0003022
17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures
US Congress
Regulation or Statute
Free
17 CFR Part 242
17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures
Not Defined
The document as a whole was last reviewed and released on 2019-09-19T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the quality of the mapping is of the highest degree. Details of the process used to map Authority Documents, and of how to become involved in that process, are available from the UCF Mapping Team.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures, tagged with their primary and secondary nouns and primary and secondary verbs, in four column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), within its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Key: within each cited mandate, tagging marks the Primary Verb, Primary Noun, Secondary Verb, Secondary Noun and Limiting Term; Mandated text is shown in bold, Implied text in italic, and Implementation text in regular type.

| Common Control | TYPE | CLASS |
|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive |
| Integrate the risk management program with the organization's business activities. CC ID 13661 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. §242.1001(b)(2)(iv)] | Business Processes | Preventive |

| Common Control | TYPE | CLASS |
|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive |
| Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Establish Roles | Preventive |
| Define and assign the assessment team's roles and responsibilities. CC ID 08890 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii)] | Business Processes | Preventive |
| Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive |
| Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources Management | Preventive |
| Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive |
| Identify and define all critical roles. CC ID 00777 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Establish Roles | Preventive |
| Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive |
| Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources Management | Preventive |
| Assign the role of security management to applicable controls. CC ID 06444 | Establish Roles | Preventive |
| Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources Management | Preventive |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 | Establish Roles | Preventive |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive |
| Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive |
| Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Establish Roles | Preventive |
| Assign the role of logical access control to applicable controls. CC ID 00772 | Establish Roles | Preventive |
| Assign the role of asset physical security to applicable controls. CC ID 00770 | Establish Roles | Preventive |
| Assign the role of data custodian to applicable controls. CC ID 04789 | Establish Roles | Preventive |
| Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Establish Roles | Preventive |
| Assign interested personnel to the Quality Management committee. CC ID 07193 | Establish Roles | Preventive |
| Assign the roles and responsibilities for the asset management system. CC ID 14368 | Establish/Maintain Documentation | Preventive |
| Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Establish Roles | Preventive |
| Assign the role of fire protection management to applicable controls. CC ID 04891 | Establish Roles | Preventive |
| Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Establish Roles | Preventive |
| Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Establish Roles | Preventive |
| Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Establish Roles | Preventive |

| Common Control | TYPE | CLASS |
|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive |
| Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive |
| Map in scope assets and in scope records to external requirements. CC ID 12189 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. §242.1001(b)(1)] | Establish/Maintain Documentation | Detective |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in §240.17a-1 of this chapter. §242.1005(a) {is accessible} Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and §242.1005(b)(2) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section. §242.1005(c) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1)] | Establish/Maintain Documentation | Preventive |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive |
| Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive |
| Align the Authority Document list with external requirements. CC ID 06288 [For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (a). §242.1001(a)(4)] | Establish/Maintain Documentation | Preventive |

| Common Control | TYPE | CLASS |
|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone |
| Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective |
| Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive |
| Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Monitoring of such systems to identify potential SCI events. §242.1001(a)(2)(vii)] | Monitor and Evaluate Occurrences | Detective |
| Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitor and Evaluate Occurrences | Detective |
| Monitor systems for Denial of Service attacks. CC ID 01222 | Monitor and Evaluate Occurrences | Detective |
| Monitor systems for unauthorized data transfers. CC ID 12971 | Monitor and Evaluate Occurrences | Preventive |
| Address operational anomalies within the incident management system. CC ID 11633 | Audits and Risk Management | Preventive |
| Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitor and Evaluate Occurrences | Detective |
| Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Human Resources Management | Detective |
| Detect unauthorized access to systems. CC ID 06798 | Monitor and Evaluate Occurrences | Detective |
| Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitor and Evaluate Occurrences | Detective |
| Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Audits and Risk Management | Preventive |
| Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitor and Evaluate Occurrences | Detective |
| Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitor and Evaluate Occurrences | Detective |
| Monitor systems for unauthorized mobile code. CC ID 10034 | Monitor and Evaluate Occurrences | Preventive |
| Establish, implement, and maintain a testing program. CC ID 00654 [{internal threat} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; §242.1001(a)(2)(iv) {be efficient} {be timely} {be accurate} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; §242.1001(a)(2)(ii)] | Behavior | Preventive |
| Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Establish/Maintain Documentation | Preventive |
| Conduct Red Team exercises, as necessary. CC ID 12131 | Technical Security | Detective |
| Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Establish/Maintain Documentation | Preventive |
| Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Establish/Maintain Documentation | Preventive |
| Include the scope in the security assessment and authorization policy. CC ID 14220 | Establish/Maintain Documentation | Preventive |
| Include the purpose in the security assessment and authorization policy. CC ID 14219 | Establish/Maintain Documentation | Preventive |
| Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Communicate | Preventive |
| Include management commitment in the security assessment and authorization policy. CC ID 14189 | Establish/Maintain Documentation | Preventive |
| Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Establish/Maintain Documentation | Preventive |
| Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Establish/Maintain Documentation | Preventive |
| Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Communicate | Preventive |
| Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Human Resources Management | Preventive |
| Test security systems and associated security procedures, as necessary. CC ID 11901 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and §242.1003(b)(1)(ii)] | Technical Security | Detective |
| Document improvement actions based on test results and exercises. CC ID 16840 | Establish/Maintain Documentation | Preventive |
| Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Testing | Detective |
| Define the test requirements for each testing program. CC ID 13177 | Establish/Maintain Documentation | Preventive |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive |
| Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive |
| Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive |
| Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive |
| Identify risk management measures when testing in scope systems. CC ID 14960 | Process or Activity | Detective |
| Scan organizational networks for rogue devices. CC ID 00536 | Testing | Detective |
| Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive |
| Scan the network for wireless access points. CC ID 00370 | Testing | Detective |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Establish/Maintain Documentation | Preventive |
| Scan wireless networks for rogue devices. CC ID 11623 | Technical Security | Detective |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Testing | Detective |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Technical Security | Corrective |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitor and Evaluate Occurrences | Corrective |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Configuration | Preventive |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Configuration | Corrective |
| Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive |
| Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive |
| Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive |
| Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive |
| Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective |
| Define the test frequency for each testing program. CC ID 13176 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective |
| Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Establish/Maintain Documentation | Detective |
| Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive |
| Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 | Communicate | Preventive |
| Establish, implement, and maintain a penetration test program. CC ID 01105 | Behavior | Preventive |
| Align the penetration test program with industry standards. CC ID 12469 | Establish/Maintain Documentation | Preventive |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Establish Roles | Preventive |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Testing | Preventive |
| Retain penetration test results according to internal policy. CC ID 10049 | Records Management | Preventive |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 | Records Management | Preventive |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective |
| Perform penetration tests, as necessary. CC ID 00655 [Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and §242.1003(b)(1)(i)] | Testing | Detective |
| Perform internal penetration tests, as necessary. CC ID 12471 | Technical Security | Detective |
| Perform external penetration tests, as necessary. CC ID 12470 | Technical Security | Detective |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 | Testing | Detective |
| Test the system for broken access controls. CC ID 01319 | Testing | Detective |
| Test the system for broken authentication and session management. CC ID 01320 | Testing | Detective |
| Test the system for insecure communications. CC ID 00535 | Testing | Detective |
| Test the system for cross-site scripting attacks. CC ID 01321 | Testing | Detective |
| Test the system for buffer overflows. CC ID 01322 | Testing | Detective |
| Test the system for injection flaws. CC ID 01323 | Testing | Detective |
| Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive |
| Test the system for Denial of Service. CC ID 01326 | Testing | Detective |
| Test the system for insecure configuration management. CC ID 01327 | Testing | Detective |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Testing | Detective |
| Test the system for cross-site request forgery. CC ID 06296 | Testing | Detective |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Technical Security | Detective |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Technical Security | Detective |
| Verify segmentation controls are operational and effective. CC ID 12545 | Audits and Risk Management | Detective |
| Repeat penetration testing, as necessary. CC ID 06860 | Testing | Detective |
| Test the system for covert channels. CC ID 10652 | Testing | Detective |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Technical Security | Detective |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Technical Security | Corrective |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Testing | Detective |
| Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Establish/Maintain Documentation | Preventive |
| Include facilities in the business line testing strategy. CC ID 13253 | Establish/Maintain Documentation | Preventive |
| Include electrical systems in the business line testing strategy. CC ID 13251 | Establish/Maintain Documentation | Preventive |
| Include mechanical systems in the business line testing strategy. CC ID 13250 | Establish/Maintain Documentation | Preventive |
| Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Establish/Maintain Documentation | Preventive |
| Include emergency power supplies in the business line testing strategy. CC ID 13247 | Establish/Maintain Documentation | Preventive |
| Include environmental controls in the business line testing strategy. CC ID 13246 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive |
| Perform vulnerability scans, as necessary. CC ID 11637 | Technical Security | Detective |
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective |
| Identify and document security vulnerabilities. CC ID 11857 | Technical Security | Detective |
| Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective |
| Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Technical Security | Corrective |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective |
| Test the system for unvalidated input. CC ID 01318 | Testing | Detective |
| Test the system for proper error handling. CC ID 01324 | Testing | Detective |
