
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761	Operational and Systems Continuity	Preventive
Establish, implement, and maintain a continuity plan. CC ID 00752	Operational and Systems Continuity	Preventive
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Operational and Systems Continuity	Preventive
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Operational and Systems Continuity	Preventive
Include procedures to restore network connectivity in the recovery plan. CC ID 16250	Operational and Systems Continuity	Preventive
Include addressing backup failures in the recovery plan. CC ID 13298	Operational and Systems Continuity	Preventive
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297	Operational and Systems Continuity	Preventive
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295	Operational and Systems Continuity	Preventive
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Operational and Systems Continuity	Preventive
Include the criteria for activation in the recovery plan. CC ID 13293	Operational and Systems Continuity	Preventive
Include escalation procedures in the recovery plan. CC ID 16248	Operational and Systems Continuity	Preventive
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292	Operational and Systems Continuity	Preventive
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301	Operational and Systems Continuity	Detective
Establish, implement, and maintain system continuity plan strategies. CC ID 00735	Operational and Systems Continuity	Preventive
Include the protection of personnel in the continuity plan. CC ID 06378	Operational and Systems Continuity	Preventive
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{business continuity plan} {disaster recovery plan} {is necessary} Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; §242.1004 ¶ 1(a)]	Operational and Systems Continuity	Detective
Define the triggering events for when to activate the pandemic plan. CC ID 06801	Operational and Systems Continuity	Preventive
Include predefined goals and realistic conditions during off-site testing. CC ID 01175	Operational and Systems Continuity	Preventive
Assign the roles and responsibilities for the asset management system. CC ID 14368	Human Resources management	Preventive
Establish, implement, and maintain a capacity management plan. CC ID 11751	Operational management	Preventive
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: The establishment of reasonable current and future technological infrastructure capacity planning estimates; §242.1001(a)(2)(i)]	Operational management	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2)]	Operational management	Preventive
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266	Operational management	Preventive
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283	Operational management	Preventive
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853	Operational management	Preventive
Establish, implement, and maintain a compliance policy. CC ID 14807	Operational management	Preventive
Include the standard of conduct and accountability in the compliance policy. CC ID 14813	Operational management	Preventive
Include the scope in the compliance policy. CC ID 14812	Operational management	Preventive
Include roles and responsibilities in the compliance policy. CC ID 14811	Operational management	Preventive
Include a commitment to continual improvement in the compliance policy. CC ID 14810	Operational management	Preventive
Include management commitment in the compliance policy. CC ID 14808	Operational management	Preventive
Establish, implement, and maintain a governance policy. CC ID 15587	Operational management	Preventive
Include a commitment to continuous improvement in the governance policy. CC ID 15595	Operational management	Preventive
Include roles and responsibilities in the governance policy. CC ID 15594	Operational management	Preventive
Establish, implement, and maintain an internal control framework. CC ID 00820 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3)]	Operational management	Preventive
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Operational management	Preventive
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Operational management	Preventive
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819	Operational management	Preventive
Include continuous service account management procedures in the internal control framework. CC ID 13860	Operational management	Preventive
Include threat assessment in the internal control framework. CC ID 01347	Operational management	Preventive
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102	Operational management	Preventive
Include personnel security procedures in the internal control framework. CC ID 01349	Operational management	Preventive
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358	Operational management	Preventive
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205	Operational management	Preventive
Include security information sharing procedures in the internal control framework. CC ID 06489	Operational management	Preventive
Include security incident response procedures in the internal control framework. CC ID 01359	Operational management	Preventive
Include incident response escalation procedures in the internal control framework. CC ID 11745	Operational management	Preventive
Include continuous user account management procedures in the internal control framework. CC ID 01360	Operational management	Preventive
Include emergency response procedures in the internal control framework. CC ID 06779	Operational management	Detective
Authorize and document all exceptions to the internal control framework. CC ID 06781	Operational management	Preventive
Establish, implement, and maintain a cybersecurity policy. CC ID 16833	Operational management	Preventive
Establish, implement, and maintain an information security program. CC ID 00812 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. §242.1001(a)(1)]	Operational management	Preventive
Include physical safeguards in the information security program. CC ID 12375	Operational management	Preventive
Include technical safeguards in the information security program. CC ID 12374	Operational management	Preventive
Include administrative safeguards in the information security program. CC ID 12373	Operational management	Preventive
Include system development in the information security program. CC ID 12389	Operational management	Preventive
Include system maintenance in the information security program. CC ID 12388	Operational management	Preventive
Include system acquisition in the information security program. CC ID 12387	Operational management	Preventive
Include access control in the information security program. CC ID 12386	Operational management	Preventive
Include operations management in the information security program. CC ID 12385 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)]	Operational management	Preventive
Include communication management in the information security program. CC ID 12384	Operational management	Preventive
Include environmental security in the information security program. CC ID 12383	Operational management	Preventive
Include physical security in the information security program. CC ID 12382	Operational management	Preventive
Include human resources security in the information security program. CC ID 12381	Operational management	Preventive
Include asset management in the information security program. CC ID 12380	Operational management	Preventive
Include a continuous monitoring program in the information security program. CC ID 14323	Operational management	Preventive
Include change management procedures in the continuous monitoring plan. CC ID 16227	Operational management	Preventive
include recovery procedures in the continuous monitoring plan. CC ID 16226	Operational management	Preventive
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Operational management	Preventive
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Operational management	Preventive
Include how the information security department is organized in the information security program. CC ID 12379	Operational management	Preventive
Include risk management in the information security program. CC ID 12378	Operational management	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Operational management	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740	Operational management	Preventive
Include business processes in the information security policy. CC ID 16326	Operational management	Preventive
Include the information security strategy in the information security policy. CC ID 16125	Operational management	Preventive
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Operational management	Preventive
Include roles and responsibilities in the information security policy. CC ID 16120	Operational management	Preventive
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Operational management	Preventive
Include information security objectives in the information security policy. CC ID 13493	Operational management	Preventive
Include the use of Cloud Services in the information security policy. CC ID 13146	Operational management	Preventive
Include notification procedures in the information security policy. CC ID 16842	Operational management	Preventive
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Operational management	Preventive
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Operational management	Preventive
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885	Operational management	Preventive
Establish, implement, and maintain a social media governance program. CC ID 06536	Operational management	Preventive
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Operational management	Preventive
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Operational management	Preventive
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Operational management	Preventive
Establish, implement, and maintain operational control procedures. CC ID 00831	Operational management	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Operational management	Preventive
Include startup processes in operational control procedures. CC ID 00833	Operational management	Preventive
Include change control processes in the operational control procedures. CC ID 16793	Operational management	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Operational management	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Operational management	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Operational management	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Operational management	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Operational management	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Operational management	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Operational management	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Operational management	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Operational management	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Operational management	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Operational management	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Operational management	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Operational management	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Operational management	Corrective
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Operational management	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Operational management	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Operational management	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Operational management	Preventive
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350	Operational management	Preventive
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351	Operational management	Preventive
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Operational management	Preventive
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Operational management	Preventive
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Operational management	Preventive
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Operational management	Preventive
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Operational management	Preventive
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Operational management	Preventive
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Operational management	Preventive
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Operational management	Preventive
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Operational management	Preventive
Include asset tags in the Acceptable Use Policy. CC ID 01354	Operational management	Preventive
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Operational management	Preventive
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Operational management	Preventive
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Operational management	Preventive
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Operational management	Preventive
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Operational management	Preventive
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Operational management	Preventive
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Operational management	Preventive
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Operational management	Preventive
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Operational management	Preventive
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Operational management	Corrective
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Operational management	Preventive
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Operational management	Preventive
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Operational management	Preventive
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Operational management	Preventive
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Operational management	Preventive
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Operational management	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Operational management	Preventive
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Operational management	Preventive
Establish, implement, and maintain an e-mail policy. CC ID 06439	Operational management	Preventive
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Operational management	Preventive
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Operational management	Preventive
Establish, implement, and maintain nondisclosure agreements. CC ID 04536	Operational management	Preventive
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Operational management	Preventive
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Operational management	Preventive
Establish, implement, and maintain a use of information agreement. CC ID 06215	Operational management	Preventive
Include use limitations in the use of information agreement. CC ID 06244	Operational management	Preventive
Include disclosure requirements in the use of information agreement. CC ID 11735	Operational management	Preventive
Include information recipients in the use of information agreement. CC ID 06245	Operational management	Preventive
Include reporting out of scope use of information in the use of information agreement. CC ID 06246	Operational management	Preventive
Include disclosure of information in the use of information agreement. CC ID 11830	Operational management	Preventive
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130	Operational management	Preventive
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418	Operational management	Preventive
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131	Operational management	Preventive
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132	Operational management	Preventive
Comply with all implemented policies in the organization's compliance framework. CC ID 06384	Operational management	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Preventive
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Operational management	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Operational management	Preventive
Document the incident and any relevant evidence in the incident report. CC ID 08659	Operational management	Detective
Share data loss event information with interconnected system owners. CC ID 01209	Operational management	Corrective
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Operational management	Preventive
Include data loss event notifications in the Incident Response program. CC ID 00364	Operational management	Preventive
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Operational management	Preventive
Include information required by law in incident response notifications. CC ID 00802 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Detective
Title breach notifications "Notice of Data Breach". CC ID 12977	Operational management	Preventive
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Operational management	Preventive
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Operational management	Preventive
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Operational management	Preventive
Use plain language to write incident response notifications. CC ID 12976	Operational management	Preventive
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Operational management	Preventive
Include the affected parties rights in the incident response notification. CC ID 16811	Operational management	Preventive
Include details of the investigation in incident response notifications. CC ID 12296 [When known, promptly further disseminate the following information about such SCI event: A detailed description of the SCI event; §242.1002(c)(1)(ii)(A)]	Operational management	Preventive
Include the issuer's name in incident response notifications. CC ID 12062	Operational management	Preventive
Include a "What Happened" heading in breach notifications. CC ID 12978	Operational management	Preventive
Include a general description of the data loss event in incident response notifications. CC ID 04734 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)]	Operational management	Preventive
Include time information in incident response notifications. CC ID 04745	Operational management	Preventive
Include the identification of the data source in incident response notifications. CC ID 12305	Operational management	Preventive
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Operational management	Preventive
Include the type of information that was lost in incident response notifications. CC ID 04735	Operational management	Preventive
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Operational management	Preventive
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Operational management	Preventive
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Operational management	Preventive
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Operational management	Preventive
Include a "For More Information" heading in breach notifications. CC ID 12981	Operational management	Preventive
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Operational management	Preventive
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Operational management	Preventive
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Operational management	Preventive
Include any consequences in the incident response notifications. CC ID 12604	Operational management	Preventive
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Operational management	Preventive
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Operational management	Preventive
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Operational management	Detective
Include contact information in incident response notifications. CC ID 04739	Operational management	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Operational management	Preventive
Create an incident response report following an incident response. CC ID 12700	Operational management	Preventive
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) When known, promptly further disseminate the following information about such SCI event: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and §242.1002(c)(1)(ii)(B) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Preventive
Include losses due to the incident in the incident response report. CC ID 12724 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)]	Operational management	Preventive
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Preventive
Include the scope of the incident in the incident response report. CC ID 12717 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: The system(s) affected by the SCI event; and §242.1002(c)(1)(i)(A) Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)]	Operational management	Preventive
Include the duration of the incident in the incident response report. CC ID 12716 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Preventive
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C)]	Operational management	Preventive
Include where the incident occurred in the incident response report. CC ID 12710 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i)]	Operational management	Preventive
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Preventive
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Preventive
Include an executive summary of the incident in the incident response report. CC ID 12702 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: A summary description of the SCI event; and §242.1002(c)(1)(i)(B)]	Operational management	Preventive
Establish, implement, and maintain an incident response plan. CC ID 12056	Operational management	Preventive
Include addressing information sharing in the incident response plan. CC ID 13349 [Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be n style="background-color:#CBD0E5;" class="term_secondary-verb">kept and preserved by it pursuant to paragraphs (b)(1) and (2) of this section §242.1005(b)(3)]	Operational management	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Operational management	Preventive
Establish, implement, and maintain a change control program. CC ID 00886 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A system of internal controls over changes to SCI systems; §242.1001(b)(2)(ii)]	Operational management	Preventive
Include potential consequences of unintended changes in the change control program. CC ID 12243	Operational management	Preventive
Include version control in the change control program. CC ID 13119	Operational management	Preventive
Include service design and transition in the change control program. CC ID 13920	Operational management	Preventive
Establish, implement, and maintain a back-out plan. CC ID 13623	Operational management	Preventive
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373	Operational management	Preventive
Approve back-out plans, as necessary. CC ID 13627	Operational management	Corrective
Include documentation of the impact level of proposed changes in the change request. CC ID 11942	Operational management	Preventive
Establish and maintain a change request approver list. CC ID 06795	Operational management	Preventive
Document all change requests in change request forms. CC ID 06794	Operational management	Preventive
Establish, implement, and maintain emergency change procedures. CC ID 00890	Operational management	Preventive
Log emergency changes after they have been performed. CC ID 12733	Operational management	Preventive
Provide audit trails for all approved changes. CC ID 13120 [Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Operational management	Preventive
Document the sources of all software updates. CC ID 13316	Operational management	Preventive
Establish, implement, and maintain a patch management policy. CC ID 16432	Operational management	Preventive
Establish, implement, and maintain patch management procedures. CC ID 15224	Operational management	Preventive
Establish, implement, and maintain a patch log. CC ID 01642	Operational management	Preventive
Establish, implement, and maintain a software release policy. CC ID 00893	Operational management	Preventive
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391	Operational management	Detective
Establish, implement, and maintain a change acceptance testing log. CC ID 06392	Operational management	Corrective
Update associated documentation after the system configuration has been changed. CC ID 00891	Operational management	Preventive
Document approved configuration deviations. CC ID 08711	Operational management	Corrective
Establish, implement, and maintain records management policies. CC ID 00903	Records management	Preventive
Define each system's preservation requirements for records and logs. CC ID 00904	Records management	Detective
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386	Systems design, build, and implementation	Preventive
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045	Systems design, build, and implementation	Preventive
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)]	Systems design, build, and implementation	Preventive
Establish, implement, and maintain a security controls definition document. CC ID 01080	Systems design, build, and implementation	Preventive
Include identified risks and legal requirements in the security controls definition document. CC ID 11743	Systems design, build, and implementation	Preventive
Include naming conventions in system design guidelines. CC ID 13656	Systems design, build, and implementation	Preventive
Establish, implement, and maintain a source data collection design specification. CC ID 01070	Systems design, build, and implementation	Preventive
Establish and maintain an input requirements definition document. CC ID 01071	Systems design, build, and implementation	Preventive
Include continuous protection of systems or system components in the security design principles. CC ID 14748	Systems design, build, and implementation	Preventive
Establish, implement, and maintain a system use training plan. CC ID 01089	Systems design, build, and implementation	Preventive
Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963	Systems design, build, and implementation	Preventive
Include the physical design characteristics in the system design specification. CC ID 06927	Systems design, build, and implementation	Preventive
Establish, implement, and maintain a system testing policy. CC ID 01102 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)]	Systems design, build, and implementation	Preventive
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107	Systems design, build, and implementation	Preventive

