
Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS



AD ID: 0003700

ORIGINATOR: US Federal Reserve

TYPE: Regulatory Directive or Guidance

AVAILABILITY: Free

SYNONYMS: Federal Reserve Banks Operating Circular No. 5; Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS

EFFECTIVE: 2023-07-01

ADDED: The document as a whole was last reviewed and released on 2024-01-22T00:00:00-0800.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of every Citation we found within Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS, tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the fourth column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS are based upon terms found within the Authority Document's defined terms section (which most legal documents have) or its glossary and, for the most part, upon terms as tagged within each mandate. The terms with links are the standardized versions of the terms.



Common Controls and mandates by Impact Zone

Legend: 127 Mandated Controls (bold), 128 Implied Controls (italic), 1106 Implementation controls (regular).

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
1361 Total
  • Acquisition or sale of facilities, technology, and services
    12
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Business Processes Preventive
    Establish, implement, and maintain payment systems. CC ID 13539 Business Processes Preventive
      [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1]
    Document the business need justification for payment page scripts. CC ID 15480 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 Business Processes Preventive
    Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 Business Processes Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Business Processes Preventive
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Technical Security Preventive
    Restrict transaction activities, as necessary. CC ID 16334 Business Processes Preventive
      [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 Behavior Preventive
      [Notwithstanding any other provision of this Appendix, when a sender or a receiving bank (or a Service Provider) chooses to use one of the Security Procedures, it rejects other Security Procedures, and if any one of the rejected Security Procedures is commercially reasonable for such sender or receiving bank, the sender or receiving bank agrees to be bound by any payment order, whether or not authorized, if it was issued in the sender's or the receiving bank's name and accepted by a Reserve Bank in compliance with the Security Procedure selected, subject to Section 4A-203 of Article 4A of the Uniform Commercial Code. Appendix A 2.3(b)]
    Acquire products or services. CC ID 11450 Acquisition/Sale of Assets or Services Preventive
    Discourage the modification of vendor-supplied software. CC ID 12016 Process or Activity Preventive
      [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)]
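Of the mandates cited in this Impact Zone, Appendix A 2.1(f) (mapped to CC ID 16334 above) is the one that describes a concrete technical check: an instruction may be initiated only from locations the Institution has authorized, and only when more than one person acts, each from a separate device. The Python below is an added example written for this report to show how such a release check behaves, including the failure modes (one person on two devices, two people on one device, a device claiming a location it is not registered at). It is not code from the Federal Reserve, the Reserve Banks or the UCF; the user, device and location registries, the `Approval` record and the `check_release` function are assumptions made for illustration.

```python
"""Dual-control release check for payment instructions.

Added example modelling Appendix A 2.1(f) of Operating Circular No. 5:
instructions may be initiated only from locations the Institution has
authorized, and only when more than one person acts, each from a
separate device. Illustrative code, not Reserve Bank software; the
registries, the Approval record and check_release are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed sample registries (assumed for illustration). A real
# deployment would load these from the Institution's access-control system.
AUTHORIZED_USERS = {"alice", "bob", "carol"}
AUTHORIZED_LOCATIONS = {"ops-center-1", "ops-center-2"}
# device -> location the device is registered at. An approval that claims a
# different location for a registered device is rejected rather than trusted.
AUTHORIZED_DEVICES = {
    "ws-101": "ops-center-1",
    "ws-102": "ops-center-1",
    "ws-201": "ops-center-2",
}


@dataclass(frozen=True)
class Approval:
    """One person's action on one instruction, taken from one device."""
    user: str
    device: str
    location: str
    instruction_id: str


def check_release(instruction_id: str, approvals: Iterable[Approval]) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when every rule holds:
    at least two approvals, all for this instruction, each from a known
    user on a registered device at an authorized location, the device's
    registered location matching the claimed one, and the approvals coming
    from at least two distinct users on at least two distinct devices."""
    approvals = list(approvals)
    if len(approvals) < 2:
        return False, "fewer than two approvals"
    users, devices = set(), set()
    for a in approvals:
        if a.instruction_id != instruction_id:
            return False, f"approval is for a different instruction ({a.instruction_id})"
        if a.user not in AUTHORIZED_USERS:
            return False, f"unknown user {a.user}"
        if a.device not in AUTHORIZED_DEVICES:
            return False, f"unregistered device {a.device}"
        if a.location not in AUTHORIZED_LOCATIONS:
            return False, f"unauthorized location {a.location}"
        if AUTHORIZED_DEVICES[a.device] != a.location:
            return False, f"device {a.device} is not registered at {a.location}"
        users.add(a.user)
        devices.add(a.device)
    # Separation of duties: two approvals from the same person, or from the
    # same workstation, do not satisfy "more than one ... using separate devices".
    if len(users) < 2:
        return False, "approvals are not from two distinct users"
    if len(devices) < 2:
        return False, "approvals are not from separate devices"
    return True, "ok"


if __name__ == "__main__":
    good = [Approval("alice", "ws-101", "ops-center-1", "FW-0001"),
            Approval("bob", "ws-102", "ops-center-1", "FW-0001")]
    print(check_release("FW-0001", good))
    same_person = [good[0], Approval("alice", "ws-102", "ops-center-1", "FW-0001")]
    print(check_release("FW-0001", same_person))
```

The check deliberately derives trust in the claimed location from the device registry rather than from the approval record alone, since the record is supplied by the same endpoint whose location is being verified; binding each device to a registered location is the cheapest way to make requirement (i) hold without a separate network-origin check.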
  • Audits and risk management
    162
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152 Testing Detective
      [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)]
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
      [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2]
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and Risk Management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Actionable Reports or Measurements Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
      [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Audit policies, standards, and procedures. CC ID 12927 Audits and Risk Management Preventive
      [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
      {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2]
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Testing Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
      [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
      [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Determine what disclosures are required in the audit report. CC ID 14888 Establish/Maintain Documentation Detective
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and Risk Management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and Risk Management Preventive
    Include audit subject matter in the audit report. CC ID 14882 Establish/Maintain Documentation Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Establish/Maintain Documentation Preventive
    Identify the audit team members in the audit report. CC ID 15259 Human Resources Management Detective
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
      [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)]
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
      [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A confirmation that the Institution has conducted a Self-Assessment within the time period requested by the Reserve Banks; Appendix A 3.2 ¶ 1(ii)]
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
      [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)]
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and Risk Management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and Risk Management Detective
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Establish/Maintain Documentation Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Establish/Maintain Documentation Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Establish/Maintain Documentation Preventive
      [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)]
    Include risks and opportunities in the audit report. CC ID 16196 Establish/Maintain Documentation Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Establish/Maintain Documentation Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Establish/Maintain Documentation Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Establish/Maintain Documentation Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Establish/Maintain Documentation Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and Risk Management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Establish/Maintain Documentation Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Establish/Maintain Documentation Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155 Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Establish/Maintain Documentation Corrective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Investigate Detective
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, an acknowledgement that the Institution is responsible for its Service Provider's compliance with the Security Requirements; Appendix A 3.2 ¶ 1(iv)]
    Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Human Resources Management Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175
    [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Establish/Maintain Documentation Detective
    Document the results of the gap analysis. CC ID 16271 Establish/Maintain Documentation Preventive
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
  • Human Resources management
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a personnel management program. CC ID 14018 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 Establish/Maintain Documentation Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources Management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Behavior Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4]
    Behavior Preventive
  • Leadership and high level objectives
    32
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain communication protocols. CC ID 12245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    When a Settlement Instruction is issued, the Offline Security Procedure involves a telephone call initiated by an authorized employee of the Settlement Agent followed by the transmission by e-mail or facsimile of a Settlement Instruction signed (in the case of a facsimile) by an authorized employee of the Settlement Agent or sent from the e-mail address of an authorized employee of the Settlement Agent. Appendix A 2.3(c) ¶ 5]
    Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601
    ["Confidential Information" shall include all information, provided in writing, electronically or orally, which is designated by Reserve Bank herein or by other means as "Confidential." All security-related information, including information regarding Access Control Features and security procedures, whether or not it is labeled as "Confidential," is hereby designated as "Confidential," unless a Reserve Bank makes any such information generally available to the public (i.e., places it on its unrestricted public Web site or otherwise publishes it to the general public). Confidential Information contains trade secrets, proprietary information or security information of Reserve Banks or others. Unauthorized disclosure of Confidential Information likely would cause a Reserve Bank immediate and irreparable damage for which there may be no adequate remedy at law. 5.4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Data and Information Management Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement of the Institution's responsibility to adhere to the Security Requirements; Appendix A 3.2 ¶ 1(i)]
    Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
  • Monitoring and measurement
    7
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Configuration Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitor and Evaluate Occurrences Detective
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitor and Evaluate Occurrences Detective
    Detect unauthorized access to systems. CC ID 06798
    [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Monitor and Evaluate Occurrences Detective
  • Operational and Systems Continuity
    88
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Establish/Maintain Documentation Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Systems Continuity Corrective
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Human Resources Management Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Establish/Maintain Documentation Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Establish/Maintain Documentation Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410 Monitor and Evaluate Occurrences Detective
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Record business continuity management system performance for posterity. CC ID 12411 Monitor and Evaluate Occurrences Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709 Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Testing Detective
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Include restoration procedures in the continuity plan. CC ID 01169 Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Testing Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365 Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 Actionable Reports or Measurements Preventive
    Approve the continuity plan test results. CC ID 15718 Systems Continuity Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Testing Detective
  • Operational management
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Establish/Maintain Documentation Preventive
    Define the scope for the internal control framework. CC ID 16325 Business Processes Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Actionable Reports or Measurements Corrective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816 Business Processes Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Communicate Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Establish/Maintain Documentation Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Establish/Maintain Documentation Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Process or Activity Preventive
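    The Appendix A 2.1(f) requirement quoted above (initiation only from locations the Institution has authorized, and action by more than one person using separate devices before any Fedwire or National Settlement Service instruction is released) is one of the few controls in this mapping that translates directly into enforcement logic. The block below is an added illustration written for this page; it is not Reserve Bank, Fedwire or Unified Compliance Framework code. The approval record layout, the user, device and location identifiers, and the sample instruction are all constructed assumptions. It also binds every approval to a digest of the exact instruction being released, a check the circular does not spell out but without which a second approval proves nothing about the payment actually sent.

```python
"""Dual-control gate for outgoing payment instructions.

Constructed illustration only; not Reserve Bank, Fedwire or any vendor code.
It models the Appendix A 2.1(f) control: initiation only from locations the
Institution has authorized, and action by more than one authorized person,
each from a separate device. Every identifier and record layout below is an
assumption made for the example.
"""
import hashlib
import json
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Approval:
    user_id: str           # authorized employee (or Service Provider operator)
    device_id: str         # identity of the workstation or token actually used
    location: str          # site code the approving session originated from
    instruction_hash: str  # digest of the exact instruction the approver saw


def instruction_digest(instruction: dict) -> str:
    """Canonical SHA-256 over the instruction so approvals are bound to
    one specific payment, not to 'a payment' in general."""
    canonical = json.dumps(instruction, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_dual_control(instruction, approvals, authorized_users,
                       authorized_locations):
    """Return (ok, reasons). ok is True only when every rule holds."""
    reasons = []
    expected = instruction_digest(instruction)

    # (1) Each approval must match the instruction actually being released.
    stale = sorted(a.user_id for a in approvals if a.instruction_hash != expected)
    if stale:
        reasons.append(f"approval does not match submitted instruction: {stale}")

    # (2) Only personnel on the Institution's authorized list may act.
    unknown = sorted({a.user_id for a in approvals} - authorized_users)
    if unknown:
        reasons.append(f"user not on authorized list: {unknown}")

    # (3) Initiation only from locations the Institution has authorized.
    offsite = sorted({a.location for a in approvals} - authorized_locations)
    if offsite:
        reasons.append(f"session from unauthorized location: {offsite}")

    # (4) Two different people on two different devices. Counting distinct
    #     users and distinct devices separately would also accept one person
    #     on two devices plus a second person on a shared device; check pairs.
    valid = [a for a in approvals
             if a.instruction_hash == expected
             and a.user_id in authorized_users
             and a.location in authorized_locations]
    separated = any(a.user_id != b.user_id and a.device_id != b.device_id
                    for a, b in combinations(valid, 2))
    if not separated:
        reasons.append("need two distinct users acting from two distinct devices")

    return (not reasons, reasons)


# Constructed sample data (no real institutions, amounts or personnel).
AUTHORIZED_USERS = {"ops.alice", "ops.bob", "ops.carol"}
AUTHORIZED_LOCATIONS = {"HQ-OPS-FLOOR3", "DR-SITE-1"}
WIRE = {"type": "funds_transfer", "amount": "1250000.00",
        "beneficiary": "ACME Corp", "ref": "WIRE-0001"}
DIGEST = instruction_digest(WIRE)


def sample_outcomes():
    """Run the gate over a few scenarios and return {name: released?}."""
    site = "HQ-OPS-FLOOR3"
    good = [Approval("ops.alice", "WS-101", site, DIGEST),
            Approval("ops.bob", "WS-102", site, DIGEST)]
    shared_device = [Approval("ops.alice", "WS-101", site, DIGEST),
                     Approval("ops.bob", "WS-101", site, DIGEST)]
    single_user = [Approval("ops.alice", "WS-101", site, DIGEST),
                   Approval("ops.alice", "WS-102", site, DIGEST)]
    tampered = dict(WIRE, amount="9250000.00")  # second approver saw a different amount
    mismatch = [Approval("ops.alice", "WS-101", site, DIGEST),
                Approval("ops.bob", "WS-102", site, instruction_digest(tampered))]
    offsite = [Approval("ops.alice", "WS-101", site, DIGEST),
               Approval("ops.bob", "LAPTOP-7", "HOME-OFFICE", DIGEST)]
    cases = {"two_users_two_devices": good, "shared_device": shared_device,
             "single_user": single_user, "instruction_mismatch": mismatch,
             "unauthorized_location": offsite}
    return {name: check_dual_control(WIRE, approvals, AUTHORIZED_USERS,
                                     AUTHORIZED_LOCATIONS)[0]
            for name, approvals in cases.items()}


if __name__ == "__main__":
    for name, ok in sample_outcomes().items():
        print(f"{name:24s} {'RELEASE' if ok else 'HOLD'}")
```

    Only the first scenario releases; the others are held with a reason that names the failing rule, which is what an operations reviewer or an auditor checking conformance to 2.1(f) would want logged. In a real deployment the device identity and originating location would come from an authenticated session (for example a hardware-backed credential issued under the Operating Circular 5 process and the network segment the session arrived from), not from fields the approver types in.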
    Monitor and review the effectiveness of the information security program. CC ID 12744 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Process or Activity Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Perform social network analysis, as necessary. CC ID 14864 Investigate Detective
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Business Processes Preventive
    Provide support for information sharing activities. CC ID 15644 Process or Activity Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3]
    Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881
    [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2]
    Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661
    [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [Software includes trade secrets and proprietary information of the Reserve Banks and others, which may be copyrighted or patented, and must be handled in accordance with the requirements applicable to Confidential Information as set forth in Paragraph 5.4. 4.6 ¶ 1]
    Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513
    [{refrain from removing} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: remove any copyright or trademark notice contained in the Software. 4.4 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603
    [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Communicate Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Establish/Maintain Documentation Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Establish/Maintain Documentation Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Establish/Maintain Documentation Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Establish/Maintain Documentation Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Establish/Maintain Documentation Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Establish/Maintain Documentation Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1
    Each Institution must at all times comply with the measures, protections, and requirements established under the Reserve Bank Program described in Section 1.1 of this Appendix A, the Institution Program described in Section 1.2 of this Appendix A, and any applicable Security Procedures (collectively, the "Security Requirements"). Appendix A 3.1 ¶ 1
    In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)]
    Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Establish/Maintain Documentation Preventive
    Define confidentiality controls. CC ID 01908 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Establish/Maintain Documentation Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Process or Activity Preventive
    Define integrity controls. CC ID 01909 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Establish/Maintain Documentation Preventive
    Define availability controls. CC ID 01911 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Establish/Maintain Documentation Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1]
    Behavior Preventive
    Restart systems on a periodic basis. CC ID 16498 Maintenance Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Respond to and triage when an incident is detected. CC ID 06942 Monitor and Evaluate Occurrences Detective
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Process or Activity Corrective
    Contain the incident to prevent further loss. CC ID 01751 Process or Activity Corrective
    Isolate compromised systems from the network. CC ID 01753
    [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)]
    Technical Security Corrective
    Share incident information with interested personnel and affected parties. CC ID 01212
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Include data loss event notifications in the Incident Response program. CC ID 00364 Establish/Maintain Documentation Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement that the Institution must immediately notify the Federal Reserve Banks of any suspected or confirmed fraud, infringement, or security breach relating to any Electronic Connection. Appendix A 3.2 ¶ 1(vi)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)
    In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    {breach notification} Each Institution and any Service Provider shall include within its security breach related notification procedures and processes (e.g., within disaster recovery, hazard, business continuity, cyber security, and other appropriate procedures and processes) the obligation to immediately notify Federal Reserve Financial Services by telephone at (888) 333-7010, with written confirmation via email at ccc.technical.support@kc.frb.org, in the event of a known, suspected, or threatened compromise, cyber event, fraud, malware detection, or other security incident or breach that would render the Electronic Connection vulnerable to misconduct. Appendix A 1.2(c)]
    Communicate Corrective
    Establish, implement, and maintain a change control program. CC ID 00886 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Configuration Corrective
    Patch the operating system, as necessary. CC ID 11824
[An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Technical Security Corrective
  • Physical and environmental protection
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical security plans. CC ID 13307 Establish/Maintain Documentation Preventive
    Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 Establish/Maintain Documentation Preventive
    Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 Establish/Maintain Documentation Preventive
    Conduct external audits of the physical security plan. CC ID 13314 Audits and Risk Management Detective
    Establish, implement, and maintain physical security procedures. CC ID 13076 Establish/Maintain Documentation Preventive
    Analyze and evaluate engineering systems. CC ID 13080 Physical and Environmental Protection Preventive
    Analyze and evaluate facilities and their structural elements. CC ID 13079 Physical and Environmental Protection Preventive
    Analyze and evaluate mechanical systems, as necessary. CC ID 13078 Physical and Environmental Protection Preventive
    Report damaged property to interested personnel and affected parties. CC ID 13702 Communicate Corrective
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Monitor and Evaluate Occurrences Detective
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 Configuration Preventive
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 Configuration Preventive
    Monitor for evidence of when tampering indicators are being identified. CC ID 11905 Monitor and Evaluate Occurrences Detective
    Inspect device surfaces to detect tampering. CC ID 11868 Investigate Detective
    Inspect device surfaces to detect unauthorized substitution. CC ID 11869 Investigate Detective
    Inspect for tampering, as necessary. CC ID 10640 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 Communicate Preventive
    Protect assets from tampering or unapproved substitution. CC ID 11902 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Behavior Preventive
    Protect the facility from crime. CC ID 06347 Physical and Environmental Protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Establish/Maintain Documentation Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Establish/Maintain Documentation Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and Environmental Protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and Environmental Protection Detective
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Technical Security Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Establish/Maintain Documentation Preventive
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and Environmental Protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and Environmental Protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and Environmental Protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and Environmental Protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Establish/Maintain Documentation Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Establish/Maintain Documentation Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Communicate Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Establish/Maintain Documentation Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and Environmental Protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and Environmental Protection Preventive
    Detect anomalies in physical barriers. CC ID 13533 Investigate Detective
    Maintain all security alarm systems. CC ID 11669 Physical and Environmental Protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Establish/Maintain Documentation Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and Environmental Protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and Environmental Protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Establish/Maintain Documentation Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Establish/Maintain Documentation Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and Environmental Protection Preventive
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Testing Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Behavior Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Establish/Maintain Documentation Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Establish/Maintain Documentation Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Establish/Maintain Documentation Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and Environmental Protection Corrective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Establish/Maintain Documentation Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Testing Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Establish/Maintain Documentation Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Behavior Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and Environmental Protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Behavior Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and Environmental Protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Behavior Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Establish/Maintain Documentation Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Process or Activity Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Business Processes Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Establish/Maintain Documentation Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Process or Activity Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Establish/Maintain Documentation Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Establish/Maintain Documentation Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and Environmental Protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Establish/Maintain Documentation Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Establish/Maintain Documentation Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Establish/Maintain Documentation Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Configuration Preventive
    Install emergency doors to permit egress only. CC ID 06688 Configuration Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Configuration Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and Environmental Protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Configuration Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Testing Detective
    Secure unissued access mechanisms. CC ID 06713 Technical Security Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Establish/Maintain Documentation Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Technical Security Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Establish/Maintain Documentation Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Configuration Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Configuration Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Establish/Maintain Documentation Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and Environmental Protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and Environmental Protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and Environmental Protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and Environmental Protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and Environmental Protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and Environmental Protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and Environmental Protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and Environmental Protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and Environmental Protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and Environmental Protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Establish/Maintain Documentation Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and Environmental Protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Establish/Maintain Documentation Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Communicate Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Monitor and Evaluate Occurrences Detective
    Establish and maintain a visitor log. CC ID 00715 Log Management Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Establish/Maintain Documentation Preventive
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Investigate Detective
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Behavior Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Log Management Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Log Management Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Log Management Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Establish/Maintain Documentation Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Establish/Maintain Documentation Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Log Management Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080 Establish/Maintain Documentation Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Log Management Preventive
    Log when the vault is accessed. CC ID 06725 Log Management Detective
    Log when the cabinet is accessed. CC ID 11674 Log Management Detective
    Store facility access logs in off-site storage. CC ID 06958 Log Management Preventive
    Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 Monitor and Evaluate Occurrences Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Monitor and Evaluate Occurrences Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Monitor and Evaluate Occurrences Detective
    Configure video cameras to cover all physical entry points. CC ID 06302 Configuration Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Configuration Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Records Management Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and Environmental Protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Monitor and Evaluate Occurrences Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Establish/Maintain Documentation Preventive
    Build and maintain fencing, as necessary. CC ID 02235 Physical and Environmental Protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and Environmental Protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and Environmental Protection Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Establish Roles Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Establish/Maintain Documentation Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and Environmental Protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Configuration Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Behavior Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Behavior Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Business Processes Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Behavior Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Behavior Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Physical and Environmental Protection Preventive
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Records Management Preventive
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 Log Management Preventive
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Technical Security Preventive
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 Records Management Preventive
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and Environmental Protection Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Business Processes Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Data and Information Management Detective
    Restrict physical access to distributed assets. CC ID 11865
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Physical and Environmental Protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and Environmental Protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and Environmental Protection Preventive
    Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a media protection policy. CC ID 14029 Establish/Maintain Documentation Preventive
    Include compliance requirements in the media protection policy. CC ID 14185 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the media protection policy. CC ID 14184 Establish/Maintain Documentation Preventive
    Include management commitment in the media protection policy. CC ID 14182 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the media protection policy. CC ID 14180 Establish/Maintain Documentation Preventive
    Include the scope in the media protection policy. CC ID 14167 Establish/Maintain Documentation Preventive
    Include the purpose in the media protection policy. CC ID 14166 Establish/Maintain Documentation Preventive
    Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 Communicate Preventive
    Establish, implement, and maintain media protection procedures. CC ID 14062 Establish/Maintain Documentation Preventive
    Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 Communicate Preventive
    Establish, implement, and maintain removable storage media controls. CC ID 06680 Data and Information Management Preventive
    Control access to restricted storage media. CC ID 04889 Data and Information Management Preventive
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and Environmental Protection Preventive
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Records Management Preventive
    Treat archive media as evidence. CC ID 00960 Records Management Preventive
    Log the transfer of removable storage media. CC ID 12322 Log Management Preventive
    Establish, implement, and maintain storage media access control procedures. CC ID 00959 Establish/Maintain Documentation Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Behavior Preventive
    Control the storage of restricted storage media. CC ID 00965 Records Management Preventive
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 Physical and Environmental Protection Preventive
    Protect the combinations for all combination locks. CC ID 02199 Physical and Environmental Protection Preventive
    Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 Establish/Maintain Documentation Preventive
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and Environmental Protection Preventive
    Serialize all removable storage media. CC ID 00949 Configuration Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and Environmental Protection Preventive
    Include Information Technology assets in the asset removal policy. CC ID 13162 Establish/Maintain Documentation Preventive
    Specify the assets to be returned or removed in the asset removal policy. CC ID 13163
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 Communicate Preventive
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 Establish/Maintain Documentation Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Process or Activity Preventive
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 Physical and Environmental Protection Preventive
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681 Physical and Environmental Protection Preventive
    Maintain records of all system components entering and exiting the facility. CC ID 14304 Log Management Preventive
    Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 Technical Security Preventive
    Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 Technical Security Preventive
    Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 Physical and Environmental Protection Preventive
    Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 Physical and Environmental Protection Preventive
    Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 Establish/Maintain Documentation Preventive
    Attach asset location technologies to distributed assets. CC ID 10626 Physical and Environmental Protection Detective
    Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 Physical and Environmental Protection Preventive
    Monitor the location of distributed assets. CC ID 11684 Monitor and Evaluate Occurrences Detective
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Technical Security Corrective
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Process or Activity Corrective
    Unpair missing Bluetooth devices. CC ID 12428 Physical and Environmental Protection Corrective
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a locking screen saver policy. CC ID 06717 Establish/Maintain Documentation Preventive
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Data and Information Management Preventive
    Secure workstations to desks with security cables. CC ID 04724 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a mobile device management program. CC ID 15212 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a mobile device management policy. CC ID 15214 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723 Establish/Maintain Documentation Preventive
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Business Processes Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Establish/Maintain Documentation Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Data and Information Management Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Establish/Maintain Documentation Preventive
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and Environmental Protection Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Establish/Maintain Documentation Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Establish/Maintain Documentation Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Establish/Maintain Documentation Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and Environmental Protection Preventive
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and Environmental Protection Preventive
    Encrypt information stored on mobile devices. CC ID 01422 Data and Information Management Preventive
    Remove dormant systems from the network, as necessary. CC ID 13727 Process or Activity Corrective
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 Physical and Environmental Protection Preventive
    Secure system components from unauthorized viewing. CC ID 01437 Physical and Environmental Protection Preventive
    Establish, implement, and maintain asset return procedures. CC ID 04537
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 Behavior Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679 Behavior Preventive
    Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 Behavior Preventive
    Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 Behavior Preventive
    Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 Behavior Preventive
    Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 Configuration Preventive
    Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 Investigate Detective
    Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 Monitor and Evaluate Occurrences Corrective
    Establish, implement, and maintain open storage container procedures. CC ID 02198 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a clean desk policy. CC ID 06534 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a clear screen policy. CC ID 12436 Technical Security Preventive
    Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 Establish/Maintain Documentation Preventive
    Identify customer property within the organizational facility. CC ID 06612 Physical and Environmental Protection Preventive
    Protect customer property under the care of the organization. CC ID 11685 Physical and Environmental Protection Preventive
    Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 Technical Security Preventive
    Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 Configuration Preventive
    Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 Technical Security Preventive
    Provide storage media shelving capable of bearing all potential loads. CC ID 11400 Physical and Environmental Protection Preventive
    Establish, implement, and maintain proper aircraft security. CC ID 02213 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a vehicle access program. CC ID 02216 Establish/Maintain Documentation Preventive
    Establish parking requirements for vehicles. CC ID 02218 Physical and Environmental Protection Preventive
    Establish, implement, and maintain proper container security. CC ID 02208 Physical and Environmental Protection Preventive
    Inspect the physical integrity of all containers before loading the containers. CC ID 02209 Physical and Environmental Protection Detective
    Lock closable storage containers. CC ID 06307 Physical and Environmental Protection Preventive
    Establish, implement, and maintain returned card procedures. CC ID 13567 Establish/Maintain Documentation Preventive
    Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 Business Processes Preventive
    Establish and maintain the physical security of non-issued payment cards. CC ID 06402 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain payment card disposal procedures. CC ID 16137 Establish/Maintain Documentation Preventive
    Control the issuance of payment cards. CC ID 06403 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a mailing control log. CC ID 16136 Establish/Maintain Documentation Preventive
    Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 Establish Roles Preventive
    Inventory payment cards, as necessary. CC ID 13547 Records Management Preventive
    Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 Physical and Environmental Protection Preventive
    Deliver payment cards to customers using secure methods. CC ID 06405 Physical and Environmental Protection Preventive
    Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 Business Processes Preventive
    Establish, implement, and maintain payment card usage security measures. CC ID 06406 Establish/Maintain Documentation Preventive
    Notify customers about payment card usage security measures. CC ID 06407 Behavior Preventive
    Establish, implement, and maintain payment card disposal procedures. CC ID 16135 Establish/Maintain Documentation Preventive
    Establish and maintain physical security of assets used for publicity. CC ID 06724 Physical and Environmental Protection Preventive
    Install and protect network cabling. CC ID 08624 Physical and Environmental Protection Preventive
    Control physical access to network cables. CC ID 00723 Process or Activity Preventive
    Install and protect fiber optic cable, as necessary. CC ID 08625 Physical and Environmental Protection Preventive
    Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 Physical and Environmental Protection Preventive
    Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 Physical and Environmental Protection Detective
    Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 Physical and Environmental Protection Preventive
    Install network cable in a way that allows ease of inspecting. CC ID 08626 Physical and Environmental Protection Preventive
    Inspect network cabling at distances determined by security classification. CC ID 08644 Physical and Environmental Protection Detective
    Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 Physical and Environmental Protection Preventive
    Establish and maintain security classifications for network cabling. CC ID 08627 Establish/Maintain Documentation Preventive
    Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 Physical and Environmental Protection Preventive
    Label each end of a network cable run. CC ID 08632 Physical and Environmental Protection Preventive
    Terminate approved network cables on the patch panel. CC ID 08633 Physical and Environmental Protection Preventive
    Color code cables in accordance with organizational standards. CC ID 16422 Physical and Environmental Protection Preventive
    Establish and maintain documentation for network cabling schemes. CC ID 08641 Establish/Maintain Documentation Preventive
    Prevent installing network cabling inside walls shared with third parties. CC ID 08648 Physical and Environmental Protection Preventive
    Install network cabling specifically for maintenance purposes. CC ID 10613 Physical and Environmental Protection Preventive
    Install and maintain network jacks and outlet boxes. CC ID 08635 Physical and Environmental Protection Preventive
    Color code outlet boxes in accordance with organizational standards. CC ID 16451 Physical and Environmental Protection Preventive
    Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 Physical and Environmental Protection Preventive
    Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 Physical and Environmental Protection Preventive
    Label network cabling outlet boxes. CC ID 08631 Physical and Environmental Protection Preventive
    Enable network jacks at the patch panel, as necessary. CC ID 06305 Configuration Preventive
    Implement logical controls to enable network jacks, as necessary. CC ID 11934 Physical and Environmental Protection Preventive
    Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 Physical and Environmental Protection Preventive
    Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 Physical and Environmental Protection Preventive
    Install and maintain network patch panels. CC ID 08636 Physical and Environmental Protection Preventive
    Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 Physical and Environmental Protection Preventive
    Assign access to network patch panels on a need to know basis. CC ID 08638 Physical and Environmental Protection Preventive
    Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 Physical and Environmental Protection Preventive
    Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 Physical and Environmental Protection Preventive
    Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 Physical and Environmental Protection Preventive
    Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 Physical and Environmental Protection Preventive
    Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 Physical and Environmental Protection Preventive
  • Privacy protection for information and data
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Data and Information Management Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Establish/Maintain Documentation Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Data and Information Management Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Establish/Maintain Documentation Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Establish/Maintain Documentation Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Establish/Maintain Documentation Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Establish/Maintain Documentation Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Establish/Maintain Documentation Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Establish/Maintain Documentation Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Establish/Maintain Documentation Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Establish/Maintain Documentation Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Establish/Maintain Documentation Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Communicate Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2]
    Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Establish/Maintain Documentation Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Establish/Maintain Documentation Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Records Management Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875
    [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)]
    Monitor and Evaluate Occurrences Corrective
    Establish, implement, and maintain data handling procedures. CC ID 11756
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2]
    Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Communicate Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Data and Information Management Preventive
    Define the organization's liability based on the applicable law. CC ID 00504
    [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2
    An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c)
    Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4
    An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
  • Records management
    22
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Define each system's disposition requirements for records and logs. CC ID 11651 Process or Activity Preventive
    Establish, implement, and maintain records disposition procedures. CC ID 00971 Establish/Maintain Documentation Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Records Management Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Physical and Environmental Protection Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Physical and Environmental Protection Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Data and Information Management Preventive
    Maintain disposal records or redeployment records. CC ID 01644
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the name of the signing officer in the disposal record. CC ID 15710 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966 Data and Information Management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records Management Detective
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
  • System hardening through configuration management
    17
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Configuration Management program. CC ID 00867 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system tracking documentation. CC ID 15266 Establish/Maintain Documentation Preventive
    Include contact information in the system tracking documentation. CC ID 15280
    [The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain network parameter modification procedures. CC ID 01517 Establish/Maintain Documentation Preventive
    Review and restrict network addresses and network protocols. CC ID 01518 Configuration Preventive
    Define the location requirements for network elements and network devices. CC ID 16379
    [{refrain from situating} {unapproved location} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: situate any VPN device used in conjunction with an Electronic Connection in any location other than the Institution's or its Service Provider's premises within the United States or its territories; 4.4 ¶ 1(a)]
    Process or Activity Preventive
    Configure security and protection software according to Organizational Standards. CC ID 11917
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Configuration Preventive
    Configure security and protection software to automatically run at startup. CC ID 12443 Configuration Preventive
    Configure security and protection software to check for up-to-date signature files. CC ID 00576 Testing Detective
    Configure security and protection software to enable automatic updates. CC ID 11945
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Configuration Preventive
    Configure security and protection software to check e-mail messages. CC ID 00578 Testing Preventive
    Configure security and protection software to check e-mail attachments. CC ID 11860 Configuration Preventive
    Configure security and protection software to check for phishing attacks. CC ID 04569 Technical Security Detective
    Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 Configuration Preventive
    Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 Configuration Preventive
  • Systems design, build, and implementation
    20
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain system design requirements. CC ID 06618 Establish/Maintain Documentation Preventive
    Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system requirements specification. CC ID 01035
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Systems Design, Build, and Implementation Preventive
    Include relevant resources needed for the system design project in the system requirements specification. CC ID 01036 Systems Design, Build, and Implementation Detective
    Include system interoperability in the system requirements specification. CC ID 16256 Systems Design, Build, and Implementation Preventive
    Include pertinent legal requirements in the system requirements specification. CC ID 01037 Systems Design, Build, and Implementation Detective
    Include recordkeeping documentation standards in the system requirements specification. CC ID 01038 Records Management Detective
    Include archives and record management standards in the system requirements specification. CC ID 01039 Records Management Detective
    Include privacy requirements in the system requirements specification. CC ID 01040 Systems Design, Build, and Implementation Detective
    Include file format standards in the system requirements specification. CC ID 01041 Records Management Detective
    Include equipment interoperability in the system requirements specification. CC ID 16257 Acquisition/Sale of Assets or Services Preventive
    Include record retention requirements in the system requirements specification. CC ID 01042 Records Management Detective
    Assign senior management to approve functional requirements in the system requirements specification. CC ID 13067 Human Resources Management Preventive
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems Design, Build, and Implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems Design, Build, and Implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems Design, Build, and Implementation Preventive
    Establish and maintain access rights to source code based upon least privilege. CC ID 06962
    [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)]
    Technical Security Preventive
  • Technical security
    304
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain access control policies. CC ID 00512
    [An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include compliance requirements in the access control policy. CC ID 14006 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the access control policy. CC ID 14005 Establish/Maintain Documentation Preventive
    Include management commitment in the access control policy. CC ID 14004 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the access control policy. CC ID 14003 Establish/Maintain Documentation Preventive
    Include the scope in the access control policy. CC ID 14002 Establish/Maintain Documentation Preventive
    Include the purpose in the access control policy. CC ID 14001 Establish/Maintain Documentation Preventive
    Document the business need justification for user accounts. CC ID 15490 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    Enable access control for objects and users on each system. CC ID 04553
    [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Configuration Preventive
    Include all system components in the access control system. CC ID 11939 Technical Security Preventive
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Process or Activity Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical Security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical Security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical Security Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Data and Information Management Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical Security Preventive
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3
    The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    Establish/Maintain Documentation Preventive
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Technical Security Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663 Establish/Maintain Documentation Preventive
    Grant access to authorized personnel or systems. CC ID 12186 Configuration Preventive
    Document approving and granting access in the access control log. CC ID 06786
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3
    The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Communicate Preventive
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053
    [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Communicate Preventive
    Identify and control all network access controls. CC ID 00529
    [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1]
    Technical Security Preventive
    Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 Technical Security Detective
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain network segmentation requirements. CC ID 16380 Establish/Maintain Documentation Preventive
    Enforce the network segmentation requirements. CC ID 16381 Process or Activity Preventive
    Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 Technical Security Preventive
    Establish, implement, and maintain a network security policy. CC ID 06440 Establish/Maintain Documentation Preventive
    Include compliance requirements in the network security policy. CC ID 14205 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the network security policy. CC ID 14204 Establish/Maintain Documentation Preventive
    Include management commitment in the network security policy. CC ID 14203 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the network security policy. CC ID 14202 Establish/Maintain Documentation Preventive
    Include the scope in the network security policy. CC ID 14201 Establish/Maintain Documentation Preventive
    Include the purpose in the network security policy. CC ID 14200 Establish/Maintain Documentation Preventive
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Communicate Preventive
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Communicate Preventive
    Establish, implement, and maintain a wireless networking policy. CC ID 06732 Establish/Maintain Documentation Preventive
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Establish/Maintain Documentation Preventive
    Maintain up-to-date network diagrams. CC ID 00531 Establish/Maintain Documentation Preventive
    Include the date of the most recent update on the network diagram. CC ID 14319 Establish/Maintain Documentation Preventive
    Include virtual systems in the network diagram. CC ID 16324 Data and Information Management Preventive
    Include the organization's name in the network diagram. CC ID 14318 Establish/Maintain Documentation Preventive
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Process or Activity Detective
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Establish/Maintain Documentation Preventive
    Include Domain Name System names in the network diagram. CC ID 16240 Establish/Maintain Documentation Preventive
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Establish/Maintain Documentation Preventive
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Communicate Preventive
    Maintain up-to-date data flow diagrams. CC ID 10059 Establish/Maintain Documentation Preventive
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Process or Activity Detective
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Establish/Maintain Documentation Detective
    Include information flows to third parties in the data flow diagram. CC ID 13185 Establish/Maintain Documentation Preventive
    Document where data-at-rest and data in transit are encrypted on the data flow diagram. CC ID 16412 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Communicate Preventive
    Manage all internal network connections. CC ID 06329 Technical Security Preventive
    Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 Technical Security Preventive
    Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 Technical Security Preventive
    Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 Technical Security Preventive
    Plan for and approve all network changes. CC ID 00534 Technical Security Preventive
    Manage all external network connections. CC ID 11842 Technical Security Preventive
    Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 Technical Security Preventive
    Prohibit systems from connecting directly to external networks. CC ID 08709 Configuration Preventive
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical Security Preventive
    Secure the Domain Name System. CC ID 00540 Configuration Preventive
    Implement a fault-tolerant architecture. CC ID 01626 Technical Security Preventive
    Implement segregation of duties. CC ID 11843 Technical Security Preventive
    Configure the network to limit zone transfers to trusted servers. CC ID 01876 Configuration Preventive
    Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 Testing Detective
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Establish/Maintain Documentation Preventive
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 Technical Security Preventive
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 Communicate Preventive
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical Security Preventive
    Implement gateways between security domains. CC ID 16493 Systems Design, Build, and Implementation Preventive
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical Security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical Security Preventive
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical Security Preventive
    Design Demilitarized Zones with proper isolation rules. CC ID 00532 Technical Security Preventive
    Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 Technical Security Preventive
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Data and Information Management Preventive
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical Security Preventive
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical Security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 Data and Information Management Preventive
    Establish, implement, and maintain a network access control standard. CC ID 00546 Establish/Maintain Documentation Preventive
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Establish Roles Preventive
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical Security Preventive
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical Security Preventive
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 Configuration Preventive
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Configuration Preventive
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Configuration Preventive
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 Technical Security Preventive
    Include configuration management and rulesets in the network access control standard. CC ID 11845 Establish/Maintain Documentation Preventive
    Secure the network access control standard against unauthorized changes. CC ID 11920 Establish/Maintain Documentation Preventive
    Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 Technical Security Preventive
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Configuration Preventive
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 Process or Activity Detective
    Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 Establish/Maintain Documentation Preventive
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 Technical Security Corrective
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 Establish/Maintain Documentation Preventive
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 Establish/Maintain Documentation Preventive
    Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 Establish/Maintain Documentation Preventive
    Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 Establish/Maintain Documentation Preventive
    Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 Establish/Maintain Documentation Preventive
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 Configuration Preventive
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 Establish/Maintain Documentation Preventive
    Configure network ports to organizational standards. CC ID 14007 Configuration Preventive
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Establish/Maintain Documentation Preventive
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Establish/Maintain Documentation Preventive
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 Establish/Maintain Documentation Preventive
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Establish/Maintain Documentation Preventive
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Establish/Maintain Documentation Preventive
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 Configuration Preventive
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 Technical Security Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Configuration Preventive
    Protect data stored at external locations. CC ID 16333 Data and Information Management Preventive
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Configuration Detective
    Protect the firewall's network connection interfaces. CC ID 01955 Technical Security Preventive
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Configuration Preventive
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Configuration Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Configuration Preventive
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Configuration Preventive
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Configuration Preventive
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Configuration Preventive
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Configuration Preventive
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Configuration Preventive
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Configuration Preventive
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Configuration Preventive
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Configuration Preventive
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Configuration Preventive
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Configuration Preventive
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Testing Detective
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical Security Preventive
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical Security Preventive
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Data and Information Management Preventive
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Data and Information Management Preventive
    Synchronize and secure all router configuration files. CC ID 01291 Configuration Preventive
    Synchronize and secure all firewall configuration files. CC ID 11851 Configuration Preventive
    Configure firewalls to generate an audit log. CC ID 12038 Audits and Risk Management Preventive
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Configuration Preventive
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Establish/Maintain Documentation Preventive
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Establish/Maintain Documentation Preventive
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Establish/Maintain Documentation Preventive
    Configure network access and control points to organizational standards. CC ID 12442
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Configuration Detective
    Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 Configuration Preventive
    Update application layer firewalls to the most current version. CC ID 12037 Process or Activity Preventive
    Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 Establish/Maintain Documentation Preventive
    Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 Configuration Preventive
    Remove all unauthorized Wireless Local Area Networks. CC ID 06309 Configuration Preventive
    Establish, implement, and maintain a Voice over Internet Protocol design specification. CC ID 01449 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 Establish/Maintain Documentation Preventive
    Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 Technical Security Preventive
    Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 Configuration Preventive
    Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 Technical Security Preventive
    Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 Configuration Preventive
    Remove all unauthorized wireless access points. CC ID 11856 Configuration Preventive
    Enforce information flow control. CC ID 11781 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Establish/Maintain Documentation Preventive
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Data and Information Management Preventive
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Data and Information Management Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)]
    Establish/Maintain Documentation Preventive
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Data and Information Management Preventive
    Establish, implement, and maintain a document printing policy. CC ID 14384 Establish/Maintain Documentation Preventive
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information flow procedures. CC ID 04542 Establish/Maintain Documentation Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Data and Information Management Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Data and Information Management Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782
    [An Institution or its Service Provider must manage its Electronic Connection(s) so as to permit the Reserve Banks to send data to the Institution or the Service Provider, and to permit the Institution or the Service Provider to receive data from the Reserve Banks, on a timely basis throughout the day. A Reserve Bank is not responsible for any delay in sending data (or for notifying any party of such a delay), if the delay results from the Institution's or its Service Provider's failure to so manage its connection(s), or from any cause other than the Reserve Bank's failure to exercise ordinary care or to act in good faith. The Reserve Bank's records shall be determinative of when data has been received by a Reserve Bank or when a Reserve Bank sends data to, or makes it retrievable by, the Institution or its Service Provider. 5.5(a)]
    Establish/Maintain Documentation Preventive
    Perform content sanitization on data-in-transit. CC ID 16512 Data and Information Management Preventive
    Perform content conversion on data-in-transit. CC ID 16510 Data and Information Management Preventive
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Data and Information Management Preventive
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Data and Information Management Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Data and Information Management Preventive
    Review and approve information exchange system connections. CC ID 07143 Technical Security Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Log Management Preventive
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical Security Preventive
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical Security Preventive
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Establish/Maintain Documentation Preventive
    Revoke membership in the whitelist, as necessary. CC ID 13827 Establish/Maintain Documentation Corrective
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Configuration Preventive
    Block uncategorized sites using URL filtering. CC ID 12140 Technical Security Preventive
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical Security Detective
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Data and Information Management Preventive
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 Establish/Maintain Documentation Preventive
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Behavior Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Technical Security Preventive
    Comply with the encryption laws of the local country. CC ID 16377 Business Processes Preventive
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Establish/Maintain Documentation Preventive
    Define the cryptographic boundaries. CC ID 06543 Establish/Maintain Documentation Preventive
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Establish/Maintain Documentation Preventive
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Establish/Maintain Documentation Preventive
    Implement the documented cryptographic module security functions. CC ID 06755 Data and Information Management Preventive
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Establish/Maintain Documentation Preventive
    Document the operation of the cryptographic module. CC ID 06546 Establish/Maintain Documentation Preventive
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical Security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Data and Information Management Preventive
    Include the expiration date in digital signatures. CC ID 13833 Data and Information Management Preventive
    Include audience restrictions in digital signatures. CC ID 13834 Data and Information Management Preventive
    Include the subject in digital signatures. CC ID 13832 Data and Information Management Preventive
    Include the issuer in digital signatures. CC ID 13831 Data and Information Management Preventive
    Include identifiers in the digital signature. CC ID 13829 Data and Information Management Preventive
    Generate and protect a secret random number for each digital signature. CC ID 06577 Establish/Maintain Documentation Preventive
    Establish the security strength requirements for the digital signature process. CC ID 06578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Establish/Maintain Documentation Preventive
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Configuration Preventive
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Data and Information Management Preventive
    Digitally sign records and data, as necessary. CC ID 16507 Data and Information Management Preventive
    Make key usage for data fields unique for each device. CC ID 04828 Technical Security Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308 Data and Information Management Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Data and Information Management Preventive
    Accept only trusted keys and/or certificates. CC ID 11988 Technical Security Preventive
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Data and Information Management Preventive
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Process or Activity Preventive
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Process or Activity Preventive
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Communicate Preventive
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Process or Activity Preventive
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Data and Information Management Preventive
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Establish/Maintain Documentation Preventive
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Communicate Preventive
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Establish/Maintain Documentation Preventive
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Establish Roles Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Communicate Preventive
    Bind keys to each identity. CC ID 12337 Technical Security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Establish/Maintain Documentation Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Establish/Maintain Documentation Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Data and Information Management Preventive
    Generate strong cryptographic keys. CC ID 01299 Data and Information Management Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical Security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Data and Information Management Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical Security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Data and Information Management Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Data and Information Management Preventive
    Store cryptographic keys securely. CC ID 01298 Data and Information Management Preventive
    Restrict access to cryptographic keys. CC ID 01297 Data and Information Management Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Data and Information Management Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical Security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Establish/Maintain Documentation Preventive
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Data and Information Management Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Data and Information Management Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Data and Information Management Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Data and Information Management Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical Security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Data and Information Management Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Data and Information Management Corrective
    Archive outdated cryptographic keys. CC ID 06884 Data and Information Management Preventive
    Archive revoked cryptographic keys. CC ID 11819 Data and Information Management Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Establish/Maintain Documentation Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Human Resources Management Preventive
    Test cryptographic key management applications, as necessary. CC ID 04829 Testing Detective
    Manage the digital signature cryptographic key pair. CC ID 06576 Data and Information Management Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Establish/Maintain Documentation Preventive
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Establish Roles Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Establish/Maintain Documentation Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Establish/Maintain Documentation Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Establish/Maintain Documentation Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Establish/Maintain Documentation Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Establish/Maintain Documentation Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical Security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical Security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Establish/Maintain Documentation Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Establish/Maintain Documentation Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Establish/Maintain Documentation Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Establish/Maintain Documentation Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical Security Preventive
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Records Management Preventive
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical Security Preventive
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical Security Preventive
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 Technical Security Preventive
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Configuration Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical Security Preventive
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical Security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Establish/Maintain Documentation Preventive
    Implement non-repudiation for transactions. CC ID 00567 Testing Detective
    Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 Technical Security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical Security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical Security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical Security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Establish/Maintain Documentation Preventive
    Install security and protection software, as necessary. CC ID 00575
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Configuration Preventive
    Install and maintain container security solutions. CC ID 16178 Technical Security Preventive
    Scan for malicious code, as necessary. CC ID 11941
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Investigate Detective
    Test all removable storage media for viruses and malicious code. CC ID 11861 Testing Detective
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Testing Detective
    Remove malware when malicious code is discovered. CC ID 13691 Process or Activity Corrective
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Communicate Corrective
  • Third Party and supply chain oversight
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Process or Activity Detective
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Establish/Maintain Documentation Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Establish/Maintain Documentation Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019
    [{be liable} A Reserve Bank's fees relating to Electronic Connections (including, for example, installation support and training) are published separately and are subject to change on thirty (30) calendar days' prior notice. A Reserve Bank charges these fees to the Institution's (or its correspondent's) account on a Reserve Bank's books. By designating a Service Provider, an Institution agrees that the Service Provider may be billed directly by the Reserve Bank for any fees related to the Service Provider's Electronic Connection. Notwithstanding any such direct billing, the Institution shall remain liable for any unpaid fees. 6.1 ¶ 1
    An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Business Processes Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1
    An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)]
    Establish/Maintain Documentation Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517
    [{refrain from encumbering} {refrain from removing} {refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2
    An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c)
    Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include a termination provision clause in third party contracts. CC ID 01367
    [An Institution may terminate its agreement to use Reserve Bank services and/or applications through an Electronic Connection and its agreement to the terms of this Circular by giving not less than thirty (30) calendar days' prior written notice to the Reserve Bank(s) with which it has Electronic Connections. A Reserve Bank may terminate an Institution's or its Service Provider's authority to use an Electronic Connection on similar notice. In addition, a Reserve Bank immediately may terminate an Institution's or its Service Provider's Electronic Connection if the Reserve Bank, in its sole discretion, determines that continued use of the Electronic Connection poses a risk to the Reserve Bank or others, or the Reserve Bank believes that the Institution or its Service Provider is in violation of this Circular. 7.1 ¶ 1]
    Establish/Maintain Documentation Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Establish/Maintain Documentation Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Establish/Maintain Documentation Preventive
    Include termination costs in third party contracts. CC ID 10023 Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1
    In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797 Testing Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Include disclosure requirements in third party contracts. CC ID 08825
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Business Processes Preventive
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637
    [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2
    In addition, before sending a National Settlement Service settlement file to a Reserve Bank, a Settlement Agent must execute a security procedure agreement with the Host Reserve Bank (as defined in Operating Circular 12) in the form attached as Appendix B-1 to Operating Circular 12. Appendix A 2.3(a) ¶ 3]
    Establish/Maintain Documentation Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838
    [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2]
    Process or Activity Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Establish/Maintain Documentation Detective
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Establish Roles Preventive
    Approve all Service Level Agreements. CC ID 00843 Establish/Maintain Documentation Detective
    Track all chargeable items in Service Level Agreements. CC ID 11616 Business Processes Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Establish/Maintain Documentation Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Business Processes Corrective
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Business Processes Detective
    Review third parties' backup policies. CC ID 13043 Systems Continuity Detective
    Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Testing Detective
    Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)]
    Establish/Maintain Documentation Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Process or Activity Detective
    Request attestation of compliance from third parties. CC ID 12067
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
    Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1]
    Establish/Maintain Documentation Detective
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
    {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2]
    Business Processes Detective
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Business Processes Preventive
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 Business Processes Detective
    Document the third parties compliance with the organization's system hardening framework. CC ID 04263
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Technical Security Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Business Processes Preventive
    Establish, implement, and maintain third party reporting requirements. CC ID 13289
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Define timeliness factors for third party reporting requirements. CC ID 13304 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a third party payment system. CC ID 08903
    [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1]
    Business Processes Preventive
    Disclose payments made to third parties. CC ID 08904 Data and Information Management Preventive
    Document payments to third parties. CC ID 08905 Establish/Maintain Documentation Preventive
    Make third party payments freely and proportionate to the furnished services. CC ID 08906 Business Processes Preventive
    Establish a trust to pay for supply chain security forces. CC ID 08907 Business Processes Preventive
    Notify third parties of revenue collection weaknesses. CC ID 08909 Business Processes Preventive
    Avoid cash purchases of supplies from third parties. CC ID 08910 Business Processes Preventive
    Pay third parties through official banking channels. CC ID 08911 Business Processes Preventive
    Disclose payments made to supply chain security forces. CC ID 10031 Data and Information Management Preventive
    Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931
    [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)]
    Business Processes Preventive
    Assign unique reference numbers to all products and their subcomponents. CC ID 08932 Business Processes Preventive
    Implement physical security controls at all supply chain member locations. CC ID 08933 Business Processes Detective
Common Controls and mandates by Type
127 Mandated Controls - bold
128 Implied Controls - italic
1106 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1361 Total
  • Acquisition/Sale of Assets or Services
    3
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular
    Columns: Control text and CC ID | IMPACT ZONE | CLASS
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Preventive
    Include equipment interoperability in the system requirements specification. CC ID 16257 Systems design, build, and implementation Preventive
    Acquire products or services. CC ID 11450 Acquisition or sale of facilities, technology, and services Preventive
  • Actionable Reports or Measurements
    9
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003
    [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)]
    Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 Operational and Systems Continuity Preventive
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Corrective
  • Audits and Risk Management
    17
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Preventive
    Audit policies, standards, and procedures. CC ID 12927
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
    {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2]
    Audits and risk management Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Audits and risk management Detective
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Preventive
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Detective
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
    Configure firewalls to generate an audit log. CC ID 12038 Technical security Preventive
    Conduct external audits of the physical security plan. CC ID 13314 Physical and environmental protection Detective
  • Behavior
    29
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Technical security Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Physical and environmental protection Preventive
    Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 Physical and environmental protection Preventive
    Require the return of all assets upon notification an individual is terminated. CC ID 06679 Physical and environmental protection Preventive
    Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 Physical and environmental protection Preventive
    Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 Physical and environmental protection Preventive
    Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 Physical and environmental protection Preventive
    Notify customers about payment card usage security measures. CC ID 06407 Physical and environmental protection Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Preventive
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4]
    Human Resources management Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1]
    Operational management Preventive
    Share data loss event information with the media. CC ID 01759 Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455
    [Notwithstanding any other provision of this Appendix, when a sender or a receiving bank (or a Service Provider) chooses to use one of the Security Procedures, it rejects other Security Procedures, and if any one of the rejected Security Procedures is commercially reasonable for such sender or receiving bank, the sender or receiving bank agrees to be bound by any payment order, whether or not authorized, if it was issued in the sender's or the receiving bank's name and accepted by a Reserve Bank in compliance with the Security Procedure selected, subject to Section 4A-203 of Article 4A of the Uniform Commercial Code. Appendix A 2.3(b)]
    Acquisition or sale of facilities, technology, and services Preventive
  • Business Processes
    51
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Corrective
    Comply with the encryption laws of the local country. CC ID 16377 Technical security Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Physical and environmental protection Preventive
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Physical and environmental protection Preventive
    Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 Physical and environmental protection Preventive
    Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 Physical and environmental protection Preventive
    Define the scope for the internal control framework. CC ID 16325 Operational management Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Detective
    Assign resources to implement the internal control framework. CC ID 00816 Operational management Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Operational management Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Operational management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain payment systems. CC ID 13539
    [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1]
    Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Preventive
    Restrict transaction activities, as necessary. CC ID 16334
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Acquisition or sale of facilities, technology, and services Preventive
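The two-person, two-device and authorized-location requirements cited above (Appendix A 2.1(f)) translate directly into a release gate on outbound instructions. The following Python is an added illustration and is not code from the Reserve Banks or from the circular; the operator roster, device identifiers, authorized network range and sample instructions are all hypothetical. In a real deployment the user and device identities would be taken from the authenticated session and from the certificate or token bound to the workstation, not from caller-supplied fields.

```python
"""Dual-control release gate for payment instructions.

Added example modelled on Appendix A 2.1(f): initiation only from authorized
locations, and action by two different people on two different devices.
All identifiers, networks and sample data below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical authorized initiation locations (2.1(f)(i)).
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

# Hypothetical roster of personnel entitled to act on instructions.
AUTHORIZED_OPERATORS = {"alice", "bob", "carol"}


@dataclass(frozen=True)
class Approval:
    """One operator's action on an instruction, as recorded by the front end."""
    user_id: str    # authenticated operator identity
    device_id: str  # identifier bound to the workstation (e.g. certificate serial)
    source_ip: str  # address the action arrived from


@dataclass
class Instruction:
    ref: str
    amount_cents: int
    approvals: list = field(default_factory=list)


def release_decision(instr: Instruction) -> tuple:
    """Return (allowed, reason).

    The instruction is releasable only when at least two approvals exist,
    every approver is on the roster and acted from an authorized location,
    and the approvals come from two distinct operators on two distinct
    devices (2.1(f)(ii)). Checks are ordered so the first failure is reported.
    """
    if len(instr.approvals) < 2:
        return False, "fewer than two approvals"
    for a in instr.approvals:
        if a.user_id not in AUTHORIZED_OPERATORS:
            return False, f"{a.user_id} is not an authorized operator"
        ip = ipaddress.ip_address(a.source_ip)
        if not any(ip in net for net in AUTHORIZED_NETWORKS):
            return False, f"approval from unauthorized location {a.source_ip}"
    users = {a.user_id for a in instr.approvals}
    devices = {a.device_id for a in instr.approvals}
    if len(users) < 2:
        return False, "same operator supplied every approval"
    if len(devices) < 2:
        return False, "same device supplied every approval"
    return True, "dual control satisfied"


def demo() -> dict:
    """Constructed sample instructions exercising each failure mode."""
    ok = Instruction("W-1", 250_000_00, [
        Approval("alice", "dev-A", "10.20.30.11"),
        Approval("bob", "dev-B", "10.20.30.12"),
    ])
    same_user = Instruction("W-2", 1_000_00, [
        Approval("alice", "dev-A", "10.20.30.11"),
        Approval("alice", "dev-B", "10.20.30.12"),
    ])
    same_device = Instruction("W-3", 1_000_00, [
        Approval("alice", "dev-A", "10.20.30.11"),
        Approval("bob", "dev-A", "10.20.30.11"),
    ])
    offsite = Instruction("W-4", 1_000_00, [
        Approval("alice", "dev-A", "10.20.30.11"),
        Approval("bob", "dev-B", "203.0.113.5"),
    ])
    return {i.ref: release_decision(i) for i in (ok, same_user, same_device, offsite)}


if __name__ == "__main__":
    for ref, (allowed, why) in demo().items():
        print(ref, "RELEASE" if allowed else "HOLD", why)
```

The device check matters as much as the user check: two operator logins from the same compromised workstation satisfy a naive two-person rule but not the circular's "separate devices" wording, which is why the gate compares device identities independently of user identities.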
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Preventive
    Include disclosure requirements in third party contracts. CC ID 08825
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Preventive
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Corrective
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Preventive
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Third Party and supply chain oversight Detective
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
    {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2]
    Third Party and supply chain oversight Detective
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Third Party and supply chain oversight Preventive
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 Third Party and supply chain oversight Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a third party payment system. CC ID 08903
    [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1]
    Third Party and supply chain oversight Preventive
    Make third party payments freely and proportionate to the furnished services. CC ID 08906 Third Party and supply chain oversight Preventive
    Establish a trust to pay for supply chain security forces. CC ID 08907 Third Party and supply chain oversight Preventive
    Notify third parties of revenue collection weaknesses. CC ID 08909 Third Party and supply chain oversight Preventive
    Avoid cash purchases of supplies from third parties. CC ID 08910 Third Party and supply chain oversight Preventive
    Pay third parties through official banking channels. CC ID 08911 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931
    [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)]
    Third Party and supply chain oversight Preventive
    Assign unique reference numbers to all products and their subcomponents. CC ID 08932 Third Party and supply chain oversight Preventive
    Implement physical security controls at all supply chain member locations. CC ID 08933 Third Party and supply chain oversight Detective
  • Communicate
    42
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Preventive
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Preventive
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Technical security Preventive
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Technical security Preventive
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Technical security Preventive
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Technical security Preventive
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Technical security Preventive
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 Technical security Preventive
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Technical security Preventive
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Technical security Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Preventive
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Technical security Corrective
    Report damaged property to interested personnel and affected parties. CC ID 13702 Physical and environmental protection Corrective
    Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 Physical and environmental protection Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Preventive
    Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 Physical and environmental protection Preventive
    Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 Physical and environmental protection Preventive
    Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 Physical and environmental protection Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Corrective
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Preventive
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Human Resources management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)
    In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    {breach notification} Each Institution and any Service Provider shall include within its security breach related notification procedures and processes (e.g., within disaster recovery, hazard, business continuity, cyber security, and other appropriate procedures and processes) the obligation to immediately notify Federal Reserve Financial Services by telephone at (888) 333-7010, with written confirmation via email at ccc.technical.support@kc.frb.org, in the event of a known, suspected, or threatened compromise, cyber event, fraud, malware detection, or other security incident or breach that would render the Electronic Connection vulnerable to misconduct. Appendix A 1.2(c)]
    Operational management Corrective
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Preventive
  • Configuration
    70
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Monitoring and measurement Preventive
    Enable access control for objects and users on each system. CC ID 04553
    [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Technical security Preventive
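The Appendix A 2.1(f) requirement quoted above is a two-person-integrity control with an unusual extra condition: the two actions must come from separate devices, and initiation may only occur from authorized locations. The following is an added example written for this report, not the Reserve Banks' software or any vendor's product, showing how such a check is enforced at the point where an instruction is released. It also binds each person's action to a digest of the instruction content, so an approval given for a different amount or beneficiary does not count; that binding is a practitioner's addition, not a term of the Circular. The field names, the location allowlist and the sample users, devices and instruction are all constructed for the example.

```python
"""Added illustration of the dual-control rule in Appendix A 2.1(f): an instruction
is released only if two different people, on separate devices, at authorized
locations, act on identical instruction content.  Hypothetical example code, not
the Reserve Banks' or any vendor's software; the field names, the location
allowlist and the sample actions below are constructed."""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class Action:
    """One human action on an instruction: who, on which device, from which site,
    and a digest of the instruction exactly as that person saw it."""
    user_id: str
    device_id: str
    location: str
    instruction_digest: str


def instruction_digest(instruction: dict) -> str:
    """Canonical SHA-256 of the instruction so both actions bind to identical content;
    an approval for a different amount or beneficiary must not count."""
    canonical = json.dumps(instruction, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def authorize_instruction(instruction: dict, initiation: Action, approval: Action,
                          authorized_locations: frozenset) -> tuple[bool, str]:
    """Return (ok, reason).  ok is True only when every dual-control condition holds.
    Checks are ordered so the first failure names the specific control that was missed."""
    expected = instruction_digest(instruction)
    for label, act in (("initiation", initiation), ("approval", approval)):
        if act.location not in authorized_locations:
            return False, f"{label} came from unauthorized location {act.location!r}"
        if act.instruction_digest != expected:
            return False, f"{label} is bound to different instruction content"
    if initiation.user_id == approval.user_id:
        return False, "initiator and approver must be different people"
    if initiation.device_id == approval.device_id:
        return False, "initiation and approval must come from separate devices"
    return True, "dual control satisfied"


# Constructed sample data (not real accounts, sites or people).
AUTHORIZED_LOCATIONS = frozenset({"HQ-wire-room", "DR-site"})
SAMPLE_INSTRUCTION = {"type": "Fedwire", "amount": "250000.00",
                      "beneficiary_aba": "000000000", "reference": "INV-1042"}
_DIGEST = instruction_digest(SAMPLE_INSTRUCTION)
GOOD_INITIATION = Action("alice", "ws-17", "HQ-wire-room", _DIGEST)
GOOD_APPROVAL = Action("bob", "ws-22", "HQ-wire-room", _DIGEST)


def run_demo() -> list:
    """Evaluate the compliant case and four common ways dual control is defeated."""
    tampered = dict(SAMPLE_INSTRUCTION, amount="2500000.00")
    cases = {
        "compliant": (GOOD_INITIATION, GOOD_APPROVAL),
        "same person": (GOOD_INITIATION, Action("alice", "ws-22", "HQ-wire-room", _DIGEST)),
        "same device": (GOOD_INITIATION, Action("bob", "ws-17", "HQ-wire-room", _DIGEST)),
        "unauthorized site": (GOOD_INITIATION, Action("bob", "laptop-9", "home", _DIGEST)),
        "approved altered content": (GOOD_INITIATION,
                                     Action("bob", "ws-22", "HQ-wire-room",
                                            instruction_digest(tampered))),
    }
    results = []
    for name, (init, appr) in cases.items():
        ok, reason = authorize_instruction(SAMPLE_INSTRUCTION, init, appr, AUTHORIZED_LOCATIONS)
        results.append((name, ok, reason))
    return results


if __name__ == "__main__":
    for name, ok, reason in run_demo():
        print(f"{name:26s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

Running the block prints one ALLOW line for the compliant case and a DENY line naming the missed control for each of the other four. In a real deployment the device identity would come from an authenticated client certificate or hardware token rather than a self-reported string, and the digest would be computed on the content actually displayed to the approver, since an approval that merely references an instruction ID can be satisfied by a modified record.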
    Grant access to authorized personnel or systems. CC ID 12186 Technical security Preventive
    Prohibit systems from connecting directly to external networks. CC ID 08709 Technical security Preventive
    Secure the Domain Name System. CC ID 00540 Technical security Preventive
    Configure the network to limit zone transfers to trusted servers. CC ID 01876 Technical security Preventive
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 Technical security Preventive
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Technical security Preventive
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Technical security Preventive
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Technical security Preventive
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 Technical security Preventive
    Configure network ports to organizational standards. CC ID 14007 Technical security Preventive
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 Technical security Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Technical security Preventive
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Technical security Detective
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Technical security Preventive
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Technical security Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Technical security Preventive
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Technical security Preventive
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Technical security Preventive
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Technical security Preventive
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Technical security Preventive
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Technical security Preventive
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Technical security Preventive
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Technical security Preventive
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Technical security Preventive
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Technical security Preventive
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Technical security Preventive
    Synchronize and secure all router configuration files. CC ID 01291 Technical security Preventive
    Synchronize and secure all firewall configuration files. CC ID 11851 Technical security Preventive
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Technical security Preventive
    Configure network access and control points to organizational standards. CC ID 12442
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Technical security Detective
    Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 Technical security Preventive
    Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 Technical security Preventive
    Remove all unauthorized Wireless Local Area Networks. CC ID 06309 Technical security Preventive
    Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 Technical security Preventive
    Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 Technical security Preventive
    Remove all unauthorized wireless access points. CC ID 11856 Technical security Preventive
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Technical security Preventive
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Technical security Preventive
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Technical security Preventive
    Install security and protection software, as necessary. CC ID 00575
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Technical security Preventive
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 Physical and environmental protection Preventive
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 Physical and environmental protection Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Preventive
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Preventive
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Preventive
    Serialize all removable storage media. CC ID 00949 Physical and environmental protection Preventive
    Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 Physical and environmental protection Preventive
    Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 Physical and environmental protection Preventive
    Enable network jacks at the patch panel, as necessary. CC ID 06305 Physical and environmental protection Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Preventive
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Preventive
    Automate threat assessments, as necessary. CC ID 06877 Operational management Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Preventive
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Corrective
    Review and restrict network addresses and network protocols. CC ID 01518 System hardening through configuration management Preventive
    Configure security and protection software according to Organizational Standards. CC ID 11917
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    System hardening through configuration management Preventive
    Configure security and protection software to automatically run at startup. CC ID 12443 System hardening through configuration management Preventive
    Configure security and protection software to enable automatic updates. CC ID 11945
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    System hardening through configuration management Preventive
    Configure security and protection software to check e-mail attachments. CC ID 11860 System hardening through configuration management Preventive
    Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 System hardening through configuration management Preventive
    Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 System hardening through configuration management Preventive
  • Data and Information Management
    114
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Technical security Preventive
    Include virtual systems in the network diagram. CC ID 16324 Technical security Preventive
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Technical security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 Technical security Preventive
    Protect data stored at external locations. CC ID 16333 Technical security Preventive
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Technical security Preventive
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Technical security Preventive
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Technical security Preventive
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Technical security Preventive
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Technical security Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Technical security Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Technical security Preventive
    Perform content sanitization on data-in-transit. CC ID 16512 Technical security Preventive
    Perform content conversion on data-in-transit. CC ID 16510 Technical security Preventive
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Technical security Preventive
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Technical security Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Technical security Preventive
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Technical security Preventive
    Implement the documented cryptographic module security functions. CC ID 06755 Technical security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Preventive
    Include the expiration date in digital signatures. CC ID 13833 Technical security Preventive
    Include audience restrictions in digital signatures. CC ID 13834 Technical security Preventive
    Include the subject in digital signatures. CC ID 13832 Technical security Preventive
    Include the issuer in digital signatures. CC ID 13831 Technical security Preventive
    Include identifiers in the digital signature. CC ID 13829 Technical security Preventive
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Technical security Preventive
    Digitally sign records and data, as necessary. CC ID 16507 Technical security Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Preventive
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Technical security Preventive
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Technical security Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Preventive
    Generate strong cryptographic keys. CC ID 01299 Technical security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Technical security Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Preventive
    Store cryptographic keys securely. CC ID 01298 Technical security Preventive
    Restrict access to cryptographic keys. CC ID 01297 Technical security Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Preventive
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Technical security Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Technical security Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Corrective
    Archive outdated cryptographic keys. CC ID 06884 Technical security Preventive
    Archive revoked cryptographic keys. CC ID 11819 Technical security Preventive
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Detective
    Establish, implement, and maintain removable storage media controls. CC ID 06680 Physical and environmental protection Preventive
    Control access to restricted storage media. CC ID 04889 Physical and environmental protection Preventive
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Physical and environmental protection Preventive
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Physical and environmental protection Preventive
    Encrypt information stored on mobile devices. CC ID 01422 Physical and environmental protection Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996 Operational management Preventive
Share incident information with interested personnel and affected parties. CC ID 01212 Operational management Corrective
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Corrective
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Preventive
    Label restricted storage media appropriately. CC ID 00966 Records management Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125 Privacy protection for information and data Preventive
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2]
    Limit data leakage. CC ID 00356 Privacy protection for information and data Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Preventive
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Detective
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Disclose payments made to third parties. CC ID 08904 Third Party and supply chain oversight Preventive
    Disclose payments made to supply chain security forces. CC ID 10031 Third Party and supply chain oversight Preventive
  • Establish Roles (16 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular
    Columns: IMPACT ZONE | CLASS
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Technical security Preventive
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Technical security Preventive
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Technical security Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Preventive
    Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 Physical and environmental protection Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Preventive
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Preventive
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Preventive
  • Establish/Maintain Documentation (585 controls)
    Establish, implement, and maintain communication protocols. CC ID 12245 Leadership and high level objectives Preventive
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Leadership and high level objectives Preventive
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    When a Settlement Instruction is issued, the Offline Security Procedure involves a telephone call initiated by an authorized employee of the Settlement Agent followed by the transmission by e-mail or facsimile of a Settlement Instruction signed (in the case of a facsimile) by an authorized employee of the Settlement Agent or sent from the e-mail address of an authorized employee of the Settlement Agent. Appendix A 2.3(c) ¶ 5]
Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Preventive
    ["Confidential Information" shall include all information, provided in writing, electronically or orally, which is designated by Reserve Bank herein or by other means as "Confidential." All security-related information, including information regarding Access Control Features and security procedures, whether or not it is labeled as "Confidential," is hereby designated as "Confidential," unless a Reserve Bank makes any such information generally available to the public (i.e., places it on its unrestricted public Web site or otherwise publishes it to the general public). Confidential Information contains trade secrets, proprietary information or security information of Reserve Banks or others. Unauthorized disclosure of Confidential Information likely would cause a Reserve Bank immediate and irreparable damage for which there may be no adequate remedy at law. 5.4 ¶ 1]
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Leadership and high level objectives Preventive
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Leadership and high level objectives Preventive
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement of the Institution's responsibility to adhere to the Security Requirements; Appendix A 3.2 ¶ 1(i)]
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Detective
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Preventive
Establish and maintain audit assertions, as necessary. CC ID 14871 Audits and risk management Detective
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2]
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Preventive
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Preventive
Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Preventive
    [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Detective
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Preventive
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Preventive
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Preventive
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Preventive
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A confirmation that the Institution has conducted a Self-Assessment within the time period requested by the Reserve Banks; Appendix A 3.2 ¶ 1(ii)]
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Preventive
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Preventive
    [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)]
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Preventive
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Preventive
Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Preventive
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)]
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Preventive
    Include the audit opinion regarding the accuracy of the in scope system description in the audit report. CC ID 07019 Audits and risk management Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Preventive
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Detective
    Review past audit reports. CC ID 01155 Audits and risk management Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Detective
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Corrective
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Preventive
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, an acknowledgement that the Institution is responsible for its Service Provider's compliance with the Security Requirements; Appendix A 3.2 ¶ 1(iv)]
    Audits and risk management Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Technical security Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Corrective
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Preventive
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1]
    Audits and risk management Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175
    [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Audits and risk management Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Detective
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Audits and risk management Detective
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain access control policies. CC ID 00512
    [An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)]
    Technical security Preventive
    Include compliance requirements in the access control policy. CC ID 14006 Technical security Preventive
    Include coordination amongst entities in the access control policy. CC ID 14005 Technical security Preventive
    Include management commitment in the access control policy. CC ID 14004 Technical security Preventive
    Include roles and responsibilities in the access control policy. CC ID 14003 Technical security Preventive
    Include the scope in the access control policy. CC ID 14002 Technical security Preventive
    Include the purpose in the access control policy. CC ID 14001 Technical security Preventive
    Document the business need justification for user accounts. CC ID 15490 Technical security Preventive
    Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 Technical security Preventive
    Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Technical security Preventive
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Technical security Preventive
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3
    The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    Technical security Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663 Technical security Preventive
    Document approving and granting access in the access control log. CC ID 06786
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3
    The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    Technical security Preventive
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Technical security Preventive
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053
    [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Technical security Preventive
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Technical security Preventive
    Establish, implement, and maintain network segmentation requirements. CC ID 16380 Technical security Preventive
    Establish, implement, and maintain a network security policy. CC ID 06440 Technical security Preventive
    Include compliance requirements in the network security policy. CC ID 14205 Technical security Preventive
    Include coordination amongst entities in the network security policy. CC ID 14204 Technical security Preventive
    Include management commitment in the network security policy. CC ID 14203 Technical security Preventive
    Include roles and responsibilities in the network security policy. CC ID 14202 Technical security Preventive
    Include the scope in the network security policy. CC ID 14201 Technical security Preventive
    Include the purpose in the network security policy. CC ID 14200 Technical security Preventive
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Technical security Preventive
    Establish, implement, and maintain a wireless networking policy. CC ID 06732 Technical security Preventive
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Technical security Preventive
    Maintain up-to-date network diagrams. CC ID 00531 Technical security Preventive
    Include the date of the most recent update on the network diagram. CC ID 14319 Technical security Preventive
    Include the organization's name in the network diagram. CC ID 14318 Technical security Preventive
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Technical security Preventive
    Include Domain Name System names in the network diagram. CC ID 16240 Technical security Preventive
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Technical security Preventive
    Maintain up-to-date data flow diagrams. CC ID 10059 Technical security Preventive
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Technical security Detective
    Include information flows to third parties in the data flow diagram. CC ID 13185 Technical security Preventive
    Document where data at rest and data in transit are encrypted on the data flow diagram. CC ID 16412 Technical security Preventive
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Technical security Preventive
    Establish, implement, and maintain a network access control standard. CC ID 00546 Technical security Preventive
    Include configuration management and rulesets in the network access control standard. CC ID 11845 Technical security Preventive
    Secure the network access control standard against unauthorized changes. CC ID 11920 Technical security Preventive
    Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 Technical security Preventive
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 Technical security Preventive
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 Technical security Preventive
    Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 Technical security Preventive
    Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 Technical security Preventive
    Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 Technical security Preventive
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 Technical security Preventive
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Technical security Preventive
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Technical security Preventive
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 Technical security Preventive
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Technical security Preventive
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Technical security Preventive
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Technical security Preventive
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Technical security Preventive
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Technical security Preventive
    Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 Technical security Preventive
    Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 Technical security Preventive
    Establish, implement, and maintain Voice over Internet Protocol design specification. CC ID 01449 Technical security Preventive
    Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 Technical security Preventive
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Technical security Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)]
    Technical security Preventive
    Establish, implement, and maintain a document printing policy. CC ID 14384 Technical security Preventive
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Technical security Preventive
    Establish, implement, and maintain information flow procedures. CC ID 04542 Technical security Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782
    [An Institution or its Service Provider must manage its Electronic Connection(s) so as to permit the Reserve Banks to send data to the Institution or the Service Provider, and to permit the Institution or the Service Provider to receive data from the Reserve Banks, on a timely basis throughout the day. A Reserve Bank is not responsible for any delay in sending data (or for notifying any party of such a delay), if the delay results from the Institution's or its Service Provider's failure to so manage its connection(s), or from any cause other than the Reserve Bank's failure to exercise ordinary care or to act in good faith. The Reserve Bank's records shall be determinative of when data has been received by a Reserve Bank or when a Reserve Bank sends data to, or makes it retrievable by, the Institution or its Service Provider. 5.5(a)]
    Technical security Preventive
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Technical security Preventive
    Revoke membership in the whitelist, as necessary. CC ID 13827 Technical security Corrective
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 Technical security Preventive
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Technical security Preventive
    Define the cryptographic boundaries. CC ID 06543 Technical security Preventive
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Technical security Preventive
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Technical security Preventive
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Technical security Preventive
    Document the operation of the cryptographic module. CC ID 06546 Technical security Preventive
    Generate and protect a secret random number for each digital signature. CC ID 06577 Technical security Preventive
    Establish the security strength requirements for the digital signature process. CC ID 06578 Technical security Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Technical security Preventive
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Technical security Preventive
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Technical security Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Technical security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Technical security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Technical security Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Technical security Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Technical security Preventive
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Technical security Preventive
    Establish, implement, and maintain a physical security program. CC ID 11757
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Physical and environmental protection Preventive
    Establish, implement, and maintain physical security plans. CC ID 13307 Physical and environmental protection Preventive
    Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 Physical and environmental protection Preventive
    Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security procedures. CC ID 13076 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711 Physical and environmental protection Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Corrective
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Preventive
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Preventive
    Establish, implement, and maintain a media protection policy. CC ID 14029 Physical and environmental protection Preventive
    Include compliance requirements in the media protection policy. CC ID 14185 Physical and environmental protection Preventive
    Include coordination amongst entities in the media protection policy. CC ID 14184 Physical and environmental protection Preventive
    Include management commitment in the media protection policy. CC ID 14182 Physical and environmental protection Preventive
    Include roles and responsibilities in the media protection policy. CC ID 14180 Physical and environmental protection Preventive
    Include the scope in the media protection policy. CC ID 14167 Physical and environmental protection Preventive
    Include the purpose in the media protection policy. CC ID 14166 Physical and environmental protection Preventive
    Establish, implement, and maintain media protection procedures. CC ID 14062 Physical and environmental protection Preventive
    Establish, implement, and maintain storage media access control procedures. CC ID 00959 Physical and environmental protection Preventive
    Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 Physical and environmental protection Preventive
    Include Information Technology assets in the asset removal policy. CC ID 13162 Physical and environmental protection Preventive
    Specify the assets to be returned or removed in the asset removal policy. CC ID 13163
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Physical and environmental protection Preventive
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 Physical and environmental protection Preventive
    Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 Physical and environmental protection Preventive
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 Physical and environmental protection Preventive
    Establish, implement, and maintain a locking screen saver policy. CC ID 06717 Physical and environmental protection Preventive
    Establish, implement, and maintain a mobile device management program. CC ID 15212 Physical and environmental protection Preventive
    Establish, implement, and maintain a mobile device management policy. CC ID 15214 Physical and environmental protection Preventive
    Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 Physical and environmental protection Preventive
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723 Physical and environmental protection Preventive
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Physical and environmental protection Preventive
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Physical and environmental protection Preventive
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Physical and environmental protection Preventive
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Physical and environmental protection Preventive
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Physical and environmental protection Preventive
    Establish, implement, and maintain asset return procedures. CC ID 04537
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Physical and environmental protection Preventive
    Establish, implement, and maintain open storage container procedures. CC ID 02198 Physical and environmental protection Preventive
    Establish, implement, and maintain a clean desk policy. CC ID 06534 Physical and environmental protection Preventive
    Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 Physical and environmental protection Preventive
    Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 Physical and environmental protection Preventive
    Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 Physical and environmental protection Preventive
    Establish, implement, and maintain a vehicle access program. CC ID 02216 Physical and environmental protection Preventive
    Establish, implement, and maintain returned card procedures. CC ID 13567 Physical and environmental protection Preventive
    Establish and maintain the physical security of non-issued payment cards. CC ID 06402 Physical and environmental protection Preventive
    Establish, implement, and maintain payment card disposal procedures. CC ID 16137 Physical and environmental protection Preventive
    Establish, implement, and maintain a mailing control log. CC ID 16136 Physical and environmental protection Preventive
    Establish, implement, and maintain payment card usage security measures. CC ID 06406 Physical and environmental protection Preventive
    Establish, implement, and maintain payment card disposal procedures. CC ID 16135 Physical and environmental protection Preventive
    Establish and maintain security classifications for network cabling. CC ID 08627 Physical and environmental protection Preventive
    Establish and maintain documentation for network cabling schemes. CC ID 08641 Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Operational and Systems Continuity Preventive
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Operational and Systems Continuity Preventive
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Preventive
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Corrective
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707 Operational and Systems Continuity Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Preventive
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Operational and Systems Continuity Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Preventive
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Detective
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Preventive
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Preventive
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Operational management Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374 Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Preventive
    Include system development in the information security program. CC ID 12389 Operational management Preventive
    Include system maintenance in the information security program. CC ID 12388 Operational management Preventive
    Include system acquisition in the information security program. CC ID 12387 Operational management Preventive
    Include access control in the information security program. CC ID 12386 Operational management Preventive
    Include operations management in the information security program. CC ID 12385 Operational management Preventive
    Include communication management in the information security program. CC ID 12384 Operational management Preventive
    Include environmental security in the information security program. CC ID 12383 Operational management Preventive
    Include physical security in the information security program. CC ID 12382 Operational management Preventive
    Include human resources security in the information security program. CC ID 12381 Operational management Preventive
    Include asset management in the information security program. CC ID 12380 Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Preventive
    Include risk management in the information security program. CC ID 12378 Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Operational management Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Preventive
    Include startup processes in operational control procedures. CC ID 00833 Operational management Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Corrective
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2]
    Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3]
    Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881
    [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2]
    Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661
    [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [Software includes trade secrets and proprietary information of the Reserve Banks and others, which may be copyrighted or patented, and must be handled in accordance with the requirements applicable to Confidential Information as set forth in Paragraph 5.4. 4.6 ¶ 1]
    Operational management Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513
    [{refrain from removing} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: remove any copyright or trademark notice contained in the Software. 4.4 ¶ 1(d)]
    Operational management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603
    [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)]
    Operational management Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Operational management Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Operational management Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Operational management Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Operational management Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Operational management Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Operational management Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Operational management Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1
    Each Institution must at all times comply with the measures, protections, and requirements established under the Reserve Bank Program described in Section 1.1 of this Appendix A, the Institution Program described in Section 1.2 of this Appendix A, and any applicable Security Procedures (collectively, the "Security Requirements"). Appendix A 3.1 ¶ 1
    In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Operational management Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Preventive
    Define confidentiality controls. CC ID 01908 Operational management Preventive
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Preventive
    Define integrity controls. CC ID 01909 Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Preventive
    Define availability controls. CC ID 01911 Operational management Preventive
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Preventive
    Establish, implement, and maintain software license management procedures. CC ID 06639
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Operational management Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Corrective
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Preventive
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement that the Institution must immediately notify the Federal Reserve Banks of any suspected or confirmed fraud, infringement, or security breach relating to any Electronic Connection. Appendix A 3.2 ¶ 1(vi)]
    Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Preventive
    Establish, implement, and maintain a Configuration Management program. CC ID 00867 System hardening through configuration management Preventive
    Establish, implement, and maintain system tracking documentation. CC ID 15266 System hardening through configuration management Preventive
    Include contact information in the system tracking documentation. CC ID 15280
    [The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    System hardening through configuration management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish, implement, and maintain network parameter modification procedures. CC ID 01517 System hardening through configuration management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Preventive
    Establish, implement, and maintain records disposition procedures. CC ID 00971 Records management Preventive
    Maintain disposal records or redeployment records. CC ID 01644
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Records management Preventive
    Include the name of the signing officer in the disposal record. CC ID 15710 Records management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Records management Preventive
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Preventive
    Establish, implement, and maintain system design requirements. CC ID 06618 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Preventive
    Document the business need justification for payment page scripts. CC ID 15480 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2]
    Privacy protection for information and data Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Preventive
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Preventive
    Define the organization's liability based on the applicable law. CC ID 00504
[{refrain from encumbering} {refrain from removing} {refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2
    An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c)
    Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4
    An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Third Party and supply chain oversight Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019
    [{be liable} A Reserve Bank's fees relating to Electronic Connections (including, for example, installation support and training) are published separately and are subject to change on thirty (30) calendar days' prior notice. A Reserve Bank charges these fees to the Institution's (or its correspondent's) account on a Reserve Bank's books. By designating a Service Provider, an Institution agrees that the Service Provider may be billed directly by the Reserve Bank for any fees related to the Service Provider's Electronic Connection. Notwithstanding any such direct billing, the Institution shall remain liable for any unpaid fees. 6.1 ¶ 1
    An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1]
    Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503
[Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Third Party and supply chain oversight Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402
[{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Third Party and supply chain oversight Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1
An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Third Party and supply chain oversight Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)]
    Third Party and supply chain oversight Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Third Party and supply chain oversight Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517
[{refrain from encumbering} {refrain from removing} {refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2
    An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c)
    Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Preventive
    Include a termination provision clause in third party contracts. CC ID 01367
    [An Institution may terminate its agreement to use Reserve Bank services and/or applications through an Electronic Connection and its agreement to the terms of this Circular by giving not less than thirty (30) calendar days' prior written notice to the Reserve Bank(s) with which it has Electronic Connections. A Reserve Bank may terminate an Institution's or its Service Provider's authority to use an Electronic Connection on similar notice. In addition, a Reserve Bank immediately may terminate an Institution's or its Service Provider's Electronic Connection if the Reserve Bank, in its sole discretion, determines that continued use of the Electronic Connection poses a risk to the Reserve Bank or others, or the Reserve Bank believes that the Institution or its Service Provider is in violation of this Circular. 7.1 ¶ 1]
    Third Party and supply chain oversight Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Preventive
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Third Party and supply chain oversight Preventive
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637
    [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2
    In addition, before sending a National Settlement Service settlement file to a Reserve Bank, a Settlement Agent must execute a security procedure agreement with the Host Reserve Bank (as defined in Operating Circular 12) in the form attached as Appendix B-1 to Operating Circular 12. Appendix A 2.3(a) ¶ 3]
    Third Party and supply chain oversight Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Third Party and supply chain oversight Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Third Party and supply chain oversight Detective
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Detective
    Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)]
    Third Party and supply chain oversight Preventive
    Request attestation of compliance from third parties. CC ID 12067
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
    Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1]
    Third Party and supply chain oversight Detective
    Establish, implement, and maintain third party reporting requirements. CC ID 13289
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Third Party and supply chain oversight Preventive
    Define timeliness factors for third party reporting requirements. CC ID 13304 Third Party and supply chain oversight Preventive
    Document payments to third parties. CC ID 08905 Third Party and supply chain oversight Preventive
  • Human Resources Management
    14
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Detective
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources management Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Preventive
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Preventive
    Assign senior management to approve functional requirements in the system requirements specification. CC ID 13067 Systems design, build, and implementation Preventive
  • IT Impact Zone
    14
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    10
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Detective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Detective
    Scan for malicious code, as necessary. CC ID 11941
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Technical security Detective
    Inspect device surfaces to detect tampering. CC ID 11868 Physical and environmental protection Detective
    Inspect device surfaces to detect unauthorized substitution. CC ID 11869 Physical and environmental protection Detective
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Detective
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Detective
    Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 Physical and environmental protection Detective
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Detective
    Perform social network analysis, as necessary. CC ID 14864 Operational management Detective
  • Log Management
    16
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Detective
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Technical security Preventive
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Preventive
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Detective
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Detective
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Preventive
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 Physical and environmental protection Preventive
    Log the transfer of removable storage media. CC ID 12322 Physical and environmental protection Preventive
    Maintain records of all system components entering and exiting the facility. CC ID 14304 Physical and environmental protection Preventive
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Detective
  • Maintenance
    2
    Restart systems on a periodic basis. CC ID 16498 Operational management Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Preventive
  • Monitor and Evaluate Occurrences
    34
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Detective
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Detective
    Detect unauthorized access to systems. CC ID 06798
    [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Monitoring and measurement Detective
    Enforce information flow control. CC ID 11781 Technical security Preventive
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Detective
    Monitor for evidence of when tampering indicators are being identified. CC ID 11905 Physical and environmental protection Detective
    Inspect for tampering, as necessary. CC ID 10640 Physical and environmental protection Detective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Detective
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Detective
    Monitor the location of distributed assets. CC ID 11684 Physical and environmental protection Detective
    Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 Physical and environmental protection Corrective
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Detective
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Preventive
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Preventive
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875
    [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)]
    Privacy protection for information and data Corrective
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Preventive
  • Physical and Environmental Protection
    121
    Analyze and evaluate engineering systems. CC ID 13080 Physical and environmental protection Preventive
    Analyze and evaluate facilities and their structural elements. CC ID 13079 Physical and environmental protection Preventive
    Analyze and evaluate mechanical systems, as necessary. CC ID 13078 Physical and environmental protection Preventive
    Protect assets from tampering or unapproved substitution. CC ID 11902 Physical and environmental protection Preventive
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Preventive
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Corrective
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Detective
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Physical and environmental protection Preventive
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and environmental protection Preventive
    Restrict physical access to distributed assets. CC ID 11865
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Physical and environmental protection Preventive
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and environmental protection Preventive
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and environmental protection Preventive
    Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 Physical and environmental protection Preventive
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and environmental protection Preventive
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 Physical and environmental protection Preventive
    Protect the combinations for all combination locks. CC ID 02199 Physical and environmental protection Preventive
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and environmental protection Preventive
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Preventive
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 Physical and environmental protection Preventive
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681 Physical and environmental protection Preventive
    Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 Physical and environmental protection Preventive
    Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 Physical and environmental protection Preventive
    Attach asset location technologies to distributed assets. CC ID 10626 Physical and environmental protection Detective
    Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 Physical and environmental protection Preventive
    Unpair missing Bluetooth devices. CC ID 12428 Physical and environmental protection Corrective
    Secure workstations to desks with security cables. CC ID 04724 Physical and environmental protection Preventive
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and environmental protection Preventive
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and environmental protection Preventive
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and environmental protection Preventive
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 Physical and environmental protection Preventive
    Secure system components from unauthorized viewing. CC ID 01437 Physical and environmental protection Preventive
    Identify customer property within the organizational facility. CC ID 06612 Physical and environmental protection Preventive
    Protect customer property under the care of the organization. CC ID 11685 Physical and environmental protection Preventive
    Provide storage media shelving capable of bearing all potential loads. CC ID 11400 Physical and environmental protection Preventive
    Establish, implement, and maintain proper aircraft security. CC ID 02213 Physical and environmental protection Preventive
    Establish parking requirements for vehicles. CC ID 02218 Physical and environmental protection Preventive
    Establish, implement, and maintain proper container security. CC ID 02208 Physical and environmental protection Preventive
    Inspect the physical integrity of all containers before loading the containers. CC ID 02209 Physical and environmental protection Detective
    Lock closable storage containers. CC ID 06307 Physical and environmental protection Preventive
    Control the issuance of payment cards. CC ID 06403 Physical and environmental protection Preventive
    Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 Physical and environmental protection Preventive
    Deliver payment cards to customers using secure methods. CC ID 06405 Physical and environmental protection Preventive
    Establish and maintain physical security of assets used for publicity. CC ID 06724 Physical and environmental protection Preventive
    Install and protect network cabling. CC ID 08624 Physical and environmental protection Preventive
    Install and protect fiber optic cable, as necessary. CC ID 08625 Physical and environmental protection Preventive
    Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 Physical and environmental protection Preventive
    Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 Physical and environmental protection Detective
    Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 Physical and environmental protection Preventive
    Install network cable in a way that allows ease of inspection. CC ID 08626 Physical and environmental protection Preventive
    Inspect network cabling at distances determined by security classification. CC ID 08644 Physical and environmental protection Detective
    Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 Physical and environmental protection Preventive
    Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 Physical and environmental protection Preventive
    Label each end of a network cable run. CC ID 08632 Physical and environmental protection Preventive
    Terminate approved network cables on the patch panel. CC ID 08633 Physical and environmental protection Preventive
    Color code cables in accordance with organizational standards. CC ID 16422 Physical and environmental protection Preventive
    Prevent installing network cabling inside walls shared with third parties. CC ID 08648 Physical and environmental protection Preventive
    Install network cabling specifically for maintenance purposes. CC ID 10613 Physical and environmental protection Preventive
    Install and maintain network jacks and outlet boxes. CC ID 08635 Physical and environmental protection Preventive
    Color code outlet boxes in accordance with organizational standards. CC ID 16451 Physical and environmental protection Preventive
    Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 Physical and environmental protection Preventive
    Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 Physical and environmental protection Preventive
    Label network cabling outlet boxes. CC ID 08631 Physical and environmental protection Preventive
    Implement logical controls to enable network jacks, as necessary. CC ID 11934 Physical and environmental protection Preventive
    Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 Physical and environmental protection Preventive
    Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 Physical and environmental protection Preventive
    Install and maintain network patch panels. CC ID 08636 Physical and environmental protection Preventive
    Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 Physical and environmental protection Preventive
    Assign access to network patch panels on a need-to-know basis. CC ID 08638 Physical and environmental protection Preventive
    Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 Physical and environmental protection Preventive
    Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 Physical and environmental protection Preventive
    Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 Physical and environmental protection Preventive
    Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 Physical and environmental protection Preventive
    Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 Physical and environmental protection Preventive
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Records management Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Records management Preventive
  • Process or Activity
    40
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Detective
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Detective
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Preventive
    Enforce the network segmentation requirements. CC ID 16381 Technical security Preventive
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Technical security Detective
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Technical security Detective
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 Technical security Detective
    Update application layer firewalls to the most current version. CC ID 12037 Technical security Preventive
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Technical security Preventive
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Technical security Preventive
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Technical security Preventive
    Remove malware when malicious code is discovered. CC ID 13691 Technical security Corrective
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Physical and environmental protection Preventive
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Physical and environmental protection Corrective
    Remove dormant systems from the network, as necessary. CC ID 13727 Physical and environmental protection Corrective
    Control physical access to network cables. CC ID 00723 Physical and environmental protection Preventive
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Preventive
    Review and approve access controls, as necessary. CC ID 13074 Operational management Detective
    Provide management direction and support for the information security program. CC ID 11999
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Operational management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Operational management Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Preventive
    Provide support for information sharing activities. CC ID 15644 Operational management Preventive
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Preventive
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Operational management Corrective
    Contain the incident to prevent further loss. CC ID 01751 Operational management Corrective
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Preventive
    Define the location requirements for network elements and network devices. CC ID 16379
    [{refrain from situating} {unapproved location} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: situate any VPN device used in conjunction with an Electronic Connection in any location other than the Institution's or its Service Provider's premises within the United States or its territories; 4.4 ¶ 1(a)]
    System hardening through configuration management Preventive
    Define each system's disposition requirements for records and logs. CC ID 11651 Records management Preventive
    Discourage the modification of vendor-supplied software. CC ID 12016
    [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)]
    Acquisition or sale of facilities, technology, and services Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Detective
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838
    [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2]
    Third Party and supply chain oversight Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
  • Records Management
    18
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038
    [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Audits and risk management Preventive
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Preventive
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Physical and environmental protection Preventive
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 Physical and environmental protection Preventive
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Physical and environmental protection Preventive
    Treat archive media as evidence. CC ID 00960 Physical and environmental protection Preventive
    Control the storage of restricted storage media. CC ID 00965 Physical and environmental protection Preventive
    Inventory payment cards, as necessary. CC ID 13547 Physical and environmental protection Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Records management Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Detective
    Include recordkeeping documentation standards in the system requirements specification. CC ID 01038 Systems design, build, and implementation Detective
    Include archives and record management standards in the system requirements specification. CC ID 01039 Systems design, build, and implementation Detective
    Include file format standards in the system requirements specification. CC ID 01041 Systems design, build, and implementation Detective
    Include record retention requirements in the system requirements specification. CC ID 01042 Systems design, build, and implementation Detective
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Preventive
  • Systems Continuity
    13
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Operational and Systems Continuity Corrective
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Preventive
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Corrective
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Preventive
    Disseminate and communicate business functions across multiple facilities using geographic separation. CC ID 10662 Operational and Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Corrective
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Preventive
    Review third parties' backup policies. CC ID 13043 Third Party and supply chain oversight Detective
  • Systems Design, Build, and Implementation
    12
    Implement gateways between security domains. CC ID 16493 Technical security Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)]
    Operational management Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Preventive
    Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a system requirements specification. CC ID 01035
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Systems design, build, and implementation Preventive
    Include relevant resources needed for the system design project in the system requirements specification. CC ID 01036 Systems design, build, and implementation Detective
    Include system interoperability in the system requirements specification. CC ID 16256 Systems design, build, and implementation Preventive
    Include pertinent legal requirements in the system requirements specification. CC ID 01037 Systems design, build, and implementation Detective
    Include privacy requirements in the system requirements specification. CC ID 01040 Systems design, build, and implementation Detective
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems design, build, and implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Preventive
  • Technical Security
    89
    KEY: Primary Verb / Primary Noun / Secondary Verb / Secondary Noun / Limiting Term
    Mandated - bold; Implied - italic; Implementation - regular
    Columns: IMPACT ZONE, CLASS
    Control access rights to organizational assets. CC ID 00004 Technical security Preventive
    Include all system components in the access control system. CC ID 11939 Technical security Preventive
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Preventive
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Preventive
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Preventive
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical security Preventive
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Technical security Preventive
    Identify and control all network access controls. CC ID 00529
    [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1]
    Technical security Preventive
    Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 Technical security Detective
    Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 Technical security Preventive
    Manage all internal network connections. CC ID 06329 Technical security Preventive
    Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 Technical security Preventive
    Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 Technical security Preventive
    Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 Technical security Preventive
    Plan for and approve all network changes. CC ID 00534 Technical security Preventive
    Manage all external network connections. CC ID 11842 Technical security Preventive
    Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 Technical security Preventive
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical security Preventive
    Implement a fault-tolerant architecture. CC ID 01626 Technical security Preventive
    Implement segregation of duties. CC ID 11843 Technical security Preventive
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 Technical security Preventive
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical security Preventive
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical security Preventive
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical security Preventive
    Design Demilitarized Zones with proper isolation rules. CC ID 00532 Technical security Preventive
    Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 Technical security Preventive
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical security Preventive
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical security Preventive
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical security Preventive
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical security Preventive
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 Technical security Preventive
    Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 Technical security Preventive
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 Technical security Corrective
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 Technical security Preventive
    Protect the firewall's network connection interfaces. CC ID 01955 Technical security Preventive
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Preventive
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical security Preventive
    Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 Technical security Preventive
    Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 Technical security Preventive
    Review and approve information exchange system connections. CC ID 07143 Technical security Preventive
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical security Preventive
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical security Preventive
    Block uncategorized sites using URL filtering. CC ID 12140 Technical security Preventive
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical security Detective
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Technical security Preventive
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical security Preventive
    Make key usage for data fields unique for each device. CC ID 04828 Technical security Preventive
    Accept only trusted keys and/or certificates. CC ID 11988 Technical security Preventive
    Bind keys to each identity. CC ID 12337 Technical security Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical security Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Preventive
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical security Preventive
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical security Preventive
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 Technical security Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Preventive
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical security Preventive
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 Technical security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Preventive
    Install and maintain container security solutions. CC ID 16178 Technical security Preventive
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Preventive
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Preventive
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Physical and environmental protection Preventive
    Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 Physical and environmental protection Preventive
    Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 Physical and environmental protection Preventive
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Physical and environmental protection Corrective
    Establish, implement, and maintain a clear screen policy. CC ID 12436 Physical and environmental protection Preventive
    Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 Physical and environmental protection Preventive
    Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 Physical and environmental protection Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Preventive
    Isolate compromised systems from the network. CC ID 01753
    [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)]
    Operational management Corrective
    Patch the operating system, as necessary. CC ID 11824
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Operational management Corrective
    Configure security and protection software to check for phishing attacks. CC ID 04569 System hardening through configuration management Detective
    Establish and maintain access rights to source code based upon least privilege. CC ID 06962
    [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Acquisition or sale of facilities, technology, and services Preventive
    Document the third parties compliance with the organization's system hardening framework. CC ID 04263
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Third Party and supply chain oversight Detective
  • Testing
    42
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)]
    Audits and risk management Detective
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Detective
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Detective
    Determine the effectiveness of in scope controls. CC ID 06984 Audits and risk management Detective
    Determine the effectiveness of risk control measures. CC ID 06601 Audits and risk management Detective
    Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 Technical security Detective
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Technical security Detective
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Detective
    Implement non-repudiation for transactions. CC ID 00567 Technical security Detective
    Test all removable storage media for viruses and malicious code. CC ID 11861 Technical security Detective
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Technical security Detective
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Detective
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Detective
    Test the recovery plan, as necessary. CC ID 13290
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Operational and Systems Continuity Detective
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Detective
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Operational and Systems Continuity Preventive
    Test the continuity plan, as necessary. CC ID 00755
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Operational and Systems Continuity Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Operational and Systems Continuity Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Operational and Systems Continuity Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Operational and Systems Continuity Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Operational and Systems Continuity Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Operational and Systems Continuity Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082 Operational and Systems Continuity Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Operational and Systems Continuity Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Operational and Systems Continuity Detective
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Operational and Systems Continuity Preventive
    Review all third party's continuity plan test results. CC ID 01365 Operational and Systems Continuity Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Detective
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Operational and Systems Continuity Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Operational and Systems Continuity Detective
    Configure security and protection software to check for up-to-date signature files. CC ID 00576 System hardening through configuration management Detective
    Configure security and protection software to check e-mail messages. CC ID 00578 System hardening through configuration management Preventive
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1
    In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Detective
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Detective
    Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Third Party and supply chain oversight Detective
Common Controls and mandates by Classification
127 Mandated Controls - bold    128 Implied Controls - italic    1106 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
1361 Total
  • Corrective
    40
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Establish/Maintain Documentation
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Audits and risk management Establish/Maintain Documentation
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Audits and risk management Establish/Maintain Documentation
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Audits and risk management Business Processes
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Audits and risk management Establish/Maintain Documentation
    Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 Technical security Technical Security
    Revoke membership in the whitelist, as necessary. CC ID 13827 Technical security Establish/Maintain Documentation
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Data and Information Management
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Data and Information Management
    Remove malware when malicious code is discovered. CC ID 13691 Technical security Process or Activity
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Technical security Communicate
    Report damaged property to interested personnel and affected parties. CC ID 13702 Physical and environmental protection Communicate
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Physical and Environmental Protection
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Establish/Maintain Documentation
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Physical and environmental protection Technical Security
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Physical and environmental protection Process or Activity
    Unpair missing Bluetooth devices. CC ID 12428 Physical and environmental protection Physical and Environmental Protection
    Remove dormant systems from the network, as necessary. CC ID 13727 Physical and environmental protection Process or Activity
    Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 Physical and environmental protection Monitor and Evaluate Occurrences
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Operational and Systems Continuity Systems Continuity
    Report changes in the continuity plan to senior management. CC ID 12757 Operational and Systems Continuity Communicate
    Restore systems and environments to be operational. CC ID 13476 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Operational and Systems Continuity Establish/Maintain Documentation
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Operational and Systems Continuity Systems Continuity
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Actionable Reports or Measurements
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Establish/Maintain Documentation
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Coordinate incident response activities with interested personnel and affected parties. CC ID 13196
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Operational management Process or Activity
    Contain the incident to prevent further loss. CC ID 01751 Operational management Process or Activity
    Isolate compromised systems from the network. CC ID 01753
    [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)]
    Operational management Technical Security
    Share incident information with interested personnel and affected parties. CC ID 01212
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Operational management Data and Information Management
    Share data loss event information with the media. CC ID 01759 Operational management Behavior
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Establish/Maintain Documentation
    Report data loss event information to breach notification organizations. CC ID 01210 Operational management Data and Information Management
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Behavior
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)
    In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    {breach notification} Each Institution and any Service Provider shall include within its security breach related notification procedures and processes (e.g., within disaster recovery, hazard, business continuity, cyber security, and other appropriate procedures and processes) the obligation to immediately notify Federal Reserve Financial Services by telephone at (888) 333-7010, with written confirmation via email at ccc.technical.support@kc.frb.org, in the event of a known, suspected, or threatened compromise, cyber event, fraud, malware detection, or other security incident or breach that would render the Electronic Connection vulnerable to misconduct. Appendix A 1.2(c)]
    Operational management Communicate
    Deploy software patches in accordance with organizational standards. CC ID 07032 Operational management Configuration
    Patch the operating system, as necessary. CC ID 11824
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)
    An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Operational management Technical Security
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875
    [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)]
    Privacy protection for information and data Monitor and Evaluate Occurrences
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Business Processes
  • Detective
    125
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Monitor systems for inappropriate usage and other security violations. CC ID 00585 Monitoring and measurement Monitor and Evaluate Occurrences
    Monitor systems for access to restricted data or restricted information. CC ID 04721 Monitoring and measurement Monitor and Evaluate Occurrences
    Detect unauthorized access to systems. CC ID 06798
    [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)]
    Audits and risk management Testing
    Establish and maintain audit assertions, as necessary. CC ID 14871
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2]
    Audits and risk management Establish/Maintain Documentation
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Audits and risk management Investigate
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Audits and risk management Testing
    Document test plans for auditing in scope controls. CC ID 06985 Audits and risk management Testing
    Determine the effectiveness of in scope controls. CC ID 06984 Audits and risk management Testing
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144
    [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Audits and risk management Audits and Risk Management
    Determine what disclosures are required in the audit report. CC ID 14888 Audits and risk management Establish/Maintain Documentation
    Identify the audit team members in the audit report. CC ID 15259 Audits and risk management Human Resources Management
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and risk management Audits and Risk Management
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Audits and Risk Management
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Audits and risk management Establish/Maintain Documentation
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Audits and Risk Management
    Review past audit reports. CC ID 01155 Audits and risk management Establish/Maintain Documentation
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Audits and risk management Establish/Maintain Documentation
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Audits and risk management Establish/Maintain Documentation
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Audits and risk management Investigate
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Audits and risk management Process or Activity
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Audits and risk management Log Management
    Review the issues of non-compliance from past audit reports. CC ID 01148 Audits and risk management Establish/Maintain Documentation
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Audits and risk management Establish/Maintain Documentation
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Audits and risk management Process or Activity
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Audits and risk management Process or Activity
    Determine the effectiveness of risk control measures. CC ID 06601 Audits and risk management Testing
    Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 Technical security Technical Security
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Technical security Process or Activity
    Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 Technical security Process or Activity
    Establish, implement, and maintain a sensitive information inventory. CC ID 13736 Technical security Establish/Maintain Documentation
    Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 Technical security Testing
    Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 Technical security Process or Activity
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Technical security Configuration
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Technical security Testing
    Configure network access and control points to organizational standards. CC ID 12442
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Technical security Configuration
    Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 Technical security Technical Security
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Testing
    Implement non-repudiation for transactions. CC ID 00567 Technical security Testing
    Scan for malicious code, as necessary. CC ID 11941
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Technical security Investigate
    Test all removable storage media for viruses and malicious code. CC ID 11861 Technical security Testing
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Technical security Testing
    Conduct external audits of the physical security plan. CC ID 13314 Physical and environmental protection Audits and Risk Management
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor for evidence of when tampering indicators are being identified. CC ID 11905 Physical and environmental protection Monitor and Evaluate Occurrences
    Inspect device surfaces to detect tampering. CC ID 11868 Physical and environmental protection Investigate
    Inspect device surfaces to detect unauthorized substitution. CC ID 11869 Physical and environmental protection Investigate
    Inspect for tampering, as necessary. CC ID 10640 Physical and environmental protection Monitor and Evaluate Occurrences
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Physical and Environmental Protection
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Investigate
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Physical and Environmental Protection
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Testing
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Physical and Environmental Protection
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Monitor and Evaluate Occurrences
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Investigate
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Log Management
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Log Management
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Monitor and Evaluate Occurrences
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Physical and Environmental Protection
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Monitor and Evaluate Occurrences
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Data and Information Management
    Attach asset location technologies to distributed assets. CC ID 10626 Physical and environmental protection Physical and Environmental Protection
    Monitor the location of distributed assets. CC ID 11684 Physical and environmental protection Monitor and Evaluate Occurrences
    Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 Physical and environmental protection Investigate
    Inspect the physical integrity of all containers before loading the containers. CC ID 02209 Physical and environmental protection Physical and Environmental Protection
    Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 Physical and environmental protection Physical and Environmental Protection
    Inspect network cabling at distances determined by security classification. CC ID 08644 Physical and environmental protection Physical and Environmental Protection
    Monitor and evaluate business continuity management system performance. CC ID 12410 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Operational and Systems Continuity Testing
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Investigate
    Test the recovery plan, as necessary. CC ID 13290
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Operational and Systems Continuity Testing
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Testing
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Establish/Maintain Documentation
    Test the continuity plan, as necessary. CC ID 00755
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Operational and Systems Continuity Testing
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Operational and Systems Continuity Testing
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Operational and Systems Continuity Testing
    Analyze system interdependence during continuity plan tests. CC ID 13082 Operational and Systems Continuity Testing
    Test the continuity plan at the alternate facility. CC ID 01174 Operational and Systems Continuity Testing
    Review all third parties' continuity plan test results. CC ID 01365 Operational and Systems Continuity Testing
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Operational and Systems Continuity Testing
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Operational and Systems Continuity Testing
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Operational and Systems Continuity Testing
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Business Processes
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Establish/Maintain Documentation
    Review and approve access controls, as necessary. CC ID 13074 Operational management Process or Activity
    Perform social network analysis, as necessary. CC ID 14864 Operational management Investigate
    Respond to and triage when an incident is detected. CC ID 06942 Operational management Monitor and Evaluate Occurrences
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Log Management
    Configure security and protection software to check for up-to-date signature files. CC ID 00576 System hardening through configuration management Testing
    Configure security and protection software to check for phishing attacks. CC ID 04569 System hardening through configuration management Technical Security
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Records Management
    Include relevant resources needed for the system design project in the system requirements specification. CC ID 01036 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include pertinent legal requirements in the system requirements specification. CC ID 01037 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include recordkeeping documentation standards in the system requirements specification. CC ID 01038 Systems design, build, and implementation Records Management
    Include archives and record management standards in the system requirements specification. CC ID 01039 Systems design, build, and implementation Records Management
    Include privacy requirements in the system requirements specification. CC ID 01040 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include file format standards in the system requirements specification. CC ID 01041 Systems design, build, and implementation Records Management
    Include record retention requirements in the system requirements specification. CC ID 01042 Systems design, build, and implementation Records Management
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 Third Party and supply chain oversight Process or Activity
    Include a termination provision clause in third party contracts. CC ID 01367
    [An Institution may terminate its agreement to use Reserve Bank services and/or applications through an Electronic Connection and its agreement to the terms of this Circular by giving not less than thirty (30) calendar days' prior written notice to the Reserve Bank(s) with which it has Electronic Connections. A Reserve Bank may terminate an Institution's or its Service Provider's authority to use an Electronic Connection on similar notice. In addition, a Reserve Bank immediately may terminate an Institution's or its Service Provider's Electronic Connection if the Reserve Bank, in its sole discretion, determines that continued use of the Electronic Connection poses a risk to the Reserve Bank or others, or the Reserve Bank believes that the Institution or its Service Provider is in violation of this Circular. 7.1 ¶ 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1
    In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Testing
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Testing
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Testing
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Testing
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Data and Information Management
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Testing
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Third Party and supply chain oversight Establish/Maintain Documentation
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Establish/Maintain Documentation
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Business Processes
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Establish/Maintain Documentation
    Assess third parties' business continuity capabilities during due diligence. CC ID 12077
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Third Party and supply chain oversight Business Processes
    Review third parties' backup policies. CC ID 13043 Third Party and supply chain oversight Systems Continuity
    Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Third Party and supply chain oversight Testing
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Process or Activity
    Request attestation of compliance from third parties. CC ID 12067
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
    Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
    {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2]
    Third Party and supply chain oversight Business Processes
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 Third Party and supply chain oversight Business Processes
    Document the third parties compliance with the organization's system hardening framework. CC ID 04263
[An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Third Party and supply chain oversight Technical Security
    Implement physical security controls at all supply chain member locations. CC ID 08933 Third Party and supply chain oversight Business Processes
  • IT Impact Zone
    14
KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
Mandated - bold    Implied - italic    Implementation - regular
IMPACT ZONE    TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    1182
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Business Processes
    Establish, implement, and maintain communication protocols. CC ID 12245 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    When a Settlement Instruction is issued, the Offline Security Procedure involves a telephone call initiated by an authorized employee of the Settlement Agent followed by the transmission by e-mail or facsimile of a Settlement Instruction signed (in the case of a facsimile) by an authorized employee of the Settlement Agent or sent from the e-mail address of an authorized employee of the Settlement Agent. Appendix A 2.3(c) ¶ 5]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain an information classification standard. CC ID 00601
    ["Confidential Information" shall include all information, provided in writing, electronically or orally, which is designated by Reserve Bank herein or by other means as "Confidential." All security-related information, including information regarding Access Control Features and security procedures, whether or not it is labeled as "Confidential," is hereby designated as "Confidential," unless a Reserve Bank makes any such information generally available to the public (i.e., places it on its unrestricted public Web site or otherwise publishes it to the general public). Confidential Information contains trade secrets, proprietary information or security information of Reserve Banks or others. Unauthorized disclosure of Confidential Information likely would cause a Reserve Bank immediate and irreparable damage for which there may be no adequate remedy at law. 5.4 ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Data and Information Management
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Data and Information Management
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Data and Information Management
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Data and Information Management
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Data and Information Management
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Data and Information Management
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Data and Information Management
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Data and Information Management
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Data and Information Management
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Authority Document list. CC ID 07113 Leadership and high level objectives Establish/Maintain Documentation
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement of the Institution's responsibility to adhere to the Security Requirements; Appendix A 3.2 ¶ 1(i)]
    Leadership and high level objectives Establish/Maintain Documentation
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Establish/Maintain Documentation
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Leadership and high level objectives Establish/Maintain Documentation
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Establish/Maintain Documentation
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Monitoring and measurement Configuration
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Audits and risk management Establish Roles
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Audits and risk management Establish Roles
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Establish/Maintain Documentation
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Audits and risk management Establish/Maintain Documentation
    Include an in scope system description in the audit assertion. CC ID 14872 Audits and risk management Establish/Maintain Documentation
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Audits and risk management Establish/Maintain Documentation
    Include investigations and legal proceedings in the audit assertion. CC ID 16846 Audits and risk management Establish/Maintain Documentation
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Audits and risk management Establish/Maintain Documentation
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Audits and risk management Establish/Maintain Documentation
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Audits and risk management Establish/Maintain Documentation
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Audits and risk management Establish/Maintain Documentation
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Audits and risk management Establish/Maintain Documentation
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Audits and risk management Establish/Maintain Documentation
    Include the in scope procedures in the audit assertion. CC ID 06972 Audits and risk management Establish/Maintain Documentation
    Include the in scope records produced in the audit assertion. CC ID 06968 Audits and risk management Establish/Maintain Documentation
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Audits and risk management Establish/Maintain Documentation
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Audits and risk management Establish/Maintain Documentation
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Audits and risk management Establish/Maintain Documentation
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Audits and risk management Establish/Maintain Documentation
    Include in scope change controls in the audit assertion. CC ID 06976 Audits and risk management Establish/Maintain Documentation
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Audits and risk management Establish/Maintain Documentation
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Audits and risk management Business Processes
    Audit in scope audit items and compliance documents. CC ID 06730 Audits and risk management Audits and Risk Management
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Audits and risk management Actionable Reports or Measurements
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038
    [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Audits and risk management Records Management
    Audit policies, standards, and procedures. CC ID 12927
    [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2
    {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2]
    Audits and risk management Audits and Risk Management
    Establish and maintain organizational audit reports. CC ID 06731
    [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Audits and risk management Establish/Maintain Documentation
    Include the justification for not following the applicable requirements in the audit report. CC ID 16822 Audits and risk management Audits and Risk Management
    Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 Audits and risk management Audits and Risk Management
    Include audit subject matter in the audit report. CC ID 14882 Audits and risk management Establish/Maintain Documentation
    Include an other-matter paragraph in the audit report. CC ID 14901 Audits and risk management Establish/Maintain Documentation
    Include that the auditee did not provide comments in the audit report. CC ID 16849 Audits and risk management Establish/Maintain Documentation
    Write the audit report using clear and conspicuous language. CC ID 13948 Audits and risk management Establish/Maintain Documentation
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Audits and risk management Establish/Maintain Documentation
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Audits and risk management Establish/Maintain Documentation
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Audits and risk management Establish/Maintain Documentation
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Audits and risk management Establish/Maintain Documentation
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Audits and risk management Establish/Maintain Documentation
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Audits and risk management Establish/Maintain Documentation
    Include references to historical financial information used in the audit report. CC ID 13961 Audits and risk management Establish/Maintain Documentation
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Audits and risk management Establish/Maintain Documentation
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Audits and risk management Establish/Maintain Documentation
    Include the word independent in the title of audit reports. CC ID 07003
[{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)]
    Audits and risk management Actionable Reports or Measurements
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Actionable Reports or Measurements
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Audits and risk management Establish/Maintain Documentation
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Actionable Reports or Measurements
    Include any discussions of significant findings in the audit report. CC ID 13955 Audits and risk management Establish/Maintain Documentation
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Audits and risk management Establish/Maintain Documentation
    Include the audit criteria in the audit report. CC ID 13945 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Audits and risk management Establish/Maintain Documentation
    Include all hypothetical assumptions in the audit report. CC ID 13947 Audits and risk management Establish/Maintain Documentation
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Actionable Reports or Measurements
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Audits and risk management Establish/Maintain Documentation
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Audits and risk management Establish/Maintain Documentation
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Audits and risk management Establish/Maintain Documentation
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Audits and risk management Establish/Maintain Documentation
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A confirmation that the Institution has conducted a Self-Assessment within the time period requested by the Reserve Banks; Appendix A 3.2 ¶ 1(ii)]
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Audits and risk management Establish/Maintain Documentation
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Audits and risk management Establish/Maintain Documentation
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Audits and risk management Establish/Maintain Documentation
    [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)]
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Audits and risk management Establish/Maintain Documentation
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Audits and risk management Establish/Maintain Documentation
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Audits and risk management Establish/Maintain Documentation
    Include all restrictions on the audit in the audit report. CC ID 13930 Audits and risk management Establish/Maintain Documentation
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Audits and risk management Establish/Maintain Documentation
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Audits and risk management Establish/Maintain Documentation
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Audits and risk management Establish/Maintain Documentation
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Audits and risk management Establish/Maintain Documentation
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Audits and risk management Establish/Maintain Documentation
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Audits and risk management Establish/Maintain Documentation
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and risk management Audits and Risk Management
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Audits and risk management Establish/Maintain Documentation
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Audits and risk management Establish/Maintain Documentation
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Audits and risk management Establish/Maintain Documentation
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Audits and risk management Establish/Maintain Documentation
    Include recommended corrective actions in the audit report. CC ID 16197 Audits and risk management Establish/Maintain Documentation
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)]
    Include risks and opportunities in the audit report. CC ID 16196 Audits and risk management Establish/Maintain Documentation
    Include the description of tests of controls and results in the audit report. CC ID 14898 Audits and risk management Establish/Maintain Documentation
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Audits and risk management Establish/Maintain Documentation
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Audits and risk management Establish/Maintain Documentation
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Audits and risk management Establish/Maintain Documentation
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and risk management Audits and Risk Management
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Audits and risk management Establish/Maintain Documentation
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Audits and risk management Establish/Maintain Documentation
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Actionable Reports or Measurements
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Audits and risk management Establish/Maintain Documentation
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Audits and risk management Establish/Maintain Documentation
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Audits and risk management Establish/Maintain Documentation
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Audits and risk management Establish/Maintain Documentation
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Audits and risk management Establish/Maintain Documentation
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and risk management Audits and Risk Management
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Audits and risk management Establish/Maintain Documentation
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Audits and risk management Establish/Maintain Documentation
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Audits and Risk Management
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Behavior
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Audits and risk management Establish/Maintain Documentation
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Audits and risk management Establish/Maintain Documentation
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Audits and risk management Establish/Maintain Documentation
    Include an audit opinion in the audit report. CC ID 07017 Audits and risk management Establish/Maintain Documentation
    Include qualified opinions in the audit report. CC ID 13928 Audits and risk management Establish/Maintain Documentation
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Audits and risk management Establish/Maintain Documentation
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Audits and risk management Establish/Maintain Documentation
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Audits and risk management Establish/Maintain Documentation
    Include the organization's privacy practices in the audit report. CC ID 07029 Audits and risk management Establish/Maintain Documentation
    Include items that pertain to third parties in the audit report. CC ID 07008 Audits and risk management Establish/Maintain Documentation
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, an acknowledgement that the Institution is responsible for its Service Provider's compliance with the Security Requirements; Appendix A 3.2 ¶ 1(iv)]
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Audits and risk management Establish/Maintain Documentation
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Audits and risk management Establish/Maintain Documentation
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Audits and risk management Establish/Maintain Documentation
    Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 Audits and risk management Establish/Maintain Documentation
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Audits and risk management Establish/Maintain Documentation
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Audits and risk management Establish/Maintain Documentation
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Audits and risk management Establish/Maintain Documentation
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Actionable Reports or Measurements
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Audits and risk management Establish/Maintain Documentation
    Include a statement that additional reports are being submitted in the audit report. CC ID 16848 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Audits and risk management Establish/Maintain Documentation
    [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1]
    Define the roles and responsibilities for distributing the audit report. CC ID 16845 Audits and risk management Human Resources Management
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Audits and risk management Communicate
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Audits and risk management Communicate
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Behavior
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Audits and risk management Establish/Maintain Documentation
    [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2]
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Establish/Maintain Documentation
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Audits and Risk Management
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and risk management Audits and Risk Management
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain access control policies. CC ID 00512 Technical security Establish/Maintain Documentation
    [An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)]
    Include compliance requirements in the access control policy. CC ID 14006 Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the access control policy. CC ID 14005 Technical security Establish/Maintain Documentation
    Include management commitment in the access control policy. CC ID 14004 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the access control policy. CC ID 14003 Technical security Establish/Maintain Documentation
    Include the scope in the access control policy. CC ID 14002 Technical security Establish/Maintain Documentation
    Include the purpose in the access control policy. CC ID 14001 Technical security Establish/Maintain Documentation
    Document the business need justification for user accounts. CC ID 15490 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 Technical security Establish/Maintain Documentation
    Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    Enable access control for objects and users on each system. CC ID 04553 Technical security Configuration
    [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Include all system components in the access control system. CC ID 11939 Technical security Technical Security
    Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 Technical security Process or Activity
    Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 Technical security Technical Security
    Enable attribute-based access control for objects and users on information systems. CC ID 16351 Technical security Technical Security
    Enable role-based access control for objects and users on information systems. CC ID 12458 Technical security Technical Security
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for restricted data. CC ID 01921 Technical security Data and Information Management
    [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 Technical security Establish/Maintain Documentation
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 Technical security Establish/Maintain Documentation
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Establish, implement, and maintain User Access Management procedures. CC ID 00514 Technical security Technical Security
    Establish, implement, and maintain an authority for access authorization list. CC ID 06782 Technical security Establish/Maintain Documentation
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3
    The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    Review and approve logical access to all assets based upon organizational policies. CC ID 06641 Technical security Technical Security
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Establish, implement, and maintain access control procedures. CC ID 11663 Technical security Establish/Maintain Documentation
    Grant access to authorized personnel or systems. CC ID 12186 Technical security Configuration
    Document approving and granting access in the access control log. CC ID 06786 Technical security Establish/Maintain Documentation
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3
    The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Communicate
    Establish, implement, and maintain an identification and authentication policy. CC ID 14033 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain identification and authentication procedures. CC ID 14053 Technical security Establish/Maintain Documentation
    [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 Technical security Communicate
    Identify and control all network access controls. CC ID 00529 Technical security Technical Security
    [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1]
    Establish, implement, and maintain a network configuration standard. CC ID 00530 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain network segmentation requirements. CC ID 16380 Technical security Establish/Maintain Documentation
    Enforce the network segmentation requirements. CC ID 16381 Technical security Process or Activity
    Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 Technical security Technical Security
    Establish, implement, and maintain a network security policy. CC ID 06440 Technical security Establish/Maintain Documentation
    Include compliance requirements in the network security policy. CC ID 14205 Technical security Establish/Maintain Documentation
    Include coordination amongst entities in the network security policy. CC ID 14204 Technical security Establish/Maintain Documentation
    Include management commitment in the network security policy. CC ID 14203 Technical security Establish/Maintain Documentation
    Include roles and responsibilities in the network security policy. CC ID 14202 Technical security Establish/Maintain Documentation
    Include the scope in the network security policy. CC ID 14201 Technical security Establish/Maintain Documentation
    Include the purpose in the network security policy. CC ID 14200 Technical security Establish/Maintain Documentation
    Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 Technical security Communicate
    Establish, implement, and maintain system and communications protection procedures. CC ID 14052 Technical security Establish/Maintain Documentation
    Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 Technical security Communicate
    Establish, implement, and maintain a wireless networking policy. CC ID 06732 Technical security Establish/Maintain Documentation
    Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 Technical security Establish/Maintain Documentation
    Maintain up-to-date network diagrams. CC ID 00531 Technical security Establish/Maintain Documentation
    Include the date of the most recent update on the network diagram. CC ID 14319 Technical security Establish/Maintain Documentation
    Include virtual systems in the network diagram. CC ID 16324 Technical security Data and Information Management
    Include the organization's name in the network diagram. CC ID 14318 Technical security Establish/Maintain Documentation
    Include Internet Protocol addresses in the network diagram. CC ID 16244 Technical security Establish/Maintain Documentation
    Include Domain Name System names in the network diagram. CC ID 16240 Technical security Establish/Maintain Documentation
    Accept, by formal signature, the security implications of the network topology. CC ID 12323 Technical security Establish/Maintain Documentation
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Technical security Communicate
    Maintain up-to-date data flow diagrams. CC ID 10059 Technical security Establish/Maintain Documentation
    Include information flows to third parties in the data flow diagram. CC ID 13185 Technical security Establish/Maintain Documentation
    Document where data-at-rest and data-in-transit are encrypted on the data flow diagram. CC ID 16412 Technical security Establish/Maintain Documentation
    Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 Technical security Communicate
    Manage all internal network connections. CC ID 06329 Technical security Technical Security
    Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 Technical security Technical Security
    Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 Technical security Technical Security
    Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 Technical security Technical Security
    Plan for and approve all network changes. CC ID 00534 Technical security Technical Security
    Manage all external network connections. CC ID 11842 Technical security Technical Security
    Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 Technical security Technical Security
    Prohibit systems from connecting directly to external networks. CC ID 08709 Technical security Configuration
    Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 Technical security Technical Security
    Secure the Domain Name System. CC ID 00540 Technical security Configuration
    Implement a fault-tolerant architecture. CC ID 01626 Technical security Technical Security
    Implement segregation of duties. CC ID 11843 Technical security Technical Security
    Configure the network to limit zone transfers to trusted servers. CC ID 01876 Technical security Configuration
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Technical security Establish/Maintain Documentation
    Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 Technical security Technical Security
    Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 Technical security Communicate
    Segregate systems in accordance with organizational standards. CC ID 12546 Technical security Technical Security
    Implement gateways between security domains. CC ID 16493 Technical security Systems Design, Build, and Implementation
    Implement resource-isolation mechanisms in organizational networks. CC ID 16438 Technical security Technical Security
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 Technical security Technical Security
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 Technical security Technical Security
    Design Demilitarized Zones with proper isolation rules. CC ID 00532 Technical security Technical Security
    Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 Technical security Technical Security
    Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 Technical security Data and Information Management
    Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical security Technical Security
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical security Technical Security
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 Technical security Data and Information Management
    Establish, implement, and maintain a network access control standard. CC ID 00546 Technical security Establish/Maintain Documentation
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Technical security Establish Roles
    Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 Technical security Technical Security
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical security Technical Security
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 Technical security Configuration
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Technical security Configuration
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Technical security Configuration
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 Technical security Technical Security
    Include configuration management and rulesets in the network access control standard. CC ID 11845 Technical security Establish/Maintain Documentation
    Secure the network access control standard against unauthorized changes. CC ID 11920 Technical security Establish/Maintain Documentation
    Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 Technical security Technical Security
    Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 Technical security Configuration
    Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 Technical security Establish/Maintain Documentation
    Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 Technical security Establish/Maintain Documentation
    Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 Technical security Establish/Maintain Documentation
    Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 Technical security Establish/Maintain Documentation
    Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 Technical security Establish/Maintain Documentation
    Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 Technical security Establish/Maintain Documentation
    Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 Technical security Configuration
    Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 Technical security Establish/Maintain Documentation
    Configure network ports to organizational standards. CC ID 14007 Technical security Configuration
    Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 Technical security Establish/Maintain Documentation
    Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 Technical security Establish/Maintain Documentation
    Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 Technical security Establish/Maintain Documentation
    Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 Technical security Establish/Maintain Documentation
    Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 Technical security Establish/Maintain Documentation
    Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 Technical security Configuration
    Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 Technical security Technical Security
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Technical security Configuration
    Protect data stored at external locations. CC ID 16333 Technical security Data and Information Management
    Protect the firewall's network connection interfaces. CC ID 01955 Technical security Technical Security
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Technical security Configuration
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Technical security Configuration
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Technical security Configuration
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Technical security Configuration
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Technical security Configuration
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Technical security Configuration
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Technical security Configuration
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Technical security Configuration
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Technical security Configuration
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Technical security Configuration
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Technical security Configuration
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Technical security Configuration
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Technical security Configuration
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Technical Security
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical security Technical Security
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Technical security Data and Information Management
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Technical security Data and Information Management
    Synchronize and secure all router configuration files. CC ID 01291 Technical security Configuration
    Synchronize and secure all firewall configuration files. CC ID 11851 Technical security Configuration
    Configure firewalls to generate an audit log. CC ID 12038 Technical security Audits and Risk Management
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Technical security Configuration
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Technical security Establish/Maintain Documentation
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Technical security Establish/Maintain Documentation
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Technical security Establish/Maintain Documentation
    Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 Technical security Configuration
    Update application layer firewalls to the most current version. CC ID 12037 Technical security Process or Activity
    Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 Technical security Establish/Maintain Documentation
    Configure third-party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 Technical security Configuration
    Remove all unauthorized Wireless Local Area Networks. CC ID 06309 Technical security Configuration
    Establish, implement, and maintain a Voice over Internet Protocol design specification. CC ID 01449 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 Technical security Establish/Maintain Documentation
    Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 Technical security Technical Security
    Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 Technical security Configuration
    Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 Technical security Technical Security
    Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 Technical security Configuration
    Remove all unauthorized wireless access points. CC ID 11856 Technical security Configuration
    Enforce information flow control. CC ID 11781 Technical security Monitor and Evaluate Occurrences
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Technical security Establish/Maintain Documentation
    Constrain the information flow of restricted data or restricted information. CC ID 06763 Technical security Data and Information Management
    Restrict access to restricted data and restricted information on a need-to-know basis. CC ID 12453
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Technical security Data and Information Management
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)]
    Technical security Establish/Maintain Documentation
    Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 Technical security Data and Information Management
    Establish, implement, and maintain a document printing policy. CC ID 14384 Technical security Establish/Maintain Documentation
    Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain information flow procedures. CC ID 04542 Technical security Establish/Maintain Documentation
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Technical security Data and Information Management
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Technical security Data and Information Management
    Establish, implement, and maintain information exchange procedures. CC ID 11782
    [An Institution or its Service Provider must manage its Electronic Connection(s) so as to permit the Reserve Banks to send data to the Institution or the Service Provider, and to permit the Institution or the Service Provider to receive data from the Reserve Banks, on a timely basis throughout the day. A Reserve Bank is not responsible for any delay in sending data (or for notifying any party of such a delay), if the delay results from the Institution's or its Service Provider's failure to so manage its connection(s), or from any cause other than the Reserve Bank's failure to exercise ordinary care or to act in good faith. The Reserve Bank's records shall be determinative of when data has been received by a Reserve Bank or when a Reserve Bank sends data to, or makes it retrievable by, the Institution or its Service Provider. 5.5(a)]
    Technical security Establish/Maintain Documentation
    Perform content sanitization on data-in-transit. CC ID 16512 Technical security Data and Information Management
    Perform content conversion on data-in-transit. CC ID 16510 Technical security Data and Information Management
    Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 Technical security Data and Information Management
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Technical security Data and Information Management
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Technical security Data and Information Management
    Review and approve information exchange system connections. CC ID 07143 Technical security Technical Security
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Technical security Log Management
    Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 Technical security Technical Security
    Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 Technical security Technical Security
    Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 Technical security Establish/Maintain Documentation
    Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 Technical security Configuration
    Block uncategorized sites using URL filtering. CC ID 12140 Technical security Technical Security
    Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 Technical security Data and Information Management
    Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 Technical security Establish/Maintain Documentation
    Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 Technical security Behavior
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Technical security Technical Security
    Comply with the encryption laws of the local country. CC ID 16377 Technical security Business Processes
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Technical security Establish/Maintain Documentation
    Define the cryptographic boundaries. CC ID 06543 Technical security Establish/Maintain Documentation
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Technical security Establish/Maintain Documentation
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Technical security Establish/Maintain Documentation
    Implement the documented cryptographic module security functions. CC ID 06755 Technical security Data and Information Management
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Technical security Establish/Maintain Documentation
    Document the operation of the cryptographic module. CC ID 06546 Technical security Establish/Maintain Documentation
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical security Technical Security
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Data and Information Management
    Include the expiration date in digital signatures. CC ID 13833 Technical security Data and Information Management
    Include audience restrictions in digital signatures. CC ID 13834 Technical security Data and Information Management
    Include the subject in digital signatures. CC ID 13832 Technical security Data and Information Management
    Include the issuer in digital signatures. CC ID 13831 Technical security Data and Information Management
    Include identifiers in the digital signature. CC ID 13829 Technical security Data and Information Management
    Generate and protect a secret random number for each digital signature. CC ID 06577 Technical security Establish/Maintain Documentation
    Establish the security strength requirements for the digital signature process. CC ID 06578 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Technical security Establish/Maintain Documentation
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Technical security Configuration
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Technical security Data and Information Management
    Digitally sign records and data, as necessary. CC ID 16507 Technical security Data and Information Management
    Make key usage for data fields unique for each device. CC ID 04828 Technical security Technical Security
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Data and Information Management
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Data and Information Management
    Accept only trusted keys and/or certificates. CC ID 11988 Technical security Technical Security
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Technical security Data and Information Management
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Technical security Process or Activity
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Technical security Process or Activity
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Technical security Communicate
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Technical security Process or Activity
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Technical security Data and Information Management
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Technical security Establish/Maintain Documentation
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Technical security Communicate
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Technical security Establish/Maintain Documentation
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Technical security Establish Roles
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Communicate
    Bind keys to each identity. CC ID 12337 Technical security Technical Security
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Establish/Maintain Documentation
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Establish/Maintain Documentation
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Data and Information Management
    Generate strong cryptographic keys. CC ID 01299 Technical security Data and Information Management
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Technical Security
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Data and Information Management
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Technical Security
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Technical security Data and Information Management
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Data and Information Management
    Store cryptographic keys securely. CC ID 01298 Technical security Data and Information Management
    Restrict access to cryptographic keys. CC ID 01297 Technical security Data and Information Management
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Data and Information Management
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Technical Security
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Establish/Maintain Documentation
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Technical security Data and Information Management
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Data and Information Management
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Technical security Data and Information Management
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Data and Information Management
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Technical Security
    Archive outdated cryptographic keys. CC ID 06884 Technical security Data and Information Management
    Archive revoked cryptographic keys. CC ID 11819 Technical security Data and Information Management
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Establish/Maintain Documentation
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Human Resources Management
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Data and Information Management
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Establish/Maintain Documentation
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Technical security Establish Roles
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Establish/Maintain Documentation
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Establish/Maintain Documentation
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Establish/Maintain Documentation
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Establish/Maintain Documentation
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Establish/Maintain Documentation
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Technical Security
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical security Technical Security
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Technical security Establish/Maintain Documentation
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Technical security Establish/Maintain Documentation
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Establish/Maintain Documentation
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Establish/Maintain Documentation
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Technical Security
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Records Management
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical security Technical Security
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical security Technical Security
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 Technical security Technical Security
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Technical security Configuration
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Technical Security
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical security Technical Security
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Establish/Maintain Documentation
    Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 Technical security Technical Security
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Technical Security
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Technical Security
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Technical Security
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Technical security Establish/Maintain Documentation
    Install security and protection software, as necessary. CC ID 00575
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    Technical security Configuration
    Install and maintain container security solutions. CC ID 16178 Technical security Technical Security
    Establish, implement, and maintain a physical security program. CC ID 11757
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain physical security plans. CC ID 13307 Physical and environmental protection Establish/Maintain Documentation
    Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 Physical and environmental protection Establish/Maintain Documentation
    Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain physical security procedures. CC ID 13076 Physical and environmental protection Establish/Maintain Documentation
    Analyze and evaluate engineering systems. CC ID 13080 Physical and environmental protection Physical and Environmental Protection
    Analyze and evaluate facilities and their structural elements. CC ID 13079 Physical and environmental protection Physical and Environmental Protection
    Analyze and evaluate mechanical systems, as necessary. CC ID 13078 Physical and environmental protection Physical and Environmental Protection
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 Physical and environmental protection Configuration
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 Physical and environmental protection Configuration
    Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 Physical and environmental protection Communicate
    Protect assets from tampering or unapproved substitution. CC ID 11902 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a facility physical security program. CC ID 00711 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Establish/Maintain Documentation
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Behavior
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Physical and Environmental Protection
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Establish/Maintain Documentation
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Establish/Maintain Documentation
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Physical and Environmental Protection
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Technical Security
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Establish/Maintain Documentation
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Physical and Environmental Protection
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Physical and Environmental Protection
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Physical and Environmental Protection
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Establish/Maintain Documentation
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Establish/Maintain Documentation
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Communicate
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Establish/Maintain Documentation
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Physical and Environmental Protection
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Physical and Environmental Protection
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Physical and Environmental Protection
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Establish/Maintain Documentation
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Establish/Maintain Documentation
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Physical and Environmental Protection
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Establish/Maintain Documentation
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Establish/Maintain Documentation
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Physical and Environmental Protection
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Testing
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Behavior
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Establish/Maintain Documentation
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Establish/Maintain Documentation
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Establish/Maintain Documentation
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Monitor and Evaluate Occurrences
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Establish/Maintain Documentation
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Human Resources Management
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Process or Activity
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Process or Activity
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Physical and Environmental Protection
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Testing
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Establish/Maintain Documentation
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Physical and Environmental Protection
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Behavior
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Human Resources Management
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Physical and Environmental Protection
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Behavior
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Physical and Environmental Protection
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Behavior
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Establish/Maintain Documentation
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Process or Activity
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Establish/Maintain Documentation
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Business Processes
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Establish/Maintain Documentation
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Process or Activity
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Establish/Maintain Documentation
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Establish/Maintain Documentation
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Physical and Environmental Protection
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Establish/Maintain Documentation
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Human Resources Management
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Establish/Maintain Documentation
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Establish/Maintain Documentation
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Configuration
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Configuration
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Configuration
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Physical and Environmental Protection
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Configuration
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Technical Security
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Establish/Maintain Documentation
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Technical Security
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Establish/Maintain Documentation
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Configuration
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Configuration
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Establish/Maintain Documentation
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Physical and Environmental Protection
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Physical and Environmental Protection
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Physical and Environmental Protection
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Physical and Environmental Protection
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Physical and Environmental Protection
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Physical and Environmental Protection
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Establish/Maintain Documentation
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Physical and Environmental Protection
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Physical and Environmental Protection
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Communicate
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Log Management
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Establish/Maintain Documentation
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Behavior
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Log Management
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Log Management
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Log Management
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Establish/Maintain Documentation
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Establish/Maintain Documentation
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Log Management
    Establish, implement, and maintain a physical access log. CC ID 12080 Physical and environmental protection Establish/Maintain Documentation
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Log Management
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Log Management
    Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Monitor and Evaluate Occurrences
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Configuration
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Configuration
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Records Management
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Establish/Maintain Documentation
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Physical and Environmental Protection
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Physical and Environmental Protection
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Physical and Environmental Protection
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Establish Roles
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Establish/Maintain Documentation
    Design interior walls with sound-absorbing materials as well as thermal-resistant materials. CC ID 06372 Physical and environmental protection Physical and Environmental Protection
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Configuration
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Behavior
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Behavior
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Business Processes
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Behavior
    Refrain from assisting with a search and seizure inside organizational facilities absent both a warrant and a legal compulsion to assist. CC ID 09984 Physical and environmental protection Behavior
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718
    [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Physical and environmental protection Physical and Environmental Protection
    Control the transiting and internal distribution or external distribution of assets. CC ID 00963
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Physical and environmental protection Records Management
    Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 Physical and environmental protection Log Management
    Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 Physical and environmental protection Technical Security
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 Physical and environmental protection Records Management
    Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 Physical and environmental protection Physical and Environmental Protection
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Physical and environmental protection Business Processes
    Restrict physical access to distributed assets. CC ID 11865
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Physical and environmental protection Physical and Environmental Protection
    House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 Physical and environmental protection Physical and Environmental Protection
    Protect electronic storage media with physical access controls. CC ID 00720 Physical and environmental protection Physical and Environmental Protection
    Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a media protection policy. CC ID 14029 Physical and environmental protection Establish/Maintain Documentation
    Include compliance requirements in the media protection policy. CC ID 14185 Physical and environmental protection Establish/Maintain Documentation
    Include coordination amongst entities in the media protection policy. CC ID 14184 Physical and environmental protection Establish/Maintain Documentation
    Include management commitment in the media protection policy. CC ID 14182 Physical and environmental protection Establish/Maintain Documentation
    Include roles and responsibilities in the media protection policy. CC ID 14180 Physical and environmental protection Establish/Maintain Documentation
    Include the scope in the media protection policy. CC ID 14167 Physical and environmental protection Establish/Maintain Documentation
    Include the purpose in the media protection policy. CC ID 14166 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 Physical and environmental protection Communicate
    Establish, implement, and maintain media protection procedures. CC ID 14062 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 Physical and environmental protection Communicate
    Establish, implement, and maintain removable storage media controls. CC ID 06680 Physical and environmental protection Data and Information Management
    Control access to restricted storage media. CC ID 04889 Physical and environmental protection Data and Information Management
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and environmental protection Physical and Environmental Protection
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Physical and environmental protection Records Management
    Treat archive media as evidence. CC ID 00960 Physical and environmental protection Records Management
    Log the transfer of removable storage media. CC ID 12322 Physical and environmental protection Log Management
    Establish, implement, and maintain storage media access control procedures. CC ID 00959 Physical and environmental protection Establish/Maintain Documentation
    Require removable storage media be in the custody of an authorized individual. CC ID 12319 Physical and environmental protection Behavior
    Control the storage of restricted storage media. CC ID 00965 Physical and environmental protection Records Management
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 Physical and environmental protection Physical and Environmental Protection
    Protect the combinations for all combination locks. CC ID 02199 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and environmental protection Physical and Environmental Protection
    Serialize all removable storage media. CC ID 00949 Physical and environmental protection Configuration
    Protect distributed assets against theft. CC ID 06799 Physical and environmental protection Physical and Environmental Protection
    Include Information Technology assets in the asset removal policy. CC ID 13162 Physical and environmental protection Establish/Maintain Documentation
    Specify the assets to be returned or removed in the asset removal policy. CC ID 13163
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 Physical and environmental protection Communicate
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 Physical and environmental protection Establish/Maintain Documentation
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Physical and environmental protection Process or Activity
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 Physical and environmental protection Physical and Environmental Protection
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681 Physical and environmental protection Physical and Environmental Protection
    Maintain records of all system components entering and exiting the facility. CC ID 14304 Physical and environmental protection Log Management
    Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 Physical and environmental protection Technical Security
    Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 Physical and environmental protection Technical Security
    Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 Physical and environmental protection Establish/Maintain Documentation
    Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a locking screen saver policy. CC ID 06717 Physical and environmental protection Establish/Maintain Documentation
    Encrypt information stored on devices in publicly accessible areas. CC ID 16410 Physical and environmental protection Data and Information Management
    Secure workstations to desks with security cables. CC ID 04724 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a mobile device management program. CC ID 15212 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a mobile device management policy. CC ID 15214 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain mobile device security guidelines. CC ID 04723 Physical and environmental protection Establish/Maintain Documentation
    Require users to refrain from leaving mobile devices unattended. CC ID 16446 Physical and environmental protection Business Processes
    Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 Physical and environmental protection Data and Information Management
    Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 Physical and environmental protection Establish/Maintain Documentation
    Include legal requirements in the mobile device security guidelines. CC ID 12291 Physical and environmental protection Establish/Maintain Documentation
    Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 Physical and environmental protection Physical and Environmental Protection
    Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 Physical and environmental protection Establish/Maintain Documentation
    Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 Physical and environmental protection Establish/Maintain Documentation
    Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 Physical and environmental protection Establish/Maintain Documentation
    Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 Physical and environmental protection Physical and Environmental Protection
    Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 Physical and environmental protection Physical and Environmental Protection
    Encrypt information stored on mobile devices. CC ID 01422 Physical and environmental protection Data and Information Management
    Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 Physical and environmental protection Physical and Environmental Protection
    Secure system components from unauthorized viewing. CC ID 01437 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain asset return procedures. CC ID 04537
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Physical and environmental protection Establish/Maintain Documentation
    Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 Physical and environmental protection Behavior
    Require the return of all assets upon notification an individual is terminated. CC ID 06679 Physical and environmental protection Behavior
    Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 Physical and environmental protection Behavior
    Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 Physical and environmental protection Behavior
    Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 Physical and environmental protection Behavior
    Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 Physical and environmental protection Configuration
    Establish, implement, and maintain open storage container procedures. CC ID 02198 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a clean desk policy. CC ID 06534 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a clear screen policy. CC ID 12436 Physical and environmental protection Technical Security
    Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 Physical and environmental protection Establish/Maintain Documentation
    Identify customer property within the organizational facility. CC ID 06612 Physical and environmental protection Physical and Environmental Protection
    Protect customer property under the care of the organization. CC ID 11685 Physical and environmental protection Physical and Environmental Protection
    Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 Physical and environmental protection Technical Security
    Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 Physical and environmental protection Configuration
    Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 Physical and environmental protection Technical Security
    Provide storage media shelving capable of bearing all potential loads. CC ID 11400 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain proper aircraft security. CC ID 02213 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a vehicle access program. CC ID 02216 Physical and environmental protection Establish/Maintain Documentation
    Establish parking requirements for vehicles. CC ID 02218 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain proper container security. CC ID 02208 Physical and environmental protection Physical and Environmental Protection
    Lock closable storage containers. CC ID 06307 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain returned card procedures. CC ID 13567 Physical and environmental protection Establish/Maintain Documentation
    Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 Physical and environmental protection Business Processes
    Establish and maintain the physical security of non-issued payment cards. CC ID 06402 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain payment card disposal procedures. CC ID 16137 Physical and environmental protection Establish/Maintain Documentation
    Control the issuance of payment cards. CC ID 06403 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a mailing control log. CC ID 16136 Physical and environmental protection Establish/Maintain Documentation
    Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 Physical and environmental protection Establish Roles
    Inventory payment cards, as necessary. CC ID 13547 Physical and environmental protection Records Management
    Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 Physical and environmental protection Physical and Environmental Protection
    Deliver payment cards to customers using secure methods. CC ID 06405 Physical and environmental protection Physical and Environmental Protection
    Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 Physical and environmental protection Business Processes
    Establish, implement, and maintain payment card usage security measures. CC ID 06406 Physical and environmental protection Establish/Maintain Documentation
    Notify customers about payment card usage security measures. CC ID 06407 Physical and environmental protection Behavior
    Establish, implement, and maintain payment card disposal procedures. CC ID 16135 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain physical security of assets used for publicity. CC ID 06724 Physical and environmental protection Physical and Environmental Protection
    Install and protect network cabling. CC ID 08624 Physical and environmental protection Physical and Environmental Protection
    Control physical access to network cables. CC ID 00723 Physical and environmental protection Process or Activity
    Install and protect fiber optic cable, as necessary. CC ID 08625 Physical and environmental protection Physical and Environmental Protection
    Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 Physical and environmental protection Physical and Environmental Protection
    Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 Physical and environmental protection Physical and Environmental Protection
    Install network cable in a way that allows ease of inspecting. CC ID 08626 Physical and environmental protection Physical and Environmental Protection
    Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain security classifications for network cabling. CC ID 08627 Physical and environmental protection Establish/Maintain Documentation
    Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 Physical and environmental protection Physical and Environmental Protection
    Label each end of a network cable run. CC ID 08632 Physical and environmental protection Physical and Environmental Protection
    Terminate approved network cables on the patch panel. CC ID 08633 Physical and environmental protection Physical and Environmental Protection
    Color code cables in accordance with organizational standards. CC ID 16422 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain documentation for network cabling schemes. CC ID 08641 Physical and environmental protection Establish/Maintain Documentation
    Prevent installing network cabling inside walls shared with third parties. CC ID 08648 Physical and environmental protection Physical and Environmental Protection
    Install network cabling specifically for maintenance purposes. CC ID 10613 Physical and environmental protection Physical and Environmental Protection
    Install and maintain network jacks and outlet boxes. CC ID 08635 Physical and environmental protection Physical and Environmental Protection
    Color code outlet boxes in accordance with organizational standards. CC ID 16451 Physical and environmental protection Physical and Environmental Protection
    Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 Physical and environmental protection Physical and Environmental Protection
    Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 Physical and environmental protection Physical and Environmental Protection
    Label network cabling outlet boxes. CC ID 08631 Physical and environmental protection Physical and Environmental Protection
    Enable network jacks at the patch panel, as necessary. CC ID 06305 Physical and environmental protection Configuration
    Implement logical controls to enable network jacks, as necessary. CC ID 11934 Physical and environmental protection Physical and Environmental Protection
    Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 Physical and environmental protection Physical and Environmental Protection
    Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 Physical and environmental protection Physical and Environmental Protection
    Install and maintain network patch panels. CC ID 08636 Physical and environmental protection Physical and Environmental Protection
    Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 Physical and environmental protection Physical and Environmental Protection
    Assign access to network patch panels on a need-to-know basis. CC ID 08638 Physical and environmental protection Physical and Environmental Protection
    Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 Physical and environmental protection Physical and Environmental Protection
    Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 Physical and environmental protection Physical and Environmental Protection
    Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 Physical and environmental protection Physical and Environmental Protection
    Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 Physical and environmental protection Physical and Environmental Protection
    Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity plan. CC ID 00752
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Identify all stakeholders in the continuity plan. CC ID 13256 Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Operational and Systems Continuity Communicate
    Maintain normal security levels when an emergency occurs. CC ID 06377 Operational and Systems Continuity Systems Continuity
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Operational and Systems Continuity Systems Continuity
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Operational and Systems Continuity Human Resources Management
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Operational and Systems Continuity Establish/Maintain Documentation
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Operational and Systems Continuity Human Resources Management
    Include the in-scope system's location in the continuity plan. CC ID 16246 Operational and Systems Continuity Systems Continuity
    Include the system description in the continuity plan. CC ID 16241 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain redundant systems. CC ID 16354 Operational and Systems Continuity Configuration
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Operational and Systems Continuity Behavior
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Operational and Systems Continuity Establish/Maintain Documentation
    Include the continuity strategy in the continuity plan. CC ID 13189 Operational and Systems Continuity Establish/Maintain Documentation
    Document and use the lessons learned to update the continuity plan. CC ID 10037 Operational and Systems Continuity Establish/Maintain Documentation
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Operational and Systems Continuity Technical Security
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Operational and Systems Continuity Process or Activity
    Record business continuity management system performance for posterity. CC ID 12411 Operational and Systems Continuity Monitor and Evaluate Occurrences
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Operational and Systems Continuity Process or Activity
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Operational and Systems Continuity Establish/Maintain Documentation
    Include incident management procedures in the continuity plan. CC ID 13244 Operational and Systems Continuity Establish/Maintain Documentation
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Operational and Systems Continuity Establish/Maintain Documentation
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Operational and Systems Continuity Establish/Maintain Documentation
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Operational and Systems Continuity Establish Roles
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Operational and Systems Continuity Communicate
    Document the uninterrupted power requirements for all in-scope systems. CC ID 06707 Operational and Systems Continuity Establish/Maintain Documentation
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 Operational and Systems Continuity Configuration
    Install a generator sized to support the facility. CC ID 06709 Operational and Systems Continuity Configuration
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Operational and Systems Continuity Establish/Maintain Documentation
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Operational and Systems Continuity Establish/Maintain Documentation
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Operational and Systems Continuity Systems Continuity
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Communicate
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Human Resources Management
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Establish/Maintain Documentation
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Establish/Maintain Documentation
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Communicate
    Include restoration procedures in the continuity plan. CC ID 01169 Operational and Systems Continuity Establish Roles
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Operational and Systems Continuity Establish/Maintain Documentation
    Include the recovery plan in the continuity plan. CC ID 01377 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Operational and Systems Continuity Communicate
    Disseminate and communicate business functions across multiple facilities using geographic separation. CC ID 10662 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Operational and Systems Continuity Systems Continuity
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 Operational and Systems Continuity Testing
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Operational and Systems Continuity Testing
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Operational and Systems Continuity Testing
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Operational and Systems Continuity Testing
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Operational and Systems Continuity Testing
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Operational and Systems Continuity Testing
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Operational and Systems Continuity Establish/Maintain Documentation
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Operational and Systems Continuity Testing
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 Operational and Systems Continuity Actionable Reports or Measurements
    Approve the continuity plan test results. CC ID 15718 Operational and Systems Continuity Systems Continuity
    Establish, implement, and maintain a personnel management program. CC ID 14018 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 Human Resources management Establish/Maintain Documentation
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Human Resources management Communicate
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources management Human Resources Management
    Train all personnel and third parties, as necessary. CC ID 00785 Human Resources management Behavior
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211
    [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4]
    Human Resources management Behavior
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Operational management Establish/Maintain Documentation
    Define the scope for the internal control framework. CC ID 16325 Operational management Business Processes
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Establish Roles
    Assign resources to implement the internal control framework. CC ID 00816 Operational management Business Processes
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Establish Roles
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)]
    Operational management Business Processes
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Establish/Maintain Documentation
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Establish/Maintain Documentation
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Business Processes
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Establish/Maintain Documentation
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Establish/Maintain Documentation
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Establish/Maintain Documentation
    Automate threat assessments, as necessary. CC ID 06877 Operational management Configuration
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Establish/Maintain Documentation
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Configuration
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Establish/Maintain Documentation
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Establish/Maintain Documentation
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Establish/Maintain Documentation
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Communicate
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Process or Activity
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Establish/Maintain Documentation
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Establish/Maintain Documentation
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Establish/Maintain Documentation
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Establish/Maintain Documentation
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Communicate
    Establish, implement, and maintain an information security program. CC ID 00812
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375 Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374 Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Establish/Maintain Documentation
    Include system development in the information security program. CC ID 12389 Operational management Establish/Maintain Documentation
    Include system maintenance in the information security program. CC ID 12388 Operational management Establish/Maintain Documentation
    Include system acquisition in the information security program. CC ID 12387 Operational management Establish/Maintain Documentation
    Include access control in the information security program. CC ID 12386 Operational management Establish/Maintain Documentation
    Include operations management in the information security program. CC ID 12385 Operational management Establish/Maintain Documentation
    Include communication management in the information security program. CC ID 12384 Operational management Establish/Maintain Documentation
    Include environmental security in the information security program. CC ID 12383 Operational management Establish/Maintain Documentation
    Include physical security in the information security program. CC ID 12382 Operational management Establish/Maintain Documentation
    Include human resources security in the information security program. CC ID 12381 Operational management Establish/Maintain Documentation
    Include asset management in the information security program. CC ID 12380 Operational management Establish/Maintain Documentation
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Establish/Maintain Documentation
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Establish/Maintain Documentation
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Establish/Maintain Documentation
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Establish/Maintain Documentation
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Establish/Maintain Documentation
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Establish/Maintain Documentation
    Include risk management in the information security program. CC ID 12378 Operational management Establish/Maintain Documentation
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Establish/Maintain Documentation
    Provide management direction and support for the information security program. CC ID 11999
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Operational management Process or Activity
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain an information security policy. CC ID 11740
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Process or Activity
    Establish, implement, and maintain information security procedures. CC ID 12006
    [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Operational management Business Processes
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Define thresholds for approving information security activities in the information security program. CC ID 15702
    [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)]
    Operational management Process or Activity
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Establish Roles
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Human Resources Management
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Establish/Maintain Documentation
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Human Resources Management
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Communicate
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Establish/Maintain Documentation
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Business Processes
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Business Processes
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Behavior
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Establish/Maintain Documentation
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Establish/Maintain Documentation
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Operational management Establish/Maintain Documentation
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Establish/Maintain Documentation
    Include startup processes in operational control procedures. CC ID 00833 Operational management Establish/Maintain Documentation
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Establish/Maintain Documentation
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Establish/Maintain Documentation
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Process or Activity
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Establish/Maintain Documentation
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Establish/Maintain Documentation
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Establish/Maintain Documentation
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Establish/Maintain Documentation
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Establish/Maintain Documentation
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Establish/Maintain Documentation
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Establish/Maintain Documentation
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Establish/Maintain Documentation
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Establish/Maintain Documentation
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Establish/Maintain Documentation
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Establish/Maintain Documentation
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Establish/Maintain Documentation
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Records Management
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Business Processes
    Provide support for information sharing activities. CC ID 15644 Operational management Process or Activity
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Business Processes
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Communicate
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Establish/Maintain Documentation
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Establish/Maintain Documentation
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Establish/Maintain Documentation
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Establish/Maintain Documentation
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Establish/Maintain Documentation
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Establish/Maintain Documentation
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Establish/Maintain Documentation
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Establish/Maintain Documentation
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355
    [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2]
    Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872
    [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3]
    Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Technical Security
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Establish/Maintain Documentation
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881
    [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2]
    Operational management Establish/Maintain Documentation
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Establish/Maintain Documentation
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Establish/Maintain Documentation
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Establish/Maintain Documentation
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Communicate
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661
    [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2
    {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1]
    Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Business Processes
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [Software includes trade secrets and proprietary information of the Reserve Banks and others, which may be copyrighted or patented, and must be handled in accordance with the requirements applicable to Confidential Information as set forth in Paragraph 5.4. 4.6 ¶ 1]
    Operational management Establish/Maintain Documentation
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513
    [{refrain from removing} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: remove any copyright or trademark notice contained in the Software. 4.4 ¶ 1(d)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Establish/Maintain Documentation
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Establish/Maintain Documentation
    Identify the sender in all electronic messages. CC ID 13996 Operational management Data and Information Management
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603
    [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Communicate
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a use of information agreement. CC ID 06215
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Operational management Establish/Maintain Documentation
    Include use limitations in the use of information agreement. CC ID 06244 Operational management Establish/Maintain Documentation
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Establish/Maintain Documentation
    Include information recipients in the use of information agreement. CC ID 06245 Operational management Establish/Maintain Documentation
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Establish/Maintain Documentation
    Include disclosure of information in the use of information agreement. CC ID 11830 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Establish/Maintain Documentation
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Operational management Establish/Maintain Documentation
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1
    Each Institution must at all times comply with the measures, protections, and requirements established under the Reserve Bank Program described in Section 1.1 of this Appendix A, the Institution Program described in Section 1.2 of this Appendix A, and any applicable Security Procedures (collectively, the "Security Requirements"). Appendix A 3.1 ¶ 1
    In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Business Processes
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Establish/Maintain Documentation
    Apply security controls to each level of the information classification standard. CC ID 01903
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)]
    Operational management Systems Design, Build, and Implementation
    Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 Operational management Establish/Maintain Documentation
    Define confidentiality controls. CC ID 01908 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' availability level. CC ID 01905 Operational management Establish/Maintain Documentation
    Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 Operational management Process or Activity
    Define integrity controls. CC ID 01909 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the systems' integrity level. CC ID 01906 Operational management Establish/Maintain Documentation
    Define availability controls. CC ID 01911 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a software accountability policy. CC ID 00868 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain software license management procedures. CC ID 06639
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Operational management Establish/Maintain Documentation
    Automate software license monitoring, as necessary. CC ID 07057 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 Operational management Establish/Maintain Documentation
    Perform periodic maintenance according to organizational standards. CC ID 01435
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1]
    Operational management Behavior
    Restart systems on a periodic basis. CC ID 16498 Operational management Maintenance
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Maintenance
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Technical Security
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Technical Security
    Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 Operational management Human Resources Management
    Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 Operational management Physical and Environmental Protection
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Establish/Maintain Documentation
    Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954
[Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement that the Institution must immediately notify the Federal Reserve Banks of any suspected or confirmed fraud, infringement, or security breach relating to any Electronic Connection. Appendix A 3.2 ¶ 1(vi)]
    Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Process or Activity
    Establish, implement, and maintain a Configuration Management program. CC ID 00867 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain system tracking documentation. CC ID 15266 System hardening through configuration management Establish/Maintain Documentation
    Include contact information in the system tracking documentation. CC ID 15280
    [The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6]
    System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain network parameter modification procedures. CC ID 01517 System hardening through configuration management Establish/Maintain Documentation
    Review and restrict network addresses and network protocols. CC ID 01518 System hardening through configuration management Configuration
    Define the location requirements for network elements and network devices. CC ID 16379
    [{refrain from situating} {unapproved location} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: situate any VPN device used in conjunction with an Electronic Connection in any location other than the Institution's or its Service Provider's premises within the United States or its territories; 4.4 ¶ 1(a)]
    System hardening through configuration management Process or Activity
    Configure security and protection software according to Organizational Standards. CC ID 11917
    [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1]
    System hardening through configuration management Configuration
    Configure security and protection software to automatically run at startup. CC ID 12443 System hardening through configuration management Configuration
    Configure security and protection software to enable automatic updates. CC ID 11945
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    System hardening through configuration management Configuration
    Configure security and protection software to check e-mail messages. CC ID 00578 System hardening through configuration management Testing
    Configure security and protection software to check e-mail attachments. CC ID 11860 System hardening through configuration management Configuration
    Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 System hardening through configuration management Configuration
    Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 System hardening through configuration management Configuration
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Establish/Maintain Documentation
    Define each system's disposition requirements for records and logs. CC ID 11651 Records management Process or Activity
    Establish, implement, and maintain records disposition procedures. CC ID 00971 Records management Establish/Maintain Documentation
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621
[Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Records management Records Management
    Place printed records awaiting destruction into secure containers. CC ID 12464 Records management Physical and Environmental Protection
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Records management Physical and Environmental Protection
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Data and Information Management
    Maintain disposal records or redeployment records. CC ID 01644
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Records management Establish/Maintain Documentation
    Include the name of the signing officer in the disposal record. CC ID 15710 Records management Establish/Maintain Documentation
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Establish/Maintain Documentation
    Establish, implement, and maintain security label procedures. CC ID 06747
    [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)]
    Records management Establish/Maintain Documentation
    Label restricted storage media appropriately. CC ID 00966 Records management Data and Information Management
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889 Records management Establish/Maintain Documentation
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Establish/Maintain Documentation
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Establish/Maintain Documentation
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Establish/Maintain Documentation
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Establish/Maintain Documentation
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Establish/Maintain Documentation
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Data and Information Management
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain system design requirements. CC ID 06618 Systems design, build, and implementation Establish/Maintain Documentation
    Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a system requirements specification. CC ID 01035
    [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Include system interoperability in the system requirements specification. CC ID 16256 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include equipment interoperability in the system requirements specification. CC ID 16257 Systems design, build, and implementation Acquisition/Sale of Assets or Services
    Assign senior management to approve functional requirements in the system requirements specification. CC ID 13067 Systems design, build, and implementation Human Resources Management
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Systems Design, Build, and Implementation
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems design, build, and implementation Systems Design, Build, and Implementation
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish and maintain access rights to source code based upon least privilege. CC ID 06962
    [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)]
    Systems design, build, and implementation Technical Security
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain payment systems. CC ID 13539
    [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1]
    Acquisition or sale of facilities, technology, and services Business Processes
    Document the business need justification for payment page scripts. CC ID 15480 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain payment transaction security measures. CC ID 13088 Acquisition or sale of facilities, technology, and services Technical Security
    Restrict transaction activities, as necessary. CC ID 16334
    [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)]
    Acquisition or sale of facilities, technology, and services Business Processes
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455
    [Notwithstanding any other provision of this Appendix, when a sender or a receiving bank (or a Service Provider) chooses to use one of the Security Procedures, it rejects other Security Procedures, and if any one of the rejected Security Procedures is commercially reasonable for such sender or receiving bank, the sender or receiving bank agrees to be bound by any payment order, whether or not authorized, if it was issued in the sender's or the receiving bank's name and accepted by a Reserve Bank in compliance with the Security Procedure selected, subject to Section 4A-203 of Article 4A of the Uniform Commercial Code. Appendix A 2.3(b)]
    Acquisition or sale of facilities, technology, and services Behavior
    Acquire products or services. CC ID 11450 Acquisition or sale of facilities, technology, and services Acquisition/Sale of Assets or Services
    Discourage the modification of vendor-supplied software. CC ID 12016
    [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)]
    Acquisition or sale of facilities, technology, and services Process or Activity
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Data and Information Management
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 Privacy protection for information and data Data and Information Management
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Establish/Maintain Documentation
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Establish/Maintain Documentation
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure date in the disclosure accounting record. CC ID 07133
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Establish/Maintain Documentation
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Establish/Maintain Documentation
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Establish/Maintain Documentation
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Establish/Maintain Documentation
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Establish/Maintain Documentation
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Communicate
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and restricted data in a timely manner. CC ID 00125
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2]
    Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Communicate
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Establish/Maintain Documentation
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Records Management
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Establish/Maintain Documentation
    Limit data leakage. CC ID 00356 Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain data handling procedures. CC ID 11756
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2]
    Privacy protection for information and data Establish/Maintain Documentation
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Establish/Maintain Documentation
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Data and Information Management
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Data and Information Management
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Business Processes
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Monitor and Evaluate Occurrences
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Communicate
    Develop remedies and sanctions for privacy policy violations. CC ID 00474 Privacy protection for information and data Data and Information Management
    Define the organization's liability based on the applicable law. CC ID 00504
    [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2
    An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c)
    Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4
    An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Establish/Maintain Documentation
    Include which parties are responsible for which fees in third party contracts. CC ID 10019
    [{be liable} A Reserve Bank's fees relating to Electronic Connections (including, for example, installation support and training) are published separately and are subject to change on thirty (30) calendar days' prior notice. A Reserve Bank charges these fees to the Institution's (or its correspondent's) account on a Reserve Bank's books. By designating a Service Provider, an Institution agrees that the Service Provider may be billed directly by the Reserve Bank for any fees related to the Service Provider's Electronic Connection. Notwithstanding any such direct billing, the Institution shall remain liable for any unpaid fees. 6.1 ¶ 1
    An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Business Processes
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in third party contracts. CC ID 13487
    [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)
    Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531
    [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1
    An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878
    [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b)
    {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516
    [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include an indemnification and liability clause in third party contracts. CC ID 06517
    [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2
    An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c)
    Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4
    The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Establish/Maintain Documentation
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Establish/Maintain Documentation
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Establish/Maintain Documentation
    Include disclosure requirements in third party contracts. CC ID 08825
    [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637
    [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2
    In addition, before sending a National Settlement Service settlement file to a Reserve Bank, a Settlement Agent must execute a security procedure agreement with the Host Reserve Bank (as defined in Operating Circular 12) in the form attached as Appendix B-1 to Operating Circular 12. Appendix A 2.3(a) ¶ 3]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838
    [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2]
    Third Party and supply chain oversight Process or Activity
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Establish Roles
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Business Processes
    Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353
    [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)
    {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Third Party and supply chain oversight Business Processes
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1]
    Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain third party reporting requirements. CC ID 13289
    [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Define timeliness factors for third party reporting requirements. CC ID 13304 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a third party payment system. CC ID 08903
    [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1]
    Third Party and supply chain oversight Business Processes
    Disclose payments made to third parties. CC ID 08904 Third Party and supply chain oversight Data and Information Management
    Document payments to third parties. CC ID 08905 Third Party and supply chain oversight Establish/Maintain Documentation
    Make third party payments freely and proportionate to the furnished services. CC ID 08906 Third Party and supply chain oversight Business Processes
    Establish a trust to pay for supply chain security forces. CC ID 08907 Third Party and supply chain oversight Business Processes
    Notify third parties of revenue collection weaknesses. CC ID 08909 Third Party