| Test the system for insecure data storage. CC ID 01325 | Testing | Detective |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective |
| Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive |
| Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive |
| Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Technical Security | Preventive |
| Test the system for insecure cryptographic storage. CC ID 11635 | Technical Security | Detective |
| Perform self-tests on cryptographic modules within the system. CC ID 06537 | Testing | Detective |
| Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Testing | Detective |
| Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Testing | Detective |
| Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Configuration | Detective |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Technical Security | Corrective |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective |
| Recommend mitigation techniques based on penetration test results. CC ID 04881 | Establish/Maintain Documentation | Corrective |
| Correct or mitigate vulnerabilities. CC ID 12497 | Technical Security | Corrective |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive |
| Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Actionable Reports or Measurements | Detective |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and §242.1003(b)(2) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. §242.1003(b)(3)] | Actionable Reports or Measurements | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Establish/Maintain Documentation | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Systems Continuity | Detective | |
Include network security in the scope of the continuity framework. CC ID 16327 | Establish/Maintain Documentation | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Establish/Maintain Documentation | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Records Management | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 | Establish/Maintain Documentation | Preventive | |
Include business units in the scope of the continuity framework. CC ID 11898 | Establish/Maintain Documentation | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Establish/Maintain Documentation | Preventive | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 | Systems Continuity | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Systems Continuity | Preventive | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Establish/Maintain Documentation | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Establish/Maintain Documentation | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Establish/Maintain Documentation | Preventive | |
Include Quality Management in the continuity framework. CC ID 12239 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 | Establish/Maintain Documentation | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 | Establish/Maintain Documentation | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 | Establish Roles | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Systems Continuity | Preventive | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Establish/Maintain Documentation | Preventive | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Systems Continuity | Corrective | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Monitor and Evaluate Occurrences | Detective | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Communicate | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Include the protection of personnel in the continuity plan. CC ID 06378 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{business continuity plan} {disaster recovery plan} {is necessary} Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; §242.1004 ¶ 1(a)] | Establish/Maintain Documentation | Detective | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Human Resources Management | Preventive | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Establish/Maintain Documentation | Preventive | |
Train personnel on the continuity plan. CC ID 00759 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Behavior | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Behavior | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Behavior | Preventive | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Training | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Training | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Training | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Training | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Testing | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Testing | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Testing | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Testing | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Testing | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Testing | Detective | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [{business continuity plan} {disaster recovery plan} Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. §242.1004 ¶ 1(c)] | Testing | Preventive | |
Review all third parties' continuity plan test results. CC ID 01365 | Testing | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Actionable Reports or Measurements | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Testing | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: The establishment of reasonable current and future technological infrastructure capacity planning estimates; §242.1001(a)(2)(i)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Behavior | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Establish/Maintain Documentation | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that: §242.1003(b)(1)] | Process or Activity | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Human Resources Management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3)] | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. §242.1001(a)(1)] | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)] | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Behavior | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Establish/Maintain Documentation | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
Respond to and triage when an incident is detected. CC ID 06942 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Monitor and Evaluate Occurrences | Detective | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Establish/Maintain Documentation | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Behavior | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Process or Activity | Corrective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a). §242.1003(a)(2) Until resolved, provide regular updates of any information required to be disseminated under paragraphs (c)(1)(i) and (ii) of this section. §242.1002(c)(1)(iii) Until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in paragraph (b)(2)(ii) of this section; §242.1002(b)(3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3)] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Behavior | Corrective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)] | Behavior | Corrective | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Establish/Maintain Documentation | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Establish/Maintain Documentation | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Establish/Maintain Documentation | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Establish/Maintain Documentation | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Establish/Maintain Documentation | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Establish/Maintain Documentation | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Establish/Maintain Documentation | Preventive | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 [When known, promptly further disseminate the following information about such SCI event: A detailed description of the SCI event; §242.1002(c)(1)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Establish/Maintain Documentation | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)] | Establish/Maintain Documentation | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Establish/Maintain Documentation | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Establish/Maintain Documentation | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Establish/Maintain Documentation | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Establish/Maintain Documentation | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Establish/Maintain Documentation | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Establish/Maintain Documentation | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Establish/Maintain Documentation | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Establish/Maintain Documentation | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Establish/Maintain Documentation | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Establish/Maintain Documentation | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Establish/Maintain Documentation | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Establish/Maintain Documentation | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Establish/Maintain Documentation | Detective | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
Include contact information in incident response notifications. CC ID 04739 | Establish/Maintain Documentation | Preventive | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A copy of any information disseminated pursuant to paragraph (c) of this section by the SCI entity to date regarding the SCI event to any of its members or participants; and §242.1002(b)(4)(ii)(B)] | Communicate | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Create an incident response report following an incident response. CC ID 12700 | Establish/Maintain Documentation | Preventive | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) When known, promptly further disseminate the following information about such SCI event: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and §242.1002(c)(1)(ii)(B) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
Include losses due to the incident in the incident response report. CC ID 12724 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)] | Establish/Maintain Documentation | Preventive | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
Include the scope of the incident in the incident response report. CC ID 12717 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: The system(s) affected by the SCI event; and §242.1002(c)(1)(i)(A) Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)] | Establish/Maintain Documentation | Preventive | |
Include the duration of the incident in the incident response report. CC ID 12716 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C)] | Establish/Maintain Documentation | Preventive | |
Include where the incident occurred in the incident response report. CC ID 12710 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i)] | Establish/Maintain Documentation | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Establish/Maintain Documentation | Preventive | |
Include an executive summary of the incident in the incident response report. CC ID 12702 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: A summary description of the SCI event; and §242.1002(c)(1)(i)(B)] | Establish/Maintain Documentation | Preventive | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event containing the information required in paragraph (b)(4)(ii) of this section, to the extent known at the time. §242.1002(b)(4)(i)(B)(1) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. §242.1002(b)(5)(ii) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: §242.1002(b)(2)] | Communicate | Preventive | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Acquisition/Sale of Assets or Services | Preventive | |
Mitigate reported incidents. CC ID 12973 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Establish/Maintain Documentation | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 [Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be | Establish/Maintain Documentation | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Establish Roles | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately; §242.1002(b)(1)] | Communicate | Corrective | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [If an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(A) Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(B)(2)] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A system of internal controls over changes to SCI systems; §242.1001(b)(2)(ii)] | Establish/Maintain Documentation | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Establish/Maintain Documentation | Preventive | |
Include version control in the change control program. CC ID 13119 | Establish/Maintain Documentation | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Establish/Maintain Documentation | Preventive | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Maintenance | Preventive | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Technical Security | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Establish/Maintain Documentation | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Establish/Maintain Documentation | Corrective | |
Manage change requests. CC ID 00887 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Business Processes | Preventive | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Establish/Maintain Documentation | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Establish/Maintain Documentation | Preventive | |
Test proposed changes prior to their approval. CC ID 00548 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: Testing of all SCI systems and any changes to SCI systems prior to implementation; §242.1001(b)(2)(i)] | Testing | Detective | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Business Processes | Detective | |
Approve tested change requests. CC ID 11783 | Data and Information Management | Preventive | |
Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Behavior | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Establish/Maintain Documentation | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Testing | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