Human Resources Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950	Monitoring and measurement	Detective
Employ third parties to carry out testing programs, as necessary. CC ID 13178	Monitoring and measurement	Preventive
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296	Operational and Systems Continuity	Preventive
Identify alternate personnel for each person on the critical personnel list. CC ID 12771	Operational and Systems Continuity	Preventive
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143	Human Resources management	Preventive
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152	Human Resources management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Preventive
Assign responsibility for cyber threat intelligence. CC ID 12746	Human Resources management	Preventive
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112	Human Resources management	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607	Human Resources management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677	Human Resources management	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources management	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources management	Preventive
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523	Operational management	Preventive
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524	Operational management	Preventive
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Operational management	Preventive
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Operational management	Preventive
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069	Systems design, build, and implementation	Preventive

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Operational and Systems Continuity CC ID 00731	Operational and Systems Continuity	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone
Systems design, build, and implementation CC ID 00989	Systems design, build, and implementation	IT Impact Zone

Investigate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Rank discovered vulnerabilities. CC ID 11940	Monitoring and measurement	Detective
Determine the cause for the activation of the recovery plan. CC ID 13291	Operational and Systems Continuity	Detective
Perform social network analysis, as necessary. CC ID 14864	Operational management	Detective
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126	Operational management	Detective
Collect data about the network environment when certifying the network. CC ID 13125	Operational management	Detective

Log Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Monitoring and measurement	Detective
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Detective

Maintenance

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Separate the production environment from development environment or test environment for the change control process. CC ID 11864	Operational management	Preventive

Monitor and Evaluate Occurrences

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitoring and measurement	Preventive
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Monitoring of such systems to identify potential SCI events. §242.1001(a)(2)(vii)]	Monitoring and measurement	Detective
Monitor systems for blended attacks and multiple component incidents. CC ID 01225	Monitoring and measurement	Detective
Monitor systems for Denial of Service attacks. CC ID 01222	Monitoring and measurement	Detective
Monitor systems for unauthorized data transfers. CC ID 12971	Monitoring and measurement	Preventive
Monitor systems for access to restricted data or restricted information. CC ID 04721	Monitoring and measurement	Detective
Detect unauthorized access to systems. CC ID 06798	Monitoring and measurement	Detective
Incorporate potential red flags into the organization's incident management system. CC ID 04652	Monitoring and measurement	Detective
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430	Monitoring and measurement	Detective
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808	Monitoring and measurement	Detective
Monitor systems for unauthorized mobile code. CC ID 10034	Monitoring and measurement	Preventive
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428	Monitoring and measurement	Corrective
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373	Operational and Systems Continuity	Detective
Monitor and review the effectiveness of the information security program. CC ID 12744	Operational management	Preventive
Respond to and triage when an incident is detected. CC ID 06942 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Operational management	Detective
Escalate incidents, as necessary. CC ID 14861	Operational management	Corrective

Process or Activity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Identify risk management measures when testing in scope systems. CC ID 14960	Monitoring and measurement	Detective
Ensure protocols are free from injection flaws. CC ID 16401	Monitoring and measurement	Preventive
Approve the vulnerability management program. CC ID 15722	Monitoring and measurement	Preventive
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915	Operational management	Preventive
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that: §242.1003(b)(1)]	Operational management	Preventive
Evaluate information sharing partners, as necessary. CC ID 12749	Operational management	Preventive
Review and approve access controls, as necessary. CC ID 13074	Operational management	Detective
Provide management direction and support for the information security program. CC ID 11999	Operational management	Preventive
Approve the information security policy at the organization's management level or higher. CC ID 11737	Operational management	Preventive
Define thresholds for approving information security activities in the information security program. CC ID 15702	Operational management	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Operational management	Preventive
Provide support for information sharing activities. CC ID 15644	Operational management	Preventive
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Operational management	Preventive
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Operational management	Preventive
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Operational management	Preventive
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Operational management	Preventive
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Operational management	Preventive
Analyze the organizational culture. CC ID 12899	Operational management	Preventive
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Operational management	Detective
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Operational management	Detective
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Operational management	Detective
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Operational management	Corrective
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Operational management	Corrective
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Operational management	Corrective
Revoke the written request to delay the notification. CC ID 16843	Operational management	Preventive
Perform emergency changes, as necessary. CC ID 12707	Operational management	Preventive
Back up emergency changes after the change has been performed. CC ID 12734	Operational management	Preventive
Conduct network certifications prior to approving change requests for networks. CC ID 13121	Operational management	Detective
Establish, implement, and maintain a patch management program. CC ID 00896	Operational management	Preventive
Determine how long to keep records and logs before disposing them. CC ID 11661	Records management	Preventive

Records Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Retain penetration test results according to internal policy. CC ID 10049	Monitoring and measurement	Preventive
Retain penetration test remediation action records according to internal policy. CC ID 11629	Monitoring and measurement	Preventive
Maintain vulnerability scan reports as organizational records. CC ID 12092	Monitoring and measurement	Preventive
Refrain from including exclusions that could affect business continuity. CC ID 12740	Operational and Systems Continuity	Preventive
Include information sharing procedures in standard operating procedures. CC ID 12974	Operational management	Preventive
Retain records in accordance with applicable requirements. CC ID 00968 [Make, keep, and preserve records relating to all such SCI events; and §242.1002(b)(5)(i)]	Records management	Preventive

Systems Continuity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Identify all stakeholders critical to the continuity of operations. CC ID 12741	Operational and Systems Continuity	Detective
Include information security continuity in the scope of the continuity framework. CC ID 12009	Operational and Systems Continuity	Preventive
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698	Operational and Systems Continuity	Preventive
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386	Operational and Systems Continuity	Preventive
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246	Operational and Systems Continuity	Corrective
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374	Operational and Systems Continuity	Detective
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053	Operational and Systems Continuity	Preventive
Approve the continuity plan test results. CC ID 15718	Operational and Systems Continuity	Preventive