Implement changes according to the change control program. CC ID 11776 | Business Processes | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 [Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Technical Security | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Technical Security | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Establish/Maintain Documentation | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Testing | Detective | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Business Processes | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Configuration | Corrective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
Patch software. CC ID 11825 | Technical Security | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Configuration | Corrective | |
Review changes to computer firmware. CC ID 12226 | Testing | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Testing | Detective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Configuration | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Technical Security | Detective | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Behavior | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Data and Information Management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Business Processes | Corrective | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Establish/Maintain Documentation | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Testing | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Testing | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Establish/Maintain Documentation | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Configuration | Detective | |
Document approved configuration deviations. CC ID 08711 | Establish/Maintain Documentation | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [Make, keep, and preserve records relating to all such SCI events; and §242.1002(b)(5)(i)] | Records Management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)] | Systems Design, Build, and Implementation | Preventive | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Establish/Maintain Documentation | Preventive | |
Perform a feasibility study for product requests. CC ID 06895 | Acquisition/Sale of Assets or Services | Preventive | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Human Resources Management | Preventive | |
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Establish/Maintain Documentation | Preventive | |
Include information security throughout the system development life cycle. CC ID 12042 | Systems Design, Build, and Implementation | Preventive | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Data and Information Management | Preventive | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Communicate | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security controls definition document. CC ID 01080 | Establish/Maintain Documentation | Preventive | |
Include identified risks and legal requirements in the security controls definition document. CC ID 11743 | Establish/Maintain Documentation | Preventive | |
Include naming conventions in system design guidelines. CC ID 13656 | Establish/Maintain Documentation | Preventive | |
Implement manual override capability into automated systems. CC ID 14921 | Systems Design, Build, and Implementation | Preventive | |
Define and assign the system development project team roles and responsibilities. CC ID 01061 | Establish Roles | Preventive | |
Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 | Establish Roles | Preventive | |
Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 | Establish Roles | Preventive | |
Restrict system architects from being assigned as Administrators. CC ID 01064 | Testing | Detective | |
Restrict the development team from having access to the production environment. CC ID 01066 | Testing | Detective | |
Redesign business activities to support the system implementation. CC ID 01067 | Systems Design, Build, and Implementation | Corrective | |
Establish, implement, and maintain a source data collection design specification. CC ID 01070 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an input requirements definition document. CC ID 01071 | Establish/Maintain Documentation | Preventive | |
Search for metadata during e-discovery. CC ID 01073 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems Design, Build, and Implementation | Preventive | |
Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems Design, Build, and Implementation | Preventive | |
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems Design, Build, and Implementation | Preventive | |
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems Design, Build, and Implementation | Preventive | |
Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems Design, Build, and Implementation | Preventive | |
Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems Design, Build, and Implementation | Preventive | |
Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Establish/Maintain Documentation | Preventive | |
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems Design, Build, and Implementation | Preventive | |
Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems Design, Build, and Implementation | Preventive | |
Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems Design, Build, and Implementation | Preventive | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems Design, Build, and Implementation | Preventive | |
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems Design, Build, and Implementation | Preventive | |
Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems Design, Build, and Implementation | Preventive | |
Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems Design, Build, and Implementation | Preventive | |
Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems Design, Build, and Implementation | Preventive | |
Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems Design, Build, and Implementation | Preventive | |
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems Design, Build, and Implementation | Preventive | |
Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems Design, Build, and Implementation | Preventive | |
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems Design, Build, and Implementation | Preventive | |
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems Design, Build, and Implementation | Preventive | |
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems Design, Build, and Implementation | Preventive | |
Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems Design, Build, and Implementation | Preventive | |
Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems Design, Build, and Implementation | Preventive | |
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems Design, Build, and Implementation | Preventive | |
Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems Design, Build, and Implementation | Preventive | |
Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems Design, Build, and Implementation | Preventive | |
Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems Design, Build, and Implementation | Preventive | |
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems Design, Build, and Implementation | Preventive | |
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems Design, Build, and Implementation | Preventive | |
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems Design, Build, and Implementation | Preventive | |
Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems Design, Build, and Implementation | Preventive | |
Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems Design, Build, and Implementation | Preventive | |
Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems Design, Build, and Implementation | Preventive | |
Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system use training plan. CC ID 01089 | Establish/Maintain Documentation | Preventive | |
Train the affected users during system development life cycle projects. CC ID 01091 | Behavior | Preventive | |
Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 | Establish/Maintain Documentation | Preventive | |
Include the physical design characteristics in the system design specification. CC ID 06927 | Establish/Maintain Documentation | Preventive | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Testing | Detective | |
Establish, implement, and maintain a system testing policy. CC ID 01102 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)] | Establish/Maintain Documentation | Preventive | |
Configure the test environment similar to the production environment. CC ID 06837 | Configuration | Preventive | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Communicate | Preventive | |
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107 | Establish/Maintain Documentation | Preventive | |
Return test payment cards after their use. CC ID 06398 | Behavior | Preventive | |

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Preventive | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Operational management | Preventive | |
Perform a feasibility study for product requests. CC ID 06895 | Systems design, build, and implementation | Preventive | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Systems design, build, and implementation | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Monitoring and measurement | Detective | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and §242.1003(b)(2) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. §242.1003(b)(3)] | Monitoring and measurement | Corrective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Operational and Systems Continuity | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Mitigate reported incidents. CC ID 12973 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Operational management | Preventive | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [If an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(A) Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(B)(2)] | Operational management | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Preventive | |
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Monitoring and measurement | Preventive | |
Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Detective | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a testing program. CC ID 00654 [{internal threat} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; §242.1001(a)(2)(iv) {be efficient} {be timely} {be accurate} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; §242.1001(a)(2)(ii)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Preventive | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
Train personnel on the continuity plan. CC ID 00759 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Operational and Systems Continuity | Preventive | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Operational and Systems Continuity | Preventive | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Preventive | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Corrective | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)] | Operational management | Corrective | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Preventive | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Preventive | |
Train the affected users during system development life cycle projects. CC ID 01091 | Systems design, build, and implementation | Preventive | |
Return test payment cards after their use. CC ID 06398 | Systems design, build, and implementation | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. §242.1001(b)(2)(iv)] | Audits and risk management | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii)] | Human Resources management | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Manage change requests. CC ID 00887 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Operational management | Preventive | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Detective | |
Implement changes according to the change control program. CC ID 11776 | Operational management | Preventive | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Preventive | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Operational management | Corrective | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Preventive | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Preventive | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Preventive | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Preventive | |
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 | Monitoring and measurement | Preventive | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A copy of any information disseminated pursuant to paragraph (c) of this section by the SCI entity to date regarding the SCI event to any of its members or participants; and §242.1002(b)(4)(ii)(B)] | Operational management | Preventive | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event containing the information required in paragraph (b)(4)(ii) of this section, to the extent known at the time. §242.1002(b)(4)(i)(B)(1) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. §242.1002(b)(5)(ii) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: §242.1002(b)(2)] | Operational management | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately; §242.1002(b)(1)] | Operational management | Corrective | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Systems design, build, and implementation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Monitoring and measurement | Preventive | |
Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Monitoring and measurement | Corrective | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Monitoring and measurement | Detective | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Corrective | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Corrective | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Corrective | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Corrective | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Detective | |
Configure the test environment similar to the production environment. CC ID 06837 | Systems design, build, and implementation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a). §242.1003(a)(2) Until resolved, provide regular updates of any information required to be disseminated under paragraphs (c)(1)(i) and (ii) of this section. §242.1002(c)(1)(iii) Until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in paragraph (b)(2)(ii) of this section; §242.1002(b)(3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3)] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
Approve tested change requests. CC ID 11783 | Operational management | Preventive | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Preventive | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Monitoring and measurement | Preventive | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Human Resources management | Preventive | |
Identify and define all critical roles. CC ID 00777 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Human Resources management | Preventive | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Preventive | |
Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Preventive | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Preventive | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Preventive | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Preventive | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Preventive | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Preventive | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Preventive | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Preventive | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Preventive | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Preventive | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Preventive | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Preventive | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Operational management | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
Define and assign the system development project team roles and responsibilities. CC ID 01061 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 | Systems design, build, and implementation | Preventive | |
Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 | Systems design, build, and implementation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. §242.1001(b)(1)] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in §240.17a-1 of this chapter. §242.1005(a) {is accessible} Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and §242.1005(b)(2) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section. §242.1005(c) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1)] | Leadership and high level objectives | Preventive | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 [For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (a). §242.1001(a)(4)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Preventive | |
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Monitoring and measurement | Preventive | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Preventive | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Preventive | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Preventive | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Preventive | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Preventive | |
Define the test requirements for each testing program. CC ID 13177 | Monitoring and measurement | Preventive | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Preventive | |
Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Preventive | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Preventive | |
Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Preventive | |
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Preventive | |
Align the penetration test program with industry standards. CC ID 12469 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Preventive | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Preventive | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Preventive | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Preventive | |
Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Preventive | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Preventive | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Preventive | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Operational and Systems Continuity | Preventive | |
Establish and maintain the scope of the continuity framework. CC ID 11908 | Operational and Systems Continuity | Preventive | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Preventive | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Operational and Systems Continuity | Preventive | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 | Operational and Systems Continuity | Preventive | |
Include business units in the scope of the continuity framework. CC ID 11898 | Operational and Systems Continuity | Preventive | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Preventive | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Operational and Systems Continuity | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Preventive | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Preventive | |
Include Quality Management in the continuity framework. CC ID 12239 | Operational and Systems Continuity | Preventive | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 | Operational and Systems Continuity | Preventive | |
Define the executive vision of the continuity planning process. CC ID 01243 | Operational and Systems Continuity | Preventive | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Operational and Systems Continuity | Preventive | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{business continuity plan} {disaster recovery plan} {is necessary} Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; §242.1004 ¶ 1(a)] | Operational and Systems Continuity | Detective | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Preventive | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Preventive | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Preventive | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 | Operational management | Preventive | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: The establishment of reasonable current and future technological infrastructure capacity planning estimates; §242.1001(a)(2)(i)] | Operational management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2)] | Operational management | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3)] | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. §242.1001(a)(1)] | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)] | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Detective | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
Include information required by law in incident response notifications. CC ID 00802 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Detective | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Preventive | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Preventive | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Preventive | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Preventive | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Preventive | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Preventive | |
Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
Include details of the investigation in incident response notifications. CC ID 12296 [When known, promptly further disseminate the following information about such SCI event: A detailed description of the SCI event; §242.1002(c)(1)(ii)(A)] | Operational management | Preventive | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Preventive | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)] | Operational management | Preventive | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Preventive | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Preventive | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Preventive | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Preventive | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Preventive | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Preventive | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Preventive | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Preventive | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Preventive | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Preventive | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Preventive | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Preventive | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Preventive | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Detective | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Create an incident response report following an incident response. CC ID 12700 | Operational management | Preventive | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) When known, promptly further disseminate the following information about such SCI event: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and §242.1002(c)(1)(ii)(B) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Preventive | |
Include losses due to the incident in the incident response report. CC ID 12724 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)] | Operational management | Preventive | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Preventive | |
Include the scope of the incident in the incident response report. CC ID 12717 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: The system(s) affected by the SCI event; and §242.1002(c)(1)(i)(A) Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)] | Operational management | Preventive | |
Include the duration of the incident in the incident response report. CC ID 12716 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Preventive | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C)] | Operational management | Preventive | |
Include where the incident occurred in the incident response report. CC ID 12710 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i)] | Operational management | Preventive | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Preventive | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Preventive | |
Include an executive summary of the incident in the incident response report. CC ID 12702 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: A summary description of the SCI event; and §242.1002(c)(1)(i)(B)] | Operational management | Preventive | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Preventive | |
Include addressing information sharing in the incident response plan. CC ID 13349 [Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be | Operational management | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A system of internal controls over changes to SCI systems; §242.1001(b)(2)(ii)] | Operational management | Preventive | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Operational management | Preventive | |
Include version control in the change control program. CC ID 13119 | Operational management | Preventive | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Preventive | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Preventive | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Preventive | |
Approve back-out plans, as necessary. CC ID 13627 | Operational management | Corrective | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Preventive | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Preventive | |
Document all change requests in change request forms. CC ID 06794 | Operational management | Preventive | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Preventive | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Preventive | |
Provide audit trails for all approved changes. CC ID 13120 [Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Operational management | Preventive | |
Document the sources of all software updates. CC ID 13316 | Operational management | Preventive | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Preventive | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Preventive | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Preventive | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Preventive | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Detective | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Corrective | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Preventive | |
Document approved configuration deviations. CC ID 08711 | Operational management | Corrective | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Preventive | |
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a security controls definition document. CC ID 01080 | Systems design, build, and implementation | Preventive | |
Include identified risks and legal requirements in the security controls definition document. CC ID 11743 | Systems design, build, and implementation | Preventive | |
Include naming conventions in system design guidelines. CC ID 13656 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a source data collection design specification. CC ID 01070 | Systems design, build, and implementation | Preventive | |
Establish and maintain an input requirements definition document. CC ID 01071 | Systems design, build, and implementation | Preventive | |
Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system use training plan. CC ID 01089 | Systems design, build, and implementation | Preventive | |
Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 | Systems design, build, and implementation | Preventive | |
Include the physical design characteristics in the system design specification. CC ID 06927 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system testing policy. CC ID 01102 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107 | Systems design, build, and implementation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Detective | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Preventive | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Preventive | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Preventive | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Preventive | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Systems design, build, and implementation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Detective | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Separate the production environment from the development environment or test environment for the change control process. CC ID 11864 | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Monitoring of such systems to identify potential SCI events. §242.1001(a)(2)(vii)] | Monitoring and measurement | Detective | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Detective | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Detective | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Preventive | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Detective | |
Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Detective | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Detective | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Detective | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Detective | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Preventive | |
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Corrective | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Operational and Systems Continuity | Detective | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
Respond to and triage when an incident is detected. CC ID 06942 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Operational management | Detective | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Detective | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that: §242.1003(b)(1)] | Operational management | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Corrective | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Preventive | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Retain penetration test results according to internal policy. CC ID 10049 | Monitoring and measurement | Preventive | |
Retain penetration test remediation action records according to internal policy. CC ID 11629 | Monitoring and measurement | Preventive | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [Make, keep, and preserve records relating to all such SCI events; and §242.1002(b)(5)(i)] | Records management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Detective | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 | Operational and Systems Continuity | Preventive | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Operational and Systems Continuity | Preventive | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Operational and Systems Continuity | Corrective | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Operational and Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Preventive | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Preventive | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)] | Systems design, build, and implementation | Preventive | |
Include information security throughout the system development life cycle. CC ID 12042 | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Implement manual override capability into automated systems. CC ID 14921 | Systems design, build, and implementation | Preventive | |
Redesign business activities to support the system implementation. CC ID 01067 | Systems design, build, and implementation | Corrective | |
Search for metadata during e-discovery. CC ID 01073 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems design, build, and implementation | Preventive | |
Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems design, build, and implementation | Preventive | |
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems design, build, and implementation | Preventive | |
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems design, build, and implementation | Preventive | |
Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems design, build, and implementation | Preventive | |
Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems design, build, and implementation | Preventive | |
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems design, build, and implementation | Preventive | |
Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems design, build, and implementation | Preventive | |
Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems design, build, and implementation | Preventive | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems design, build, and implementation | Preventive | |
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems design, build, and implementation | Preventive | |
Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems design, build, and implementation | Preventive | |
Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems design, build, and implementation | Preventive | |
Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems design, build, and implementation | Preventive | |
Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems design, build, and implementation | Preventive | |
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems design, build, and implementation | Preventive | |
Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems design, build, and implementation | Preventive | |
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems design, build, and implementation | Preventive | |
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems design, build, and implementation | Preventive | |
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems design, build, and implementation | Preventive | |
Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems design, build, and implementation | Preventive | |
Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems design, build, and implementation | Preventive | |
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems design, build, and implementation | Preventive | |
Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems design, build, and implementation | Preventive | |
Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems design, build, and implementation | Preventive | |
Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems design, build, and implementation | Preventive | |
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems design, build, and implementation | Preventive | |
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems design, build, and implementation | Preventive | |
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems design, build, and implementation | Preventive | |
Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems design, build, and implementation | Preventive | |
Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems design, build, and implementation | Preventive | |
Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems design, build, and implementation | Preventive | |
Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems design, build, and implementation | Preventive | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Detective | |
Test security systems and associated security procedures, as necessary. CC ID 11901 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and §242.1003(b)(1)(ii)] | Monitoring and measurement | Detective | |
Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Detective | |
Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Detective | |
Perform internal penetration tests, as necessary. CC ID 12471 | Monitoring and measurement | Detective | |
Perform external penetration tests, as necessary. CC ID 12470 | Monitoring and measurement | Detective | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Monitoring and measurement | Detective | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Detective | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Detective | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Corrective | |
Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Detective | |
Identify and document security vulnerabilities. CC ID 11857 | Monitoring and measurement | Detective | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Detective | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Corrective | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Monitoring and measurement | Preventive | |
Test the system for insecure cryptographic storage. CC ID 11635 | Monitoring and measurement | Detective | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Monitoring and measurement | Corrective | |
Correct or mitigate vulnerabilities. CC ID 12497 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Corrective | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Preventive | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Preventive | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Preventive | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Detective | |
Patch software. CC ID 11825 | Operational management | Corrective | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Detective | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Preventive | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Preventive | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Preventive | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Preventive | |
Scan organizational networks for rogue devices. CC ID 00536 | Monitoring and measurement | Detective | |
Scan the network for wireless access points. CC ID 00370 | Monitoring and measurement | Detective | |
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Detective | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Preventive | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Monitoring and measurement | Preventive | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Detective | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Corrective | |
Perform penetration tests, as necessary. CC ID 00655 [Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and §242.1003(b)(1)(i)] | Monitoring and measurement | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Monitoring and measurement | Detective | |
Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Detective | |
Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Detective | |
Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Detective | |
Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Detective | |
Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Detective | |
Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Detective | |
Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Detective | |
Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Detective | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Detective | |
Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Detective | |
Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Detective | |
Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Detective | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Detective | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Detective | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Detective | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Detective | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
Perform self-tests on cryptographic modules within the system. CC ID 06537 | Monitoring and measurement | Detective | |
Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Monitoring and measurement | Detective | |
Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Monitoring and measurement | Detective | |
Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Operational and Systems Continuity | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Detective | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [{business continuity plan} {disaster recovery plan} Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. §242.1004 ¶ 1(c)] | Operational and Systems Continuity | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Detective | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Detective | |
Test proposed changes prior to their approval. CC ID 00548 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: Testing of all SCI systems and any changes to SCI systems prior to implementation; §242.1001(b)(2)(i)] | Operational management | Detective | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Operational management | Preventive | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Detective | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Detective | |
Review changes to computer firmware. CC ID 12226 | Operational management | Detective | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Detective | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Detective | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Detective | |
Restrict system architects from being assigned as Administrators. CC ID 01064 | Systems design, build, and implementation | Detective | |
Restrict the development team from having access to the production environment. CC ID 01066 | Systems design, build, and implementation | Detective | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Systems design, build, and implementation | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Preventive | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Preventive | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Preventive | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Preventive |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | TYPE | |
---|---|---|---|
Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Monitoring and measurement | Technical Security | |
Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Monitoring and measurement | Configuration | |
Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Testing | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Technical Security | |
Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Technical Security | |
Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Monitoring and measurement | Technical Security | |
Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Configuration | |
Recommend mitigation techniques based on penetration test results. CC ID 04881 | Monitoring and measurement | Establish/Maintain Documentation | |
Correct or mitigate vulnerabilities. CC ID 12497 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Technical Security | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and §242.1003(b)(2) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. §242.1003(b)(3)] | Monitoring and measurement | Actionable Reports or Measurements | |
Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 | Operational and Systems Continuity | Systems Continuity | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
Respond to all alerts from security systems in a timely manner. CC ID 06434 | Operational management | Behavior | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 | Operational management | Process or Activity | |
Share incident information with interested personnel and affected parties. CC ID 01212 [Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a). §242.1003(a)(2) Until resolved, provide regular updates of any information required to be disseminated under paragraphs (c)(1)(i) and (ii) of this section. §242.1002(c)(1)(iii) Until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in paragraph (b)(2)(ii) of this section; §242.1002(b)(3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3)] | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 | Operational management | Behavior | |