Systems Design, Build, and Implementation

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Validate the system before implementing approved changes. CC ID 01510	Operational management	Preventive
Establish, implement, and maintain traceability documentation. CC ID 16388	Operational management	Preventive
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)]	Systems design, build, and implementation	Preventive
Include information security throughout the system development life cycle. CC ID 12042	Systems design, build, and implementation	Preventive
Initiate the System Development Life Cycle planning phase. CC ID 06266	Systems design, build, and implementation	Preventive
Implement manual override capability into automated systems. CC ID 14921	Systems design, build, and implementation	Preventive
Redesign business activities to support the system implementation. CC ID 01067	Systems design, build, and implementation	Corrective
Search for metadata during e-discovery. CC ID 01073	Systems design, build, and implementation	Preventive
Establish, implement, and maintain security design principles. CC ID 14718	Systems design, build, and implementation	Preventive
Include reduced complexity of systems or system components in the security design principles. CC ID 14753	Systems design, build, and implementation	Preventive
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752	Systems design, build, and implementation	Preventive
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751	Systems design, build, and implementation	Preventive
Include modularity and layering of systems or system components in the security design principles. CC ID 14750	Systems design, build, and implementation	Preventive
Include secure evolvability of systems or system components in the security design principles. CC ID 14749	Systems design, build, and implementation	Preventive
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747	Systems design, build, and implementation	Preventive
Include secure system modification of systems or system components in the security design principles. CC ID 14746	Systems design, build, and implementation	Preventive
Include clear abstractions of systems or system components in the security design principles. CC ID 14745	Systems design, build, and implementation	Preventive
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744	Systems design, build, and implementation	Preventive
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743	Systems design, build, and implementation	Preventive
Include least privilege of systems or system components in the security design principles. CC ID 14742	Systems design, build, and implementation	Preventive
Include minimized sharing of systems or system components in the security design principles. CC ID 14741	Systems design, build, and implementation	Preventive
Include acceptable security of systems or system components in the security design principles. CC ID 14740	Systems design, build, and implementation	Preventive
Include minimized security elements in systems or system components in the security design principles. CC ID 14739	Systems design, build, and implementation	Preventive
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738	Systems design, build, and implementation	Preventive
Include self-analysis of systems or system components in the security design principles. CC ID 14737	Systems design, build, and implementation	Preventive
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736	Systems design, build, and implementation	Preventive
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735	Systems design, build, and implementation	Preventive
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734	Systems design, build, and implementation	Preventive
Include minimization of systems or system components in the security design principles. CC ID 14733	Systems design, build, and implementation	Preventive
Include secure defaults in systems or system components in the security design principles. CC ID 14732	Systems design, build, and implementation	Preventive
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731	Systems design, build, and implementation	Preventive
Include economic security in systems or system components in the security design principles. CC ID 14730	Systems design, build, and implementation	Preventive
Include trusted components of systems or system components in the security design principles. CC ID 14729	Systems design, build, and implementation	Preventive
Include procedural rigor in systems or system components in the security design principles. CC ID 14728	Systems design, build, and implementation	Preventive
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727	Systems design, build, and implementation	Preventive
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726	Systems design, build, and implementation	Preventive
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725	Systems design, build, and implementation	Preventive
Include performance security of systems or system components in the security design principles. CC ID 14724	Systems design, build, and implementation	Preventive
Include human factored security in systems or system components in the security design principles. CC ID 14723	Systems design, build, and implementation	Preventive
Include secure metadata management of systems or system components in the security design principles. CC ID 14722	Systems design, build, and implementation	Preventive
Include predicate permission of systems or system components in the security design principles. CC ID 14721	Systems design, build, and implementation	Preventive
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267	Systems design, build, and implementation	Preventive

Technical Security

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Conduct Red Team exercises, as necessary. CC ID 12131	Monitoring and measurement	Detective
Test security systems and associated security procedures, as necessary. CC ID 11901 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and §242.1003(b)(1)(ii)]	Monitoring and measurement	Detective
Scan wireless networks for rogue devices. CC ID 11623	Monitoring and measurement	Detective
Implement incident response procedures when rogue devices are discovered. CC ID 11880	Monitoring and measurement	Corrective
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134	Monitoring and measurement	Detective
Perform internal penetration tests, as necessary. CC ID 12471	Monitoring and measurement	Detective
Perform external penetration tests, as necessary. CC ID 12470	Monitoring and measurement	Detective
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630	Monitoring and measurement	Detective
Perform penetration testing on segmentation controls, as necessary. CC ID 12498	Monitoring and measurement	Detective
Estimate the maximum bandwidth of any covert channels. CC ID 10653	Monitoring and measurement	Detective
Reduce the maximum bandwidth of covert channels. CC ID 10655	Monitoring and measurement	Corrective
Perform vulnerability scans, as necessary. CC ID 11637	Monitoring and measurement	Detective
Identify and document security vulnerabilities. CC ID 11857	Monitoring and measurement	Detective
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098	Monitoring and measurement	Preventive
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638	Monitoring and measurement	Detective
Correlate vulnerability scan reports from the various systems. CC ID 10636	Monitoring and measurement	Detective
Perform vulnerability scans prior to installing payment applications. CC ID 12192	Monitoring and measurement	Detective
Implement scanning tools, as necessary. CC ID 14282	Monitoring and measurement	Detective
Repeat vulnerability scanning after an approved change occurs. CC ID 12468	Monitoring and measurement	Detective
Perform external vulnerability scans, as necessary. CC ID 11624	Monitoring and measurement	Detective
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635	Monitoring and measurement	Detective
Perform vulnerability assessments, as necessary. CC ID 11828	Monitoring and measurement	Corrective
Review applications for security vulnerabilities after the application is updated. CC ID 11938	Monitoring and measurement	Detective
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111	Monitoring and measurement	Preventive
Test the system for insecure cryptographic storage. CC ID 11635	Monitoring and measurement	Detective
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639	Monitoring and measurement	Corrective
Correct or mitigate vulnerabilities. CC ID 12497	Monitoring and measurement	Corrective
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859	Monitoring and measurement	Corrective
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Operational management	Preventive
Integrate configuration management procedures into the change control program. CC ID 13646	Operational management	Preventive
Implement patch management software, as necessary. CC ID 12094	Operational management	Preventive
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087	Operational management	Preventive
Review the patch log for missing patches. CC ID 13186	Operational management	Detective
Patch software. CC ID 11825	Operational management	Corrective
Patch the operating system, as necessary. CC ID 11824	Operational management	Corrective
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682	Operational management	Detective

Testing

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Test in scope systems for segregation of duties, as necessary. CC ID 13906	Monitoring and measurement	Detective
Include test requirements for the use of human subjects in the testing program. CC ID 16222	Monitoring and measurement	Preventive
Test the in scope system in accordance with its intended purpose. CC ID 14961	Monitoring and measurement	Preventive
Perform network testing in accordance with organizational standards. CC ID 16448	Monitoring and measurement	Preventive
Test user accounts in accordance with organizational standards. CC ID 16421	Monitoring and measurement	Preventive
Scan organizational networks for rogue devices. CC ID 00536	Monitoring and measurement	Detective
Scan the network for wireless access points. CC ID 00370	Monitoring and measurement	Detective
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859	Monitoring and measurement	Detective
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096	Monitoring and measurement	Preventive
Perform conformity assessments, as necessary. CC ID 15095	Monitoring and measurement	Detective
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958	Monitoring and measurement	Preventive
Use dedicated user accounts when conducting penetration testing. CC ID 13728	Monitoring and measurement	Detective
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729	Monitoring and measurement	Corrective
Perform penetration tests, as necessary. CC ID 00655 [Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and §242.1003(b)(1)(i)]	Monitoring and measurement	Detective
Include coverage of all in scope systems during penetration testing. CC ID 11957	Monitoring and measurement	Detective
Test the system for broken access controls. CC ID 01319	Monitoring and measurement	Detective
Test the system for broken authentication and session management. CC ID 01320	Monitoring and measurement	Detective
Test the system for insecure communications. CC ID 00535	Monitoring and measurement	Detective
Test the system for cross-site scripting attacks. CC ID 01321	Monitoring and measurement	Detective
Test the system for buffer overflows. CC ID 01322	Monitoring and measurement	Detective
Test the system for injection flaws. CC ID 01323	Monitoring and measurement	Detective
Test the system for Denial of Service. CC ID 01326	Monitoring and measurement	Detective
Test the system for insecure configuration management. CC ID 01327	Monitoring and measurement	Detective
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277	Monitoring and measurement	Detective
Test the system for cross-site request forgery. CC ID 06296	Monitoring and measurement	Detective
Repeat penetration testing, as necessary. CC ID 06860	Monitoring and measurement	Detective
Test the system for covert channels. CC ID 10652	Monitoring and measurement	Detective
Test systems to determine which covert channels might be exploited. CC ID 10654	Monitoring and measurement	Detective
Repeat vulnerability scanning, as necessary. CC ID 11646	Monitoring and measurement	Detective
Perform internal vulnerability scans, as necessary. CC ID 00656	Monitoring and measurement	Detective
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039	Monitoring and measurement	Preventive
Test the system for unvalidated input. CC ID 01318	Monitoring and measurement	Detective
Test the system for proper error handling. CC ID 01324	Monitoring and measurement	Detective
Test the system for insecure data storage. CC ID 01325	Monitoring and measurement	Detective
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297	Monitoring and measurement	Detective
Perform self-tests on cryptographic modules within the system. CC ID 06537	Monitoring and measurement	Detective
Perform power-up tests on cryptographic modules within the system. CC ID 06538	Monitoring and measurement	Detective
Perform conditional tests on cryptographic modules within the system. CC ID 06539	Monitoring and measurement	Detective
Test the recovery plan, as necessary. CC ID 13290	Operational and Systems Continuity	Detective
Test the backup information, as necessary. CC ID 13303	Operational and Systems Continuity	Detective
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829	Operational and Systems Continuity	Preventive
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Operational and Systems Continuity	Detective
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767	Operational and Systems Continuity	Preventive
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766	Operational and Systems Continuity	Preventive
Validate the emergency communications procedures during continuity plan tests. CC ID 12777	Operational and Systems Continuity	Preventive
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769	Operational and Systems Continuity	Preventive
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793	Operational and Systems Continuity	Detective
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757	Operational and Systems Continuity	Detective
Analyze system interdependence during continuity plan tests. CC ID 13082	Operational and Systems Continuity	Detective
Validate the evacuation plans during continuity plan tests. CC ID 12760	Operational and Systems Continuity	Preventive
Test the continuity plan at the alternate facility. CC ID 01174	Operational and Systems Continuity	Detective
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [{business continuity plan} {disaster recovery plan} Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. §242.1004 ¶ 1(c)]	Operational and Systems Continuity	Preventive
Review all third party's continuity plan test results. CC ID 01365	Operational and Systems Continuity	Detective
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389	Operational and Systems Continuity	Detective
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553	Operational and Systems Continuity	Detective
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404	Operational and Systems Continuity	Detective
Test proposed changes prior to their approval. CC ID 00548 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: Testing of all SCI systems and any changes to SCI systems prior to implementation; §242.1001(b)(2)(i)]	Operational management	Detective
Perform risk assessments prior to approving change requests. CC ID 00888	Operational management	Preventive
Perform a patch test prior to deploying a patch. CC ID 00898	Operational management	Detective
Test software patches for any potential compromise of the system's security. CC ID 13175	Operational management	Detective
Review changes to computer firmware. CC ID 12226	Operational management	Detective
Certify changes to computer firmware are free of malicious logic. CC ID 12227	Operational management	Detective
Test the system's operational functionality after implementing approved changes. CC ID 06294	Operational management	Detective
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541	Operational management	Detective
Restrict system architects from being assigned as Administrators. CC ID 01064	Systems design, build, and implementation	Detective
Restrict the development team from having access to the production environment. CC ID 01066	Systems design, build, and implementation	Detective
Perform Quality Management on all newly developed or modified systems. CC ID 01100	Systems design, build, and implementation	Detective

Training

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include cross-team coordination in continuity plan training. CC ID 16235	Operational and Systems Continuity	Preventive
Include stay at home order training in the continuity plan training. CC ID 14382	Operational and Systems Continuity	Preventive
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388	Operational and Systems Continuity	Preventive
Include personal protection in continuity plan training. CC ID 14394	Operational and Systems Continuity	Preventive

Common Controls and
mandates by Classification 59 Mandated Controls - bold
47 Implied Controls - italic 599 Implementation

Number of Controls

705 Total

Corrective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Implement incident response procedures when rogue devices are discovered. CC ID 11880	Monitoring and measurement	Technical Security
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428	Monitoring and measurement	Monitor and Evaluate Occurrences
Isolate rogue devices after a rogue device has been detected. CC ID 07061	Monitoring and measurement	Configuration
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729	Monitoring and measurement	Testing
Reduce the maximum bandwidth of covert channels. CC ID 10655	Monitoring and measurement	Technical Security
Update the vulnerability scanners' vulnerability list. CC ID 10634	Monitoring and measurement	Configuration
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748	Monitoring and measurement	Behavior
Perform vulnerability assessments, as necessary. CC ID 11828	Monitoring and measurement	Technical Security
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639	Monitoring and measurement	Technical Security
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188	Monitoring and measurement	Configuration
Recommend mitigation techniques based on penetration test results. CC ID 04881	Monitoring and measurement	Establish/Maintain Documentation
Correct or mitigate vulnerabilities. CC ID 12497	Monitoring and measurement	Technical Security
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859	Monitoring and measurement	Technical Security
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and §242.1003(b)(2) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. §242.1003(b)(3)]	Monitoring and measurement	Actionable Reports or Measurements
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246	Operational and Systems Continuity	Systems Continuity
Measure policy compliance when reviewing the internal control framework. CC ID 06442	Operational management	Actionable Reports or Measurements
Update operating procedures that contribute to user errors. CC ID 06935	Operational management	Establish/Maintain Documentation
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747	Operational management	Process or Activity
Escalate incidents, as necessary. CC ID 14861	Operational management	Monitor and Evaluate Occurrences
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197	Operational management	Process or Activity
Respond to all alerts from security systems in a timely manner. CC ID 06434	Operational management	Behavior
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196	Operational management	Process or Activity
Share incident information with interested personnel and affected parties. CC ID 01212 [Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a). §242.1003(a)(2) Until resolved, provide regular updates of any information required to be disseminated under paragraphs (c)(1)(i) and (ii) of this section. §242.1002(c)(1)(iii) Until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in paragraph (b)(2)(ii) of this section; §242.1002(b)(3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3)]	Operational management	Data and Information Management
Share data loss event information with the media. CC ID 01759	Operational management	Behavior
Share data loss event information with interconnected system owners. CC ID 01209	Operational management	Establish/Maintain Documentation
Report data loss event information to breach notification organizations. CC ID 01210	Operational management	Data and Information Management
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731	Operational management	Behavior
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365	Operational management	Behavior
Delay sending incident response notifications under predetermined conditions. CC ID 00804 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)]	Operational management	Behavior
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767	Operational management	Communicate
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766	Operational management	Business Processes
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately; §242.1002(b)(1)]	Operational management	Communicate
Approve back-out plans, as necessary. CC ID 13627	Operational management	Establish/Maintain Documentation
Deploy software patches in accordance with organizational standards. CC ID 07032	Operational management	Configuration
Patch software. CC ID 11825	Operational management	Technical Security
Patch the operating system, as necessary. CC ID 11824	Operational management	Technical Security
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174	Operational management	Configuration
Remove outdated software after software has been updated. CC ID 11792	Operational management	Configuration
Update computer firmware, as necessary. CC ID 11755	Operational management	Configuration
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671	Operational management	Configuration
Mitigate the adverse effects of unauthorized changes. CC ID 12244	Operational management	Business Processes
Establish, implement, and maintain a change acceptance testing log. CC ID 06392	Operational management	Establish/Maintain Documentation
Document approved configuration deviations. CC ID 08711	Operational management	Establish/Maintain Documentation
Redesign business activities to support the system implementation. CC ID 01067	Systems design, build, and implementation	Systems Design, Build, and Implementation

Detective

115

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Map in scope assets and in scope records to external requirements. CC ID 12189 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. §242.1001(b)(1)]	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Monitoring and measurement	Log Management
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Monitoring of such systems to identify potential SCI events. §242.1001(a)(2)(vii)]	Monitoring and measurement	Monitor and Evaluate Occurrences
Monitor systems for blended attacks and multiple component incidents. CC ID 01225	Monitoring and measurement	Monitor and Evaluate Occurrences
Monitor systems for Denial of Service attacks. CC ID 01222	Monitoring and measurement	Monitor and Evaluate Occurrences
Monitor systems for access to restricted data or restricted information. CC ID 04721	Monitoring and measurement	Monitor and Evaluate Occurrences
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950	Monitoring and measurement	Human Resources Management
Detect unauthorized access to systems. CC ID 06798	Monitoring and measurement	Monitor and Evaluate Occurrences
Incorporate potential red flags into the organization's incident management system. CC ID 04652	Monitoring and measurement	Monitor and Evaluate Occurrences
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430	Monitoring and measurement	Monitor and Evaluate Occurrences
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808	Monitoring and measurement	Monitor and Evaluate Occurrences
Conduct Red Team exercises, as necessary. CC ID 12131	Monitoring and measurement	Technical Security
Test security systems and associated security procedures, as necessary. CC ID 11901 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and §242.1003(b)(1)(ii)]	Monitoring and measurement	Technical Security
Test in scope systems for segregation of duties, as necessary. CC ID 13906	Monitoring and measurement	Testing
Identify risk management measures when testing in scope systems. CC ID 14960	Monitoring and measurement	Process or Activity
Scan organizational networks for rogue devices. CC ID 00536	Monitoring and measurement	Testing
Scan the network for wireless access points. CC ID 00370	Monitoring and measurement	Testing
Scan wireless networks for rogue devices. CC ID 11623	Monitoring and measurement	Technical Security
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859	Monitoring and measurement	Testing
Perform conformity assessments, as necessary. CC ID 15095	Monitoring and measurement	Testing
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134	Monitoring and measurement	Technical Security
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162	Monitoring and measurement	Establish/Maintain Documentation
Use dedicated user accounts when conducting penetration testing. CC ID 13728	Monitoring and measurement	Testing
Perform penetration tests, as necessary. CC ID 00655 [Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and §242.1003(b)(1)(i)]	Monitoring and measurement	Testing
Perform internal penetration tests, as necessary. CC ID 12471	Monitoring and measurement	Technical Security
Perform external penetration tests, as necessary. CC ID 12470	Monitoring and measurement	Technical Security
Include coverage of all in scope systems during penetration testing. CC ID 11957	Monitoring and measurement	Testing
Test the system for broken access controls. CC ID 01319	Monitoring and measurement	Testing
Test the system for broken authentication and session management. CC ID 01320	Monitoring and measurement	Testing
Test the system for insecure communications. CC ID 00535	Monitoring and measurement	Testing
Test the system for cross-site scripting attacks. CC ID 01321	Monitoring and measurement	Testing
Test the system for buffer overflows. CC ID 01322	Monitoring and measurement	Testing
Test the system for injection flaws. CC ID 01323	Monitoring and measurement	Testing
Test the system for Denial of Service. CC ID 01326	Monitoring and measurement	Testing
Test the system for insecure configuration management. CC ID 01327	Monitoring and measurement	Testing
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277	Monitoring and measurement	Testing
Test the system for cross-site request forgery. CC ID 06296	Monitoring and measurement	Testing
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630	Monitoring and measurement	Technical Security
Perform penetration testing on segmentation controls, as necessary. CC ID 12498	Monitoring and measurement	Technical Security
Verify segmentation controls are operational and effective. CC ID 12545	Monitoring and measurement	Audits and Risk Management
Repeat penetration testing, as necessary. CC ID 06860	Monitoring and measurement	Testing
Test the system for covert channels. CC ID 10652	Monitoring and measurement	Testing
Estimate the maximum bandwidth of any covert channels. CC ID 10653	Monitoring and measurement	Technical Security
Test systems to determine which covert channels might be exploited. CC ID 10654	Monitoring and measurement	Testing
Perform vulnerability scans, as necessary. CC ID 11637	Monitoring and measurement	Technical Security
Repeat vulnerability scanning, as necessary. CC ID 11646	Monitoring and measurement	Testing
Identify and document security vulnerabilities. CC ID 11857	Monitoring and measurement	Technical Security
Rank discovered vulnerabilities. CC ID 11940	Monitoring and measurement	Investigate
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638	Monitoring and measurement	Technical Security
Correlate vulnerability scan reports from the various systems. CC ID 10636	Monitoring and measurement	Technical Security
Perform internal vulnerability scans, as necessary. CC ID 00656	Monitoring and measurement	Testing
Perform vulnerability scans prior to installing payment applications. CC ID 12192	Monitoring and measurement	Technical Security
Implement scanning tools, as necessary. CC ID 14282	Monitoring and measurement	Technical Security
Repeat vulnerability scanning after an approved change occurs. CC ID 12468	Monitoring and measurement	Technical Security
Perform external vulnerability scans, as necessary. CC ID 11624	Monitoring and measurement	Technical Security
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635	Monitoring and measurement	Technical Security
Review applications for security vulnerabilities after the application is updated. CC ID 11938	Monitoring and measurement	Technical Security
Test the system for unvalidated input. CC ID 01318	Monitoring and measurement	Testing
Test the system for proper error handling. CC ID 01324	Monitoring and measurement	Testing
Test the system for insecure data storage. CC ID 01325	Monitoring and measurement	Testing
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297	Monitoring and measurement	Testing
Test the system for insecure cryptographic storage. CC ID 11635	Monitoring and measurement	Technical Security
Perform self-tests on cryptographic modules within the system. CC ID 06537	Monitoring and measurement	Testing
Perform power-up tests on cryptographic modules within the system. CC ID 06538	Monitoring and measurement	Testing
Perform conditional tests on cryptographic modules within the system. CC ID 06539	Monitoring and measurement	Testing
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130	Monitoring and measurement	Configuration
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Monitoring and measurement	Actionable Reports or Measurements
Identify all stakeholders critical to the continuity of operations. CC ID 12741	Operational and Systems Continuity	Systems Continuity
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373	Operational and Systems Continuity	Monitor and Evaluate Occurrences
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374	Operational and Systems Continuity	Systems Continuity
Determine the cause for the activation of the recovery plan. CC ID 13291	Operational and Systems Continuity	Investigate
Test the recovery plan, as necessary. CC ID 13290	Operational and Systems Continuity	Testing
Test the backup information, as necessary. CC ID 13303	Operational and Systems Continuity	Testing
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301	Operational and Systems Continuity	Establish/Maintain Documentation
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{business continuity plan} {disaster recovery plan} {is necessary} Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; §242.1004 ¶ 1(a)]	Operational and Systems Continuity	Establish/Maintain Documentation
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Operational and Systems Continuity	Testing
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793	Operational and Systems Continuity	Testing
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757	Operational and Systems Continuity	Testing
Analyze system interdependence during continuity plan tests. CC ID 13082	Operational and Systems Continuity	Testing
Test the continuity plan at the alternate facility. CC ID 01174	Operational and Systems Continuity	Testing
Review all third party's continuity plan test results. CC ID 01365	Operational and Systems Continuity	Testing
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389	Operational and Systems Continuity	Testing
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553	Operational and Systems Continuity	Testing
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404	Operational and Systems Continuity	Testing
Review the relevance of information supporting internal controls. CC ID 12420	Operational management	Business Processes
Include emergency response procedures in the internal control framework. CC ID 06779	Operational management	Establish/Maintain Documentation
Review and approve access controls, as necessary. CC ID 13074	Operational management	Process or Activity
Perform social network analysis, as necessary. CC ID 14864	Operational management	Investigate
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922	Operational management	Process or Activity
Include the organizational climate in the analysis of the organizational culture. CC ID 12921	Operational management	Process or Activity
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920	Operational management	Process or Activity
Respond to and triage when an incident is detected. CC ID 06942 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Operational management	Monitor and Evaluate Occurrences
Document the incident and any relevant evidence in the incident report. CC ID 08659	Operational management	Establish/Maintain Documentation
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326	Operational management	Log Management
Include information required by law in incident response notifications. CC ID 00802 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Establish/Maintain Documentation
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738	Operational management	Establish/Maintain Documentation
Test proposed changes prior to their approval. CC ID 00548 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: Testing of all SCI systems and any changes to SCI systems prior to implementation; §242.1001(b)(2)(i)]	Operational management	Testing
Examine all changes to ensure they correspond with the change request. CC ID 12345	Operational management	Business Processes
Conduct network certifications prior to approving change requests for networks. CC ID 13121	Operational management	Process or Activity
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126	Operational management	Investigate
Collect data about the network environment when certifying the network. CC ID 13125	Operational management	Investigate
Review the patch log for missing patches. CC ID 13186	Operational management	Technical Security
Perform a patch test prior to deploying a patch. CC ID 00898	Operational management	Testing
Test software patches for any potential compromise of the system's security. CC ID 13175	Operational management	Testing
Review changes to computer firmware. CC ID 12226	Operational management	Testing
Certify changes to computer firmware are free of malicious logic. CC ID 12227	Operational management	Testing
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682	Operational management	Technical Security
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391	Operational management	Establish/Maintain Documentation
Test the system's operational functionality after implementing approved changes. CC ID 06294	Operational management	Testing
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541	Operational management	Testing
Establish, implement, and maintain a configuration change log. CC ID 08710	Operational management	Configuration
Define each system's preservation requirements for records and logs. CC ID 00904	Records management	Establish/Maintain Documentation
Restrict system architects from being assigned as Administrators. CC ID 01064	Systems design, build, and implementation	Testing
Restrict the development team from having access to the production environment. CC ID 01066	Systems design, build, and implementation	Testing
Perform Quality Management on all newly developed or modified systems. CC ID 01100	Systems design, build, and implementation	Testing

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Operational and Systems Continuity CC ID 00731	Operational and Systems Continuity	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone
Systems design, build, and implementation CC ID 00989	Systems design, build, and implementation	IT Impact Zone

Preventive

537

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Establish/Maintain Documentation
Establish and maintain an Authority Document list. CC ID 07113	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in §240.17a-1 of this chapter. §242.1005(a) {is accessible} Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and §242.1005(b)(2) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section. §242.1005(c) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1)]	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Leadership and high level objectives	Communicate
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Establish/Maintain Documentation
Align the Authority Document list with external requirements. CC ID 06288 [For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (a). §242.1001(a)(4)]	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain intrusion management operations. CC ID 00580	Monitoring and measurement	Monitor and Evaluate Occurrences
Monitor systems for unauthorized data transfers. CC ID 12971	Monitoring and measurement	Monitor and Evaluate Occurrences
Address operational anomalies within the incident management system. CC ID 11633	Monitoring and measurement	Audits and Risk Management
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634	Monitoring and measurement	Audits and Risk Management
Monitor systems for unauthorized mobile code. CC ID 10034	Monitoring and measurement	Monitor and Evaluate Occurrences
Establish, implement, and maintain a testing program. CC ID 00654 [{internal threat} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; §242.1001(a)(2)(iv) {be efficient} {be timely}{be accurate} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; §242.1001(a)(2)(ii)]	Monitoring and measurement	Behavior
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031	Monitoring and measurement	Establish/Maintain Documentation
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136	Monitoring and measurement	Establish/Maintain Documentation
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222	Monitoring and measurement	Establish/Maintain Documentation
Include the scope in the security assessment and authorization policy. CC ID 14220	Monitoring and measurement	Establish/Maintain Documentation
Include the purpose in the security assessment and authorization policy. CC ID 14219	Monitoring and measurement	Establish/Maintain Documentation
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218	Monitoring and measurement	Communicate
Include management commitment in the security assessment and authorization policy. CC ID 14189	Monitoring and measurement	Establish/Maintain Documentation
Include compliance requirements in the security assessment and authorization policy. CC ID 14183	Monitoring and measurement	Establish/Maintain Documentation
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056	Monitoring and measurement	Establish/Maintain Documentation
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224	Monitoring and measurement	Communicate
Employ third parties to carry out testing programs, as necessary. CC ID 13178	Monitoring and measurement	Human Resources Management
Document improvement actions based on test results and exercises. CC ID 16840	Monitoring and measurement	Establish/Maintain Documentation
Define the test requirements for each testing program. CC ID 13177	Monitoring and measurement	Establish/Maintain Documentation
Include test requirements for the use of human subjects in the testing program. CC ID 16222	Monitoring and measurement	Testing
Test the in scope system in accordance with its intended purpose. CC ID 14961	Monitoring and measurement	Testing
Perform network testing in accordance with organizational standards. CC ID 16448	Monitoring and measurement	Testing
Test user accounts in accordance with organizational standards. CC ID 16421	Monitoring and measurement	Testing
Include mechanisms for emergency stops in the testing program. CC ID 14398	Monitoring and measurement	Establish/Maintain Documentation
Document the business need justification for authorized wireless access points. CC ID 12044	Monitoring and measurement	Establish/Maintain Documentation
Deny network access to rogue devices until network access approval has been received. CC ID 11852	Monitoring and measurement	Configuration
Establish, implement, and maintain conformity assessment procedures. CC ID 15032	Monitoring and measurement	Establish/Maintain Documentation
Share conformity assessment results with affected parties and interested personnel. CC ID 15113	Monitoring and measurement	Communicate
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112	Monitoring and measurement	Communicate
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111	Monitoring and measurement	Communicate
Create technical documentation assessment certificates in an official language. CC ID 15110	Monitoring and measurement	Establish/Maintain Documentation
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096	Monitoring and measurement	Testing
Define the test frequency for each testing program. CC ID 13176	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a penetration test program. CC ID 01105	Monitoring and measurement	Behavior
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871	Monitoring and measurement	Communicate
Align the penetration test program with industry standards. CC ID 12469	Monitoring and measurement	Establish/Maintain Documentation
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429	Monitoring and measurement	Establish Roles
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958	Monitoring and measurement	Testing
Retain penetration test results according to internal policy. CC ID 10049	Monitoring and measurement	Records Management
Retain penetration test remediation action records according to internal policy. CC ID 11629	Monitoring and measurement	Records Management
Ensure protocols are free from injection flaws. CC ID 16401	Monitoring and measurement	Process or Activity
Establish, implement, and maintain a business line testing strategy. CC ID 13245	Monitoring and measurement	Establish/Maintain Documentation
Include facilities in the business line testing strategy. CC ID 13253	Monitoring and measurement	Establish/Maintain Documentation
Include electrical systems in the business line testing strategy. CC ID 13251	Monitoring and measurement	Establish/Maintain Documentation
Include mechanical systems in the business line testing strategy. CC ID 13250	Monitoring and measurement	Establish/Maintain Documentation
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248	Monitoring and measurement	Establish/Maintain Documentation
Include emergency power supplies in the business line testing strategy. CC ID 13247	Monitoring and measurement	Establish/Maintain Documentation
Include environmental controls in the business line testing strategy. CC ID 13246	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a vulnerability management program. CC ID 15721	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636	Monitoring and measurement	Establish/Maintain Documentation
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098	Monitoring and measurement	Technical Security
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097	Monitoring and measurement	Establish/Maintain Documentation
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418	Monitoring and measurement	Communicate
Maintain vulnerability scan reports as organizational records. CC ID 12092	Monitoring and measurement	Records Management
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467	Monitoring and measurement	Business Processes
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039	Monitoring and measurement	Testing
Approve the vulnerability management program. CC ID 15722	Monitoring and measurement	Process or Activity
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723	Monitoring and measurement	Establish Roles
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111	Monitoring and measurement	Technical Security
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059	Monitoring and measurement	Business Processes
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Establish/Maintain Documentation
Integrate the risk management program with the organization's business activities. CC ID 13661 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. §242.1001(b)(2)(iv)]	Audits and risk management	Business Processes
Establish, implement, and maintain a business continuity program. CC ID 13210	Operational and Systems Continuity	Establish/Maintain Documentation
Establish, implement, and maintain a continuity framework. CC ID 00732 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Operational and Systems Continuity	Establish/Maintain Documentation
Establish and maintain the scope of the continuity framework. CC ID 11908	Operational and Systems Continuity	Establish/Maintain Documentation
Include network security in the scope of the continuity framework. CC ID 16327	Operational and Systems Continuity	Establish/Maintain Documentation
Explain any exclusions to the scope of the continuity framework. CC ID 12236	Operational and Systems Continuity	Establish/Maintain Documentation
Refrain from including exclusions that could affect business continuity. CC ID 12740	Operational and Systems Continuity	Records Management
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235	Operational and Systems Continuity	Establish/Maintain Documentation
Include business units in the scope of the continuity framework. CC ID 11898	Operational and Systems Continuity	Establish/Maintain Documentation
Include business functions in the scope of the continuity framework. CC ID 12699	Operational and Systems Continuity	Establish/Maintain Documentation
Include information security continuity in the scope of the continuity framework. CC ID 12009	Operational and Systems Continuity	Systems Continuity
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698	Operational and Systems Continuity	Systems Continuity
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242	Operational and Systems Continuity	Establish/Maintain Documentation
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907	Operational and Systems Continuity	Establish/Maintain Documentation
Establish, implement, and maintain a shelter in place plan. CC ID 16260	Operational and Systems Continuity	Establish/Maintain Documentation
Designate safe rooms in the shelter in place plan. CC ID 16276	Operational and Systems Continuity	Establish/Maintain Documentation
Include Quality Management in the continuity framework. CC ID 12239	Operational and Systems Continuity	Establish/Maintain Documentation
Establish and maintain a system continuity plan philosophy. CC ID 00734	Operational and Systems Continuity	Establish/Maintain Documentation
Define the executive vision of the continuity planning process. CC ID 01243	Operational and Systems Continuity	Establish/Maintain Documentation
Include a pandemic plan in the continuity plan. CC ID 06800	Operational and Systems Continuity	Establish/Maintain Documentation
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733	Operational and Systems Continuity	Establish Roles
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386	Operational and Systems Continuity	Systems Continuity
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761	Operational and Systems Continuity	Establish/Maintain Documentation
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573	Operational and Systems Continuity	Communicate
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053	Operational and Systems Continuity	Systems Continuity
Establish, implement, and maintain a continuity plan. CC ID 00752	Operational and Systems Continuity	Establish/Maintain Documentation
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Operational and Systems Continuity	Establish/Maintain Documentation
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Operational and Systems Continuity	Establish/Maintain Documentation
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302	Operational and Systems Continuity	Communicate
Include procedures to restore network connectivity in the recovery plan. CC ID 16250	Operational and Systems Continuity	Establish/Maintain Documentation
Include addressing backup failures in the recovery plan. CC ID 13298	Operational and Systems Continuity	Establish/Maintain Documentation
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297	Operational and Systems Continuity	Establish/Maintain Documentation
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296	Operational and Systems Continuity	Human Resources Management
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295	Operational and Systems Continuity	Establish/Maintain Documentation
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)]	Operational and Systems Continuity	Establish/Maintain Documentation
Include the criteria for activation in the recovery plan. CC ID 13293	Operational and Systems Continuity	Establish/Maintain Documentation
Include escalation procedures in the recovery plan. CC ID 16248	Operational and Systems Continuity	Establish/Maintain Documentation
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292	Operational and Systems Continuity	Establish/Maintain Documentation
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859	Operational and Systems Continuity	Communicate
Establish, implement, and maintain system continuity plan strategies. CC ID 00735	Operational and Systems Continuity	Establish/Maintain Documentation
Include the protection of personnel in the continuity plan. CC ID 06378	Operational and Systems Continuity	Establish/Maintain Documentation
Identify alternate personnel for each person on the critical personnel list. CC ID 12771	Operational and Systems Continuity	Human Resources Management
Define the triggering events for when to activate the pandemic plan. CC ID 06801	Operational and Systems Continuity	Establish/Maintain Documentation
Train personnel on the continuity plan. CC ID 00759 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)]	Operational and Systems Continuity	Behavior
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387	Operational and Systems Continuity	Behavior
Incorporate simulated events into the continuity plan training. CC ID 01402	Operational and Systems Continuity	Behavior
Include cross-team coordination in continuity plan training. CC ID 16235	Operational and Systems Continuity	Training
Include stay at home order training in the continuity plan training. CC ID 14382	Operational and Systems Continuity	Training
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388	Operational and Systems Continuity	Training
Include personal protection in continuity plan training. CC ID 14394	Operational and Systems Continuity	Training
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829	Operational and Systems Continuity	Testing
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767	Operational and Systems Continuity	Testing
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766	Operational and Systems Continuity	Testing
Validate the emergency communications procedures during continuity plan tests. CC ID 12777	Operational and Systems Continuity	Testing
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769	Operational and Systems Continuity	Testing
Validate the evacuation plans during continuity plan tests. CC ID 12760	Operational and Systems Continuity	Testing
Include predefined goals and realistic conditions during off-site testing. CC ID 01175	Operational and Systems Continuity	Establish/Maintain Documentation
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [{business continuity plan} {disaster recovery plan} Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. §242.1004 ¶ 1(c)]	Operational and Systems Continuity	Testing
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548	Operational and Systems Continuity	Actionable Reports or Measurements
Approve the continuity plan test results. CC ID 15718	Operational and Systems Continuity	Systems Continuity
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Human Resources management	Establish Roles
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Human Resources management	Establish Roles
Define and assign the assessment team's roles and responsibilities. CC ID 08890 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii)]	Human Resources management	Business Processes
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143	Human Resources management	Human Resources Management
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152	Human Resources management	Human Resources Management
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Human Resources Management
Identify and define all critical roles. CC ID 00777 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Human Resources management	Establish Roles
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739	Human Resources management	Establish Roles
Assign responsibility for cyber threat intelligence. CC ID 12746	Human Resources management	Human Resources Management
Assign the role of security management to applicable controls. CC ID 06444	Human Resources management	Establish Roles
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112	Human Resources management	Human Resources Management
Define and assign the data processor's roles and responsibilities. CC ID 12607	Human Resources management	Human Resources Management
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677	Human Resources management	Human Resources Management
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Human Resources management	Communicate
Define and assign the data controller's roles and responsibilities. CC ID 00471	Human Resources management	Establish Roles
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources management	Human Resources Management
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources management	Human Resources Management
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources management	Human Resources Management
Assign the role of data controller to applicable controls. CC ID 00354	Human Resources management	Establish Roles
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources management	Human Resources Management
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Human Resources management	Establish Roles
Assign the role of Information Technology operations to applicable controls. CC ID 00682	Human Resources management	Establish Roles
Assign the role of logical access control to applicable controls. CC ID 00772	Human Resources management	Establish Roles
Assign the role of asset physical security to applicable controls. CC ID 00770	Human Resources management	Establish Roles
Assign the role of data custodian to applicable controls. CC ID 04789	Human Resources management	Establish Roles
Assign the role of the Quality Management committee to applicable controls. CC ID 00769	Human Resources management	Establish Roles
Assign interested personnel to the Quality Management committee. CC ID 07193	Human Resources management	Establish Roles
Assign the roles and responsibilities for the asset management system. CC ID 14368	Human Resources management	Establish/Maintain Documentation
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348	Human Resources management	Establish Roles
Assign the role of fire protection management to applicable controls. CC ID 04891	Human Resources management	Establish Roles
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894	Human Resources management	Establish Roles
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895	Human Resources management	Establish Roles
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723	Human Resources management	Establish Roles
Establish, implement, and maintain a capacity management plan. CC ID 11751	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: The establishment of reasonable current and future technological infrastructure capacity planning estimates; §242.1001(a)(2)(i)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2)]	Operational management	Establish/Maintain Documentation
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266	Operational management	Establish/Maintain Documentation
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955	Operational management	Behavior
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283	Operational management	Establish/Maintain Documentation
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861	Operational management	Acquisition/Sale of Assets or Services
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915	Operational management	Process or Activity
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853	Operational management	Establish/Maintain Documentation
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that: §242.1003(b)(1)]	Operational management	Process or Activity
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809	Operational management	Audits and Risk Management
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523	Operational management	Human Resources Management
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524	Operational management	Human Resources Management
Establish, implement, and maintain a compliance policy. CC ID 14807	Operational management	Establish/Maintain Documentation
Include the standard of conduct and accountability in the compliance policy. CC ID 14813	Operational management	Establish/Maintain Documentation
Include the scope in the compliance policy. CC ID 14812	Operational management	Establish/Maintain Documentation
Include roles and responsibilities in the compliance policy. CC ID 14811	Operational management	Establish/Maintain Documentation
Include a commitment to continual improvement in the compliance policy. CC ID 14810	Operational management	Establish/Maintain Documentation
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809	Operational management	Communicate
Include management commitment in the compliance policy. CC ID 14808	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a governance policy. CC ID 15587	Operational management	Establish/Maintain Documentation
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625	Operational management	Communicate
Include a commitment to continuous improvement in the governance policy. CC ID 15595	Operational management	Establish/Maintain Documentation
Include roles and responsibilities in the governance policy. CC ID 15594	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a positive information control environment. CC ID 00813	Operational management	Business Processes
Make compliance and governance decisions in a timely manner. CC ID 06490	Operational management	Behavior
Establish, implement, and maintain an internal control framework. CC ID 00820 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3)]	Operational management	Establish/Maintain Documentation
Define the scope for the internal control framework. CC ID 16325	Operational management	Business Processes
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437	Operational management	Establish Roles
Assign resources to implement the internal control framework. CC ID 00816	Operational management	Business Processes
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146	Operational management	Establish Roles
Establish, implement, and maintain a baseline of internal controls. CC ID 12415	Operational management	Business Processes
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Operational management	Establish/Maintain Documentation
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Operational management	Establish/Maintain Documentation
Leverage actionable information to support internal controls. CC ID 12414	Operational management	Business Processes
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819	Operational management	Establish/Maintain Documentation
Include continuous service account management procedures in the internal control framework. CC ID 13860	Operational management	Establish/Maintain Documentation
Include threat assessment in the internal control framework. CC ID 01347	Operational management	Establish/Maintain Documentation
Automate threat assessments, as necessary. CC ID 06877	Operational management	Configuration
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102	Operational management	Establish/Maintain Documentation
Automate vulnerability management, as necessary. CC ID 11730	Operational management	Configuration
Include personnel security procedures in the internal control framework. CC ID 01349	Operational management	Establish/Maintain Documentation
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358	Operational management	Establish/Maintain Documentation
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205	Operational management	Establish/Maintain Documentation
Include security information sharing procedures in the internal control framework. CC ID 06489	Operational management	Establish/Maintain Documentation
Share security information with interested personnel and affected parties. CC ID 11732	Operational management	Communicate
Evaluate information sharing partners, as necessary. CC ID 12749	Operational management	Process or Activity
Include security incident response procedures in the internal control framework. CC ID 01359	Operational management	Establish/Maintain Documentation
Include incident response escalation procedures in the internal control framework. CC ID 11745	Operational management	Establish/Maintain Documentation
Include continuous user account management procedures in the internal control framework. CC ID 01360	Operational management	Establish/Maintain Documentation
Authorize and document all exceptions to the internal control framework. CC ID 06781	Operational management	Establish/Maintain Documentation
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229	Operational management	Communicate
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835	Operational management	Communicate
Establish, implement, and maintain a cybersecurity policy. CC ID 16833	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an information security program. CC ID 00812 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. §242.1001(a)(1)]	Operational management	Establish/Maintain Documentation
Include physical safeguards in the information security program. CC ID 12375	Operational management	Establish/Maintain Documentation
Include technical safeguards in the information security program. CC ID 12374	Operational management	Establish/Maintain Documentation
Include administrative safeguards in the information security program. CC ID 12373	Operational management	Establish/Maintain Documentation
Include system development in the information security program. CC ID 12389	Operational management	Establish/Maintain Documentation
Include system maintenance in the information security program. CC ID 12388	Operational management	Establish/Maintain Documentation
Include system acquisition in the information security program. CC ID 12387	Operational management	Establish/Maintain Documentation
Include access control in the information security program. CC ID 12386	Operational management	Establish/Maintain Documentation
Include operations management in the information security program. CC ID 12385 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)]	Operational management	Establish/Maintain Documentation
Include communication management in the information security program. CC ID 12384	Operational management	Establish/Maintain Documentation
Include environmental security in the information security program. CC ID 12383	Operational management	Establish/Maintain Documentation
Include physical security in the information security program. CC ID 12382	Operational management	Establish/Maintain Documentation
Include human resources security in the information security program. CC ID 12381	Operational management	Establish/Maintain Documentation
Include asset management in the information security program. CC ID 12380	Operational management	Establish/Maintain Documentation
Include a continuous monitoring program in the information security program. CC ID 14323	Operational management	Establish/Maintain Documentation
Include change management procedures in the continuous monitoring plan. CC ID 16227	Operational management	Establish/Maintain Documentation
include recovery procedures in the continuous monitoring plan. CC ID 16226	Operational management	Establish/Maintain Documentation
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Operational management	Establish/Maintain Documentation
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Operational management	Establish/Maintain Documentation
Include how the information security department is organized in the information security program. CC ID 12379	Operational management	Establish/Maintain Documentation
Include risk management in the information security program. CC ID 12378	Operational management	Establish/Maintain Documentation
Include mitigating supply chain risks in the information security program. CC ID 13352	Operational management	Establish/Maintain Documentation
Provide management direction and support for the information security program. CC ID 11999	Operational management	Process or Activity
Monitor and review the effectiveness of the information security program. CC ID 12744	Operational management	Monitor and Evaluate Occurrences
Establish, implement, and maintain an information security policy. CC ID 11740	Operational management	Establish/Maintain Documentation
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Operational management	Business Processes
Include business processes in the information security policy. CC ID 16326	Operational management	Establish/Maintain Documentation
Include the information security strategy in the information security policy. CC ID 16125	Operational management	Establish/Maintain Documentation
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Operational management	Establish/Maintain Documentation
Include roles and responsibilities in the information security policy. CC ID 16120	Operational management	Establish/Maintain Documentation
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Operational management	Establish/Maintain Documentation
Include information security objectives in the information security policy. CC ID 13493	Operational management	Establish/Maintain Documentation
Include the use of Cloud Services in the information security policy. CC ID 13146	Operational management	Establish/Maintain Documentation
Include notification procedures in the information security policy. CC ID 16842	Operational management	Establish/Maintain Documentation
Approve the information security policy at the organization's management level or higher. CC ID 11737	Operational management	Process or Activity
Establish, implement, and maintain information security procedures. CC ID 12006	Operational management	Business Processes
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Operational management	Establish/Maintain Documentation
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Operational management	Communicate
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Operational management	Establish/Maintain Documentation
Define thresholds for approving information security activities in the information security program. CC ID 15702	Operational management	Process or Activity
Assign ownership of the information security program to the appropriate role. CC ID 00814	Operational management	Establish Roles
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Operational management	Human Resources Management
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885	Operational management	Establish/Maintain Documentation
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Operational management	Human Resources Management
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739	Operational management	Communicate
Establish, implement, and maintain a social media governance program. CC ID 06536	Operational management	Establish/Maintain Documentation
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Operational management	Business Processes
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Operational management	Business Processes
Refrain from accepting instant messages from unknown senders. CC ID 12537	Operational management	Behavior
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Operational management	Establish/Maintain Documentation
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Operational management	Establish/Maintain Documentation
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain operational control procedures. CC ID 00831	Operational management	Establish/Maintain Documentation
Include assigning and approving operations in operational control procedures. CC ID 06382	Operational management	Establish/Maintain Documentation
Include startup processes in operational control procedures. CC ID 00833	Operational management	Establish/Maintain Documentation
Include change control processes in the operational control procedures. CC ID 16793	Operational management	Establish/Maintain Documentation
Establish and maintain a data processing run manual. CC ID 00832	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Establish/Maintain Documentation
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Operational management	Process or Activity
Include metrics in the standard operating procedures manual. CC ID 14988	Operational management	Establish/Maintain Documentation
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Operational management	Establish/Maintain Documentation
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Operational management	Establish/Maintain Documentation
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Operational management	Establish/Maintain Documentation
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Operational management	Establish/Maintain Documentation
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Operational management	Establish/Maintain Documentation
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Operational management	Establish/Maintain Documentation
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Operational management	Establish/Maintain Documentation
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Operational management	Establish/Maintain Documentation
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Operational management	Establish/Maintain Documentation
Include information on system performance in the standard operating procedures manual. CC ID 14965	Operational management	Establish/Maintain Documentation
Include contact details in the standard operating procedures manual. CC ID 14962	Operational management	Establish/Maintain Documentation
Include information sharing procedures in standard operating procedures. CC ID 12974	Operational management	Records Management
Establish, implement, and maintain information sharing agreements. CC ID 15645	Operational management	Business Processes
Provide support for information sharing activities. CC ID 15644	Operational management	Process or Activity
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Operational management	Business Processes
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Operational management	Communicate
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Operational management	Establish/Maintain Documentation
Establish and maintain a job schedule exceptions list. CC ID 00835	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350	Operational management	Establish/Maintain Documentation
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351	Operational management	Establish/Maintain Documentation
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Operational management	Establish/Maintain Documentation
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Operational management	Establish/Maintain Documentation
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Operational management	Establish/Maintain Documentation
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Operational management	Establish/Maintain Documentation
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Operational management	Establish/Maintain Documentation
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Operational management	Establish/Maintain Documentation
Include asset tags in the Acceptable Use Policy. CC ID 01354	Operational management	Establish/Maintain Documentation
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Operational management	Establish/Maintain Documentation
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Operational management	Establish/Maintain Documentation
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Operational management	Establish/Maintain Documentation
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Operational management	Establish/Maintain Documentation
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Operational management	Technical Security
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Operational management	Establish/Maintain Documentation
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Operational management	Data and Information Management
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Operational management	Establish/Maintain Documentation
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Operational management	Establish/Maintain Documentation
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Operational management	Establish/Maintain Documentation
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Operational management	Establish/Maintain Documentation
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Operational management	Establish/Maintain Documentation
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Operational management	Establish/Maintain Documentation
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Operational management	Establish/Maintain Documentation
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Operational management	Communicate
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Operational management	Establish/Maintain Documentation
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Operational management	Business Processes
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Operational management	Establish/Maintain Documentation
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an e-mail policy. CC ID 06439	Operational management	Establish/Maintain Documentation
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Operational management	Establish/Maintain Documentation
Identify the sender in all electronic messages. CC ID 13996	Operational management	Data and Information Management
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain nondisclosure agreements. CC ID 04536	Operational management	Establish/Maintain Documentation
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Operational management	Communicate
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Operational management	Establish/Maintain Documentation
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a use of information agreement. CC ID 06215	Operational management	Establish/Maintain Documentation
Include use limitations in the use of information agreement. CC ID 06244	Operational management	Establish/Maintain Documentation
Include disclosure requirements in the use of information agreement. CC ID 11735	Operational management	Establish/Maintain Documentation
Include information recipients in the use of information agreement. CC ID 06245	Operational management	Establish/Maintain Documentation
Include reporting out of scope use of information in the use of information agreement. CC ID 06246	Operational management	Establish/Maintain Documentation
Include disclosure of information in the use of information agreement. CC ID 11830	Operational management	Establish/Maintain Documentation
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130	Operational management	Establish/Maintain Documentation
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418	Operational management	Establish/Maintain Documentation
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131	Operational management	Establish/Maintain Documentation
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132	Operational management	Establish/Maintain Documentation
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Business Processes
Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821	Operational management	Process or Activity
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819	Operational management	Process or Activity
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818	Operational management	Process or Activity
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817	Operational management	Process or Activity
Analyze the Governance, Risk, and Compliance approach. CC ID 12816	Operational management	Process or Activity
Analyze the organizational culture. CC ID 12899	Operational management	Process or Activity
Include employee engagement in the analysis of the organizational culture. CC ID 12914	Operational management	Behavior
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674	Operational management	Business Processes
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673	Operational management	Business Processes
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675	Operational management	Business Processes
Include skill development in the analysis of the organizational culture. CC ID 12913	Operational management	Behavior
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912	Operational management	Behavior
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671	Operational management	Business Processes
Include employee loyalty in the analysis of the organizational culture. CC ID 12911	Operational management	Behavior
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910	Operational management	Behavior
Comply with all implemented policies in the organization's compliance framework. CC ID 06384	Operational management	Establish/Maintain Documentation
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788	Operational management	Communicate
Review systems for compliance with organizational information security policies. CC ID 12004	Operational management	Business Processes
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815	Operational management	Behavior
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Business Processes
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)]	Operational management	Establish/Maintain Documentation
Include detection procedures in the Incident Management program. CC ID 00588	Operational management	Establish/Maintain Documentation
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036	Operational management	Data and Information Management
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539	Operational management	Communicate
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538	Operational management	Communicate
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547	Operational management	Establish/Maintain Documentation
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797	Operational management	Communicate
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782	Operational management	Communicate
Include data loss event notifications in the Incident Response program. CC ID 00364	Operational management	Establish/Maintain Documentation
Include required information in the written request to delay the notification to affected parties. CC ID 16785	Operational management	Establish/Maintain Documentation
Submit written requests to delay the notification of affected parties. CC ID 16783	Operational management	Communicate
Revoke the written request to delay the notification. CC ID 16843	Operational management	Process or Activity
Title breach notifications "Notice of Data Breach". CC ID 12977	Operational management	Establish/Maintain Documentation
Display titles of incident response notifications clearly and conspicuously. CC ID 12986	Operational management	Establish/Maintain Documentation
Display headings in incident response notifications clearly and conspicuously. CC ID 12987	Operational management	Establish/Maintain Documentation
Design the incident response notification to call attention to its nature and significance. CC ID 12984	Operational management	Establish/Maintain Documentation
Use plain language to write incident response notifications. CC ID 12976	Operational management	Establish/Maintain Documentation
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983	Operational management	Establish/Maintain Documentation
Refrain from including restricted information in the incident response notification. CC ID 16806	Operational management	Actionable Reports or Measurements
Include the affected parties rights in the incident response notification. CC ID 16811	Operational management	Establish/Maintain Documentation
Include details of the investigation in incident response notifications. CC ID 12296 [When known, promptly further disseminate the following information about such SCI event: A detailed description of the SCI event; §242.1002(c)(1)(ii)(A)]	Operational management	Establish/Maintain Documentation
Include the issuer's name in incident response notifications. CC ID 12062	Operational management	Establish/Maintain Documentation
Include a "What Happened" heading in breach notifications. CC ID 12978	Operational management	Establish/Maintain Documentation
Include a general description of the data loss event in incident response notifications. CC ID 04734 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)]	Operational management	Establish/Maintain Documentation
Include time information in incident response notifications. CC ID 04745	Operational management	Establish/Maintain Documentation
Include the identification of the data source in incident response notifications. CC ID 12305	Operational management	Establish/Maintain Documentation
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979	Operational management	Establish/Maintain Documentation
Include the type of information that was lost in incident response notifications. CC ID 04735	Operational management	Establish/Maintain Documentation
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776	Operational management	Establish/Maintain Documentation
Include a "What We Are Doing" heading in the breach notification. CC ID 12982	Operational management	Establish/Maintain Documentation
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736	Operational management	Establish/Maintain Documentation
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737	Operational management	Establish/Maintain Documentation
Include a "For More Information" heading in breach notifications. CC ID 12981	Operational management	Establish/Maintain Documentation
Include details of the companies and persons involved in incident response notifications. CC ID 12295	Operational management	Establish/Maintain Documentation
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744	Operational management	Establish/Maintain Documentation
Include the reporting individual's contact information in incident response notifications. CC ID 12297	Operational management	Establish/Maintain Documentation
Include any consequences in the incident response notifications. CC ID 12604	Operational management	Establish/Maintain Documentation
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746	Operational management	Establish/Maintain Documentation
Include a "What You Can Do" heading in the breach notification. CC ID 12980	Operational management	Establish/Maintain Documentation
Include contact information in incident response notifications. CC ID 04739	Operational management	Establish/Maintain Documentation
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A copy of any information disseminated pursuant to paragraph (c) of this section by the SCI entity to date regarding the SCI event to any of its members or participants; and §242.1002(b)(4)(ii)(B)]	Operational management	Communicate
Establish, implement, and maintain an Incident Response program. CC ID 00579	Operational management	Establish/Maintain Documentation
Create an incident response report following an incident response. CC ID 12700	Operational management	Establish/Maintain Documentation
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) When known, promptly further disseminate the following information about such SCI event: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and §242.1002(c)(1)(ii)(B) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Establish/Maintain Documentation
Include losses due to the incident in the incident response report. CC ID 12724 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)]	Operational management	Establish/Maintain Documentation
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Establish/Maintain Documentation
Include the scope of the incident in the incident response report. CC ID 12717 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: The system(s) affected by the SCI event; and §242.1002(c)(1)(i)(A) Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)]	Operational management	Establish/Maintain Documentation
Include the duration of the incident in the incident response report. CC ID 12716 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Establish/Maintain Documentation
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C)]	Operational management	Establish/Maintain Documentation
Include where the incident occurred in the incident response report. CC ID 12710 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i)]	Operational management	Establish/Maintain Documentation
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Establish/Maintain Documentation
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)]	Operational management	Establish/Maintain Documentation
Include an executive summary of the incident in the incident response report. CC ID 12702 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: A summary description of the SCI event; and §242.1002(c)(1)(i)(B)]	Operational management	Establish/Maintain Documentation
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event containing the information required in paragraph (b)(4)(ii) of this section, to the extent known at the time. §242.1002(b)(4)(i)(B)(1) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. §242.1002(b)(5)(ii) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: §242.1002(b)(2)]	Operational management	Communicate
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Operational management	Acquisition/Sale of Assets or Services
Mitigate reported incidents. CC ID 12973 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)]	Operational management	Actionable Reports or Measurements
Establish, implement, and maintain an incident response plan. CC ID 12056	Operational management	Establish/Maintain Documentation
Include addressing information sharing in the incident response plan. CC ID 13349 [Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be n style="background-color:#CBD0E5;" class="term_secondary-verb">kept and preserved by it pursuant to paragraphs (b)(1) and (2) of this section §242.1005(b)(3)]	Operational management	Establish/Maintain Documentation
Include incident response team structures in the Incident Response program. CC ID 01237	Operational management	Establish/Maintain Documentation
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652	Operational management	Establish Roles
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Operational management	Establish Roles
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [If an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(A) Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(B)(2)]	Operational management	Actionable Reports or Measurements
Establish, implement, and maintain a change control program. CC ID 00886 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A system of internal controls over changes to SCI systems; §242.1001(b)(2)(ii)]	Operational management	Establish/Maintain Documentation
Include potential consequences of unintended changes in the change control program. CC ID 12243	Operational management	Establish/Maintain Documentation
Include version control in the change control program. CC ID 13119	Operational management	Establish/Maintain Documentation
Include service design and transition in the change control program. CC ID 13920	Operational management	Establish/Maintain Documentation
Separate the production environment from development environment or test environment for the change control process. CC ID 11864	Operational management	Maintenance
Integrate configuration management procedures into the change control program. CC ID 13646	Operational management	Technical Security
Establish, implement, and maintain a back-out plan. CC ID 13623	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373	Operational management	Establish/Maintain Documentation
Manage change requests. CC ID 00887 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Operational management	Business Processes
Include documentation of the impact level of proposed changes in the change request. CC ID 11942	Operational management	Establish/Maintain Documentation
Establish and maintain a change request approver list. CC ID 06795	Operational management	Establish/Maintain Documentation
Document all change requests in change request forms. CC ID 06794	Operational management	Establish/Maintain Documentation
Approve tested change requests. CC ID 11783	Operational management	Data and Information Management
Validate the system before implementing approved changes. CC ID 01510	Operational management	Systems Design, Build, and Implementation
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Operational management	Behavior
Establish, implement, and maintain emergency change procedures. CC ID 00890	Operational management	Establish/Maintain Documentation
Perform emergency changes, as necessary. CC ID 12707	Operational management	Process or Activity
Back up emergency changes after the change has been performed. CC ID 12734	Operational management	Process or Activity
Log emergency changes after they have been performed. CC ID 12733	Operational management	Establish/Maintain Documentation
Perform risk assessments prior to approving change requests. CC ID 00888	Operational management	Testing
Implement changes according to the change control program. CC ID 11776	Operational management	Business Processes
Provide audit trails for all approved changes. CC ID 13120 [Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a patch management program. CC ID 00896	Operational management	Process or Activity
Document the sources of all software updates. CC ID 13316	Operational management	Establish/Maintain Documentation
Implement patch management software, as necessary. CC ID 12094	Operational management	Technical Security
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087	Operational management	Technical Security
Establish, implement, and maintain a patch management policy. CC ID 16432	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain patch management procedures. CC ID 15224	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a patch log. CC ID 01642	Operational management	Establish/Maintain Documentation
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796	Operational management	Business Processes
Establish, implement, and maintain a software release policy. CC ID 00893	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain traceability documentation. CC ID 16388	Operational management	Systems Design, Build, and Implementation
Disseminate and communicate software update information to users and regulators. CC ID 06602	Operational management	Behavior
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809	Operational management	Data and Information Management
Update associated documentation after the system configuration has been changed. CC ID 00891	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain records management policies. CC ID 00903	Records management	Establish/Maintain Documentation
Determine how long to keep records and logs before disposing them. CC ID 11661	Records management	Process or Activity
Retain records in accordance with applicable requirements. CC ID 00968 [Make, keep, and preserve records relating to all such SCI events; and §242.1002(b)(5)(i)]	Records management	Records Management
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)]	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386	Systems design, build, and implementation	Establish/Maintain Documentation
Perform a feasibility study for product requests. CC ID 06895	Systems design, build, and implementation	Acquisition/Sale of Assets or Services
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898	Systems design, build, and implementation	Acquisition/Sale of Assets or Services
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069	Systems design, build, and implementation	Human Resources Management
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045	Systems design, build, and implementation	Establish/Maintain Documentation
Include information security throughout the system development life cycle. CC ID 12042	Systems design, build, and implementation	Systems Design, Build, and Implementation
Protect confidential information during the system development life cycle program. CC ID 13479	Systems design, build, and implementation	Data and Information Management
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469	Systems design, build, and implementation	Communicate
Initiate the System Development Life Cycle planning phase. CC ID 06266	Systems design, build, and implementation	Systems Design, Build, and Implementation
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)]	Systems design, build, and implementation	Establish/Maintain Documentation
Establish, implement, and maintain a security controls definition document. CC ID 01080	Systems design, build, and implementation	Establish/Maintain Documentation
Include identified risks and legal requirements in the security controls definition document. CC ID 11743	Systems design, build, and implementation	Establish/Maintain Documentation
Include naming conventions in system design guidelines. CC ID 13656	Systems design, build, and implementation	Establish/Maintain Documentation
Implement manual override capability into automated systems. CC ID 14921	Systems design, build, and implementation	Systems Design, Build, and Implementation
Define and assign the system development project team roles and responsibilities. CC ID 01061	Systems design, build, and implementation	Establish Roles
Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062	Systems design, build, and implementation	Establish Roles
Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063	Systems design, build, and implementation	Establish Roles
Establish, implement, and maintain a source data collection design specification. CC ID 01070	Systems design, build, and implementation	Establish/Maintain Documentation
Establish and maintain an input requirements definition document. CC ID 01071	Systems design, build, and implementation	Establish/Maintain Documentation
Search for metadata during e-discovery. CC ID 01073	Systems design, build, and implementation	Systems Design, Build, and Implementation
Establish, implement, and maintain security design principles. CC ID 14718	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include reduced complexity of systems or system components in the security design principles. CC ID 14753	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include modularity and layering of systems or system components in the security design principles. CC ID 14750	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include secure evolvability of systems or system components in the security design principles. CC ID 14749	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include continuous protection of systems or system components in the security design principles. CC ID 14748	Systems design, build, and implementation	Establish/Maintain Documentation
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include secure system modification of systems or system components in the security design principles. CC ID 14746	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include clear abstractions of systems or system components in the security design principles. CC ID 14745	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include least privilege of systems or system components in the security design principles. CC ID 14742	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include minimized sharing of systems or system components in the security design principles. CC ID 14741	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include acceptable security of systems or system components in the security design principles. CC ID 14740	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include minimized security elements in systems or system components in the security design principles. CC ID 14739	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include self-analysis of systems or system components in the security design principles. CC ID 14737	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include minimization of systems or system components in the security design principles. CC ID 14733	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include secure defaults in systems or system components in the security design principles. CC ID 14732	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include economic security in systems or system components in the security design principles. CC ID 14730	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include trusted components of systems or system components in the security design principles. CC ID 14729	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include procedural rigor in systems or system components in the security design principles. CC ID 14728	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include performance security of systems or system components in the security design principles. CC ID 14724	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include human factored security in systems or system components in the security design principles. CC ID 14723	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include secure metadata management of systems or system components in the security design principles. CC ID 14722	Systems design, build, and implementation	Systems Design, Build, and Implementation
Include predicate permission of systems or system components in the security design principles. CC ID 14721	Systems design, build, and implementation	Systems Design, Build, and Implementation
Establish, implement, and maintain a system use training plan. CC ID 01089	Systems design, build, and implementation	Establish/Maintain Documentation
Train the affected users during system development life cycle projects. CC ID 01091	Systems design, build, and implementation	Behavior
Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963	Systems design, build, and implementation	Establish/Maintain Documentation
Include the physical design characteristics in the system design specification. CC ID 06927	Systems design, build, and implementation	Establish/Maintain Documentation
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267	Systems design, build, and implementation	Systems Design, Build, and Implementation
Establish, implement, and maintain a system testing policy. CC ID 01102 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)]	Systems design, build, and implementation	Establish/Maintain Documentation
Configure the test environment similar to the production environment. CC ID 06837	Systems design, build, and implementation	Configuration
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473	Systems design, build, and implementation	Communicate
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107	Systems design, build, and implementation	Establish/Maintain Documentation
Return test payment cards after their use. CC ID 06398	Systems design, build, and implementation	Behavior