Delay sending incident response notifications under predetermined conditions. CC ID 00804 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)] | Operational management | Behavior | |
Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately; §242.1002(b)(1)] | Operational management | Communicate | |
Approve back-out plans, as necessary. CC ID 13627 | Operational management | Establish/Maintain Documentation | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Configuration | |
Patch software. CC ID 11825 | Operational management | Technical Security | |
Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
Update computer firmware, as necessary. CC ID 11755 | Operational management | Configuration | |
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Configuration | |
Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Operational management | Business Processes | |
Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Establish/Maintain Documentation | |
Document approved configuration deviations. CC ID 08711 | Operational management | Establish/Maintain Documentation | |
Redesign business activities to support the system implementation. CC ID 01067 | Systems design, build, and implementation | Systems Design, Build, and Implementation |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | TYPE | |
---|---|---|---|
Map in scope assets and in scope records to external requirements. CC ID 12189 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. §242.1001(b)(1)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Monitoring of such systems to identify potential SCI events. §242.1001(a)(2)(vii)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for blended attacks and multiple component incidents. CC ID 01225 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for Denial of Service attacks. CC ID 01222 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 | Monitoring and measurement | Human Resources Management | |
Detect unauthorized access to systems. CC ID 06798 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Incorporate potential red flags into the organization's incident management system. CC ID 04652 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Technical Security | |
Test security systems and associated security procedures, as necessary. CC ID 11901 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and §242.1003(b)(1)(ii)] | Monitoring and measurement | Technical Security | |
Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Testing | |
Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Process or Activity | |
Scan organizational networks for rogue devices. CC ID 00536 | Monitoring and measurement | Testing | |
Scan the network for wireless access points. CC ID 00370 | Monitoring and measurement | Testing | |
Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Technical Security | |
Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Testing | |
Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Technical Security | |
Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Monitoring and measurement | Establish/Maintain Documentation | |
Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Testing | |
Perform penetration tests, as necessary. CC ID 00655 [Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and §242.1003(b)(1)(i)] | Monitoring and measurement | Testing | |
Perform internal penetration tests, as necessary. CC ID 12471 | Monitoring and measurement | Technical Security | |
Perform external penetration tests, as necessary. CC ID 12470 | Monitoring and measurement | Technical Security | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Monitoring and measurement | Testing | |
Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Testing | |
Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Testing | |
Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Testing | |
Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Testing | |
Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Testing | |
Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Testing | |
Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Testing | |
Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Testing | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Testing | |
Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Testing | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Monitoring and measurement | Technical Security | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Technical Security | |
Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Audits and Risk Management | |
Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Testing | |
Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Testing | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Technical Security | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Testing | |
Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Testing | |
Identify and document security vulnerabilities. CC ID 11857 | Monitoring and measurement | Technical Security | |
Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Investigate | |
Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Technical Security | |
Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Testing | |
Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Testing | |
Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
Test the system for insecure cryptographic storage. CC ID 11635 | Monitoring and measurement | Technical Security | |
Perform self-tests on cryptographic modules within the system. CC ID 06537 | Monitoring and measurement | Testing | |
Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Monitoring and measurement | Testing | |
Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Monitoring and measurement | Testing | |
Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Monitoring and measurement | Configuration | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Monitoring and measurement | Actionable Reports or Measurements | |
Identify all stakeholders critical to the continuity of operations. CC ID 12741 | Operational and Systems Continuity | Systems Continuity | |
Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 | Operational and Systems Continuity | Systems Continuity | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a critical personnel list. CC ID 00739 [{business continuity plan} {disaster recovery plan} {is necessary} Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; §242.1004 ¶ 1(a)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Testing | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Testing | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Testing | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Testing | |
Review all third parties' continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Testing | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Testing | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Testing | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Testing | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
Respond to and triage when an incident is detected. CC ID 06942 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Operational management | Monitor and Evaluate Occurrences | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 | Operational management | Establish/Maintain Documentation | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Include information required by law in incident response notifications. CC ID 00802 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. §242.1002(c)(3) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Establish/Maintain Documentation | |
Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 | Operational management | Establish/Maintain Documentation | |
Test proposed changes prior to their approval. CC ID 00548 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: Testing of all SCI systems and any changes to SCI systems prior to implementation; §242.1001(b)(2)(i)] | Operational management | Testing | |
Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Business Processes | |
Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
Review the patch log for missing patches. CC ID 13186 | Operational management | Technical Security | |
Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Testing | |
Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Testing | |
Review changes to computer firmware. CC ID 12226 | Operational management | Testing | |
Certify changes to computer firmware are free of malicious logic. CC ID 12227 | Operational management | Testing | |
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 | Operational management | Technical Security | |
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Establish/Maintain Documentation | |
Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Testing | |
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Testing | |
Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Configuration | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Restrict system architects from being assigned as Administrators. CC ID 01064 | Systems design, build, and implementation | Testing | |
Restrict the development team from having access to the production environment. CC ID 01066 | Systems design, build, and implementation | Testing | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 | Systems design, build, and implementation | Testing | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in §240.17a-1 of this chapter. §242.1005(a) {is accessible} Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and §242.1005(b)(2) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section. §242.1005(c) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the Authority Document list with external requirements. CC ID 06288 [For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (a). §242.1001(a)(4)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for unauthorized data transfers. CC ID 12971 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Address operational anomalies within the incident management system. CC ID 11633 | Monitoring and measurement | Audits and Risk Management | |
Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 | Monitoring and measurement | Audits and Risk Management | |
Monitor systems for unauthorized mobile code. CC ID 10034 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a testing program. CC ID 00654 [{internal threat} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; §242.1001(a)(2)(iv) {be efficient} {be timely} {be accurate} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; §242.1001(a)(2)(ii)] | Monitoring and measurement | Behavior | |
Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Monitoring and measurement | Establish/Maintain Documentation | |
Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Communicate | |
Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Establish/Maintain Documentation | |
Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Communicate | |
Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Human Resources Management | |
Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Establish/Maintain Documentation | |
Define the test requirements for each testing program. CC ID 13177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Testing | |
Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Testing | |
Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Testing | |
Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Testing | |
Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Establish/Maintain Documentation | |
Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Establish/Maintain Documentation | |
Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Monitoring and measurement | Configuration | |
Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Establish/Maintain Documentation | |
Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Communicate | |
Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Communicate | |
Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Establish/Maintain Documentation | |
Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Testing | |
Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Behavior | |
Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 | Monitoring and measurement | Communicate | |
Align the penetration test program with industry standards. CC ID 12469 | Monitoring and measurement | Establish/Maintain Documentation | |
Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Monitoring and measurement | Establish Roles | |
Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Monitoring and measurement | Testing | |
Retain penetration test results according to internal policy. CC ID 10049 | Monitoring and measurement | Records Management | |
Retain penetration test remediation action records according to internal policy. CC ID 11629 | Monitoring and measurement | Records Management | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain a business line testing strategy. CC ID 13245 | Monitoring and measurement | Establish/Maintain Documentation | |
Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Establish/Maintain Documentation | |
Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Establish/Maintain Documentation | |
Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Establish/Maintain Documentation | |
Include Heating, Ventilation, and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Establish/Maintain Documentation | |
Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Establish/Maintain Documentation | |
Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Process or Activity | |
Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Establish Roles | |
Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Monitoring and measurement | Technical Security | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Integrate the risk management program with the organization's business activities. CC ID 13661 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. §242.1001(b)(2)(iv)] | Audits and risk management | Business Processes | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity framework. CC ID 00732 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain the scope of the continuity framework. CC ID 11908 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include network security in the scope of the continuity framework. CC ID 16327 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Explain any exclusions to the scope of the continuity framework. CC ID 12236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Refrain from including exclusions that could affect business continuity. CC ID 12740 | Operational and Systems Continuity | Records Management | |
Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include business units in the scope of the continuity framework. CC ID 11898 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include business functions in the scope of the continuity framework. CC ID 12699 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include information security continuity in the scope of the continuity framework. CC ID 12009 | Operational and Systems Continuity | Systems Continuity | |
Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 | Operational and Systems Continuity | Systems Continuity | |
Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a shelter in place plan. CC ID 16260 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Designate safe rooms in the shelter in place plan. CC ID 16276 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include Quality Management in the continuity framework. CC ID 12239 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish and maintain a system continuity plan philosophy. CC ID 00734 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Define the executive vision of the continuity planning process. CC ID 01243 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include a pandemic plan in the continuity plan. CC ID 06800 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 | Operational and Systems Continuity | Establish Roles | |
Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 | Operational and Systems Continuity | Systems Continuity | |
Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 | Operational and Systems Continuity | Communicate | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 [{business continuity plan} Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; §242.1001(a)(2)(v)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the protection of personnel in the continuity plan. CC ID 06378 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify alternate personnel for each person on the critical personnel list. CC ID 12771 | Operational and Systems Continuity | Human Resources Management | |
Define the triggering events for when to activate the pandemic plan. CC ID 06801 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Train personnel on the continuity plan. CC ID 00759 [{business continuity plan} {disaster recovery plan} Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and §242.1004 ¶ 1(b)] | Operational and Systems Continuity | Behavior | |
Utilize automated mechanisms for more realistic continuity plan training. CC ID 01387 | Operational and Systems Continuity | Behavior | |
Incorporate simulated events into the continuity plan training. CC ID 01402 | Operational and Systems Continuity | Behavior | |
Include cross-team coordination in continuity plan training. CC ID 16235 | Operational and Systems Continuity | Training | |
Include stay at home order training in the continuity plan training. CC ID 14382 | Operational and Systems Continuity | Training | |
Include avoiding unnecessary travel in the stay at home order training. CC ID 14388 | Operational and Systems Continuity | Training | |
Include personal protection in continuity plan training. CC ID 14394 | Operational and Systems Continuity | Training | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Testing | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Testing | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Testing | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Testing | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Testing | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 [{business continuity plan} {disaster recovery plan} Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. §242.1004 ¶ 1(c)] | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Operational and Systems Continuity | Actionable Reports or Measurements | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Human Resources management | Establish Roles | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and §242.1001(b)(2)(iii)] | Human Resources management | Business Processes | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Human Resources Management | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Human Resources Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
Identify and define all critical roles. CC ID 00777 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Human Resources management | Establish Roles | |
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Establish Roles | |
Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Human Resources Management | |
Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Establish Roles | |
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Human Resources Management | |
Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Human Resources Management | |
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Human Resources Management | |
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Communicate | |
Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Establish Roles | |
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Establish Roles | |
Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Establish Roles | |
Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Establish Roles | |
Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Establish Roles | |
Assign the role of the Quality Management committee to applicable controls. CC ID 00769 | Human Resources management | Establish Roles | |
Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Establish Roles | |
Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Establish/Maintain Documentation | |
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Establish Roles | |
Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Establish Roles | |
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Establish Roles | |
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Establish Roles | |
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Establish Roles | |
Establish, implement, and maintain a capacity management plan. CC ID 11751 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a capacity planning baseline. CC ID 13492 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: The establishment of reasonable current and future technological infrastructure capacity planning estimates; §242.1001(a)(2)(i)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(a)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(c)(2)] | Operational management | Establish/Maintain Documentation | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Behavior | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Acquisition/Sale of Assets or Services | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Establish/Maintain Documentation | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that: §242.1003(b)(1)] | Operational management | Process or Activity | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Human Resources Management | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. §242.1001(b)(3)] | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 [Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. §242.1001(a)(1)] | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)] | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include incident escalation procedures in the Incident Management program. CC ID 00856 [Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. §242.1001(c)(1)] | Operational management | Establish/Maintain Documentation | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
Title breach notifications "Notice of Data Breach". CC ID 12977 | Operational management | Establish/Maintain Documentation | |
Display titles of incident response notifications clearly and conspicuously. CC ID 12986 | Operational management | Establish/Maintain Documentation | |
Display headings in incident response notifications clearly and conspicuously. CC ID 12987 | Operational management | Establish/Maintain Documentation | |
Design the incident response notification to call attention to its nature and significance. CC ID 12984 | Operational management | Establish/Maintain Documentation | |
Use plain language to write incident response notifications. CC ID 12976 | Operational management | Establish/Maintain Documentation | |
Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 | Operational management | Establish/Maintain Documentation | |
Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
Include the affected parties' rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
Include details of the investigation in incident response notifications. CC ID 12296 [When known, promptly further disseminate the following information about such SCI event: A detailed description of the SCI event; §242.1002(c)(1)(ii)(A)] | Operational management | Establish/Maintain Documentation | |
Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
Include a "What Happened" heading in breach notifications. CC ID 12978 | Operational management | Establish/Maintain Documentation | |
Include a general description of the data loss event in incident response notifications. CC ID 04734 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2)] | Operational management | Establish/Maintain Documentation | |
Include time information in incident response notifications. CC ID 04745 | Operational management | Establish/Maintain Documentation | |
Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 | Operational management | Establish/Maintain Documentation | |
Include the type of information that was lost in incident response notifications. CC ID 04735 | Operational management | Establish/Maintain Documentation | |
Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 | Operational management | Establish/Maintain Documentation | |
Include a "What We Are Doing" heading in the breach notification. CC ID 12982 | Operational management | Establish/Maintain Documentation | |
Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 | Operational management | Establish/Maintain Documentation | |
Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 | Operational management | Establish/Maintain Documentation | |
Include a "For More Information" heading in breach notifications. CC ID 12981 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in incident response notifications. CC ID 12295 | Operational management | Establish/Maintain Documentation | |
Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 | Operational management | Establish/Maintain Documentation | |
Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
Include any consequences in the incident response notifications. CC ID 12604 | Operational management | Establish/Maintain Documentation | |
Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 | Operational management | Establish/Maintain Documentation | |
Include a "What You Can Do" heading in the breach notification. CC ID 12980 | Operational management | Establish/Maintain Documentation | |
Include contact information in incident response notifications. CC ID 04739 | Operational management | Establish/Maintain Documentation | |
Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A copy of any information disseminated pursuant to paragraph (c) of this section by the SCI entity to date regarding the SCI event to any of its members or participants; and §242.1002(b)(4)(ii)(B)] | Operational management | Communicate | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Create an incident response report following an incident response. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
Include the number of customers that were affected by the incident in the incident response report. CC ID 12727 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) When known, promptly further disseminate the following information about such SCI event: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and §242.1002(c)(1)(ii)(B) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Establish/Maintain Documentation | |
Include losses due to the incident in the incident response report. CC ID 12724 [Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)] | Operational management | Establish/Maintain Documentation | |
Include breaches of regulatory requirements due to the incident in the incident response report. CC ID 12719 [Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Establish/Maintain Documentation | |
Include the scope of the incident in the incident response report. CC ID 12717 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: The system(s) affected by the SCI event; and §242.1002(c)(1)(i)(A) Written notifications required by paragraph (b)(4)(i) of this section shall include: An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. §242.1002(b)(4)(ii)(C)] | Operational management | Establish/Maintain Documentation | |
Include the duration of the incident in the incident response report. CC ID 12716 [Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Establish/Maintain Documentation | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C)] | Operational management | Establish/Maintain Documentation | |
Include where the incident occurred in the incident response report. CC ID 12710 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: A description of the SCI event, including the system(s) affected; and §242.1002(b)(2)(i)] | Operational management | Establish/Maintain Documentation | |
Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708 [When known, promptly further disseminate the following information about such SCI event: A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and §242.1002(c)(1)(ii)(C) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. §242.1002(c)(2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(2)(ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; §242.1002(b)(4)(ii)(A)] | Operational management | Establish/Maintain Documentation | |
Include an executive summary of the incident in the incident response report. CC ID 12702 [Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: A summary description of the SCI event; and §242.1002(c)(1)(i)(B)] | Operational management | Establish/Maintain Documentation | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event containing the information required in paragraph (b)(4)(ii) of this section, to the extent known at the time. §242.1002(b)(4)(i)(B)(1) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. §242.1002(b)(5)(ii) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: §242.1002(b)(2)] | Operational management | Communicate | |
Employ tools and mechanisms to support the organization's Incident Response program. CC ID 13182 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Operational management | Acquisition/Sale of Assets or Services | |
Mitigate reported incidents. CC ID 12973 [Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. §242.1002(a)] | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain an incident response plan. CC ID 12056 | Operational management | Establish/Maintain Documentation | |
Include addressing information sharing in the incident response plan. CC ID 13349 [Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be | Operational management | Establish/Maintain Documentation | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Operational management | Establish Roles | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306 [If an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(A) Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. §242.1002(b)(4)(i)(B)(2)] | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain a change control program. CC ID 00886 [Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: A system of internal controls over changes to SCI systems; §242.1001(b)(2)(ii)] | Operational management | Establish/Maintain Documentation | |
Include potential consequences of unintended changes in the change control program. CC ID 12243 | Operational management | Establish/Maintain Documentation | |
Include version control in the change control program. CC ID 13119 | Operational management | Establish/Maintain Documentation | |
Include service design and transition in the change control program. CC ID 13920 | Operational management | Establish/Maintain Documentation | |
Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Operational management | Maintenance | |
Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Technical Security | |
Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Establish/Maintain Documentation | |
Manage change requests. CC ID 00887 [Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Operational management | Business Processes | |
Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a change request approver list. CC ID 06795 | Operational management | Establish/Maintain Documentation | |
Document all change requests in change request forms. CC ID 06794 | Operational management | Establish/Maintain Documentation | |
Approve tested change requests. CC ID 11783 | Operational management | Data and Information Management | |
Validate the system before implementing approved changes. CC ID 01510 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Behavior | |
Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Establish/Maintain Documentation | |
Perform emergency changes, as necessary. CC ID 12707 | Operational management | Process or Activity | |
Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
Log emergency changes after they have been performed. CC ID 12733 | Operational management | Establish/Maintain Documentation | |
Perform risk assessments prior to approving change requests. CC ID 00888 | Operational management | Testing | |
Implement changes according to the change control program. CC ID 11776 | Operational management | Business Processes | |
Provide audit trails for all approved changes. CC ID 13120 [Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; §242.1005(b)(1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. §242.1003(a)(1)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
Document the sources of all software updates. CC ID 13316 | Operational management | Establish/Maintain Documentation | |
Implement patch management software, as necessary. CC ID 12094 | Operational management | Technical Security | |
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Technical Security | |
Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Establish/Maintain Documentation | |
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Business Processes | |
Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Systems Design, Build, and Implementation | |
Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Behavior | |
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Data and Information Management | |
Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [Make, keep, and preserve records relating to all such SCI events; and §242.1002(b)(5)(i)] | Records management | Records Management | |
Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include management commitment to secure development in the System Development Life Cycle program. CC ID 16386 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Perform a feasibility study for product requests. CC ID 06895 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
Prioritize opportunities to improve the product and service lifecycle process. CC ID 06898 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
Assign senior management to approve the cost benefit analysis in the feasibility study. CC ID 13069 | Systems design, build, and implementation | Human Resources Management | |
Update the system design, build, and implementation methodology to incorporate emerging standards. CC ID 07045 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include information security throughout the system development life cycle. CC ID 12042 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Data and Information Management | |
Disseminate and communicate the System Development Life Cycle program to all interested personnel and affected parties. CC ID 15469 | Systems design, build, and implementation | Communicate | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain system design principles and system design guidelines. CC ID 01057 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and §242.1001(a)(2)(vi)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a security controls definition document. CC ID 01080 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include identified risks and legal requirements in the security controls definition document. CC ID 11743 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include naming conventions in system design guidelines. CC ID 13656 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Implement manual override capability into automated systems. CC ID 14921 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Define and assign the system development project team roles and responsibilities. CC ID 01061 | Systems design, build, and implementation | Establish Roles | |
Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties. CC ID 01062 | Systems design, build, and implementation | Establish Roles | |
Disseminate and communicate system development roles and responsibilities to business unit leaders. CC ID 01063 | Systems design, build, and implementation | Establish Roles | |
Establish, implement, and maintain a source data collection design specification. CC ID 01070 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish and maintain an input requirements definition document. CC ID 01071 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Search for metadata during e-discovery. CC ID 01073 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain security design principles. CC ID 14718 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include reduced complexity of systems or system components in the security design principles. CC ID 14753 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include self-reliant trustworthiness of systems or system components in the security design principles. CC ID 14752 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include partially ordered dependencies of systems or system components in the security design principles. CC ID 14751 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include modularity and layering of systems or system components in the security design principles. CC ID 14750 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure evolvability of systems or system components in the security design principles. CC ID 14749 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include continuous protection of systems or system components in the security design principles. CC ID 14748 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include least common mechanisms between systems or system components in the security design principles. CC ID 14747 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure system modification of systems or system components in the security design principles. CC ID 14746 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include clear abstractions of systems or system components in the security design principles. CC ID 14745 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure failure and recovery of systems or system components in the security design principles. CC ID 14744 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include repeatable and documented procedures for systems or system components in the security design principles. CC ID 14743 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include least privilege of systems or system components in the security design principles. CC ID 14742 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include minimized sharing of systems or system components in the security design principles. CC ID 14741 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include acceptable security of systems or system components in the security design principles. CC ID 14740 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include minimized security elements in systems or system components in the security design principles. CC ID 14739 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include hierarchical protection in systems or system components in the security design principles. CC ID 14738 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include self-analysis of systems or system components in the security design principles. CC ID 14737 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include inverse modification thresholds in systems or system components in the security design principles. CC ID 14736 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include efficiently mediated access to systems or system components in the security design principles. CC ID 14735 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure distributed composition of systems or system components in the security design principles. CC ID 14734 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include minimization of systems or system components in the security design principles. CC ID 14733 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure defaults in systems or system components in the security design principles. CC ID 14732 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include trusted communications channels for systems or system components in the security design principles. CC ID 14731 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include economic security in systems or system components in the security design principles. CC ID 14730 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include trusted components of systems or system components in the security design principles. CC ID 14729 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include procedural rigor in systems or system components in the security design principles. CC ID 14728 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include accountability and traceability of systems or system components in the security design principles. CC ID 14727 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include hierarchical trust in systems or system components in the security design principles. CC ID 14726 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include sufficient documentation for systems or system components in the security design principles. CC ID 14725 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include performance security of systems or system components in the security design principles. CC ID 14724 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include human factored security in systems or system components in the security design principles. CC ID 14723 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include secure metadata management of systems or system components in the security design principles. CC ID 14722 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include predicate permission of systems or system components in the security design principles. CC ID 14721 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system use training plan. CC ID 01089 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Train the affected users during system development life cycle projects. CC ID 01091 | Systems design, build, and implementation | Behavior | |
Establish and maintain access rights to the system use training plan based on least privilege. CC ID 06963 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the physical design characteristics in the system design specification. CC ID 06927 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system testing policy. CC ID 01102 [Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: A program to review and keep current systems development and testing methodology for such systems; §242.1001(a)(2)(iii)] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Configure the test environment similar to the production environment. CC ID 06837 | Systems design, build, and implementation | Configuration | |
Disseminate and communicate the system testing policy to interested personnel and affected parties. CC ID 15473 | Systems design, build, and implementation | Communicate | |
Establish, implement, and maintain parallel testing criteria and pilot testing criteria. CC ID 01107 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Return test payment cards after their use. CC ID 06398 | Systems design, build, and implementation | Behavior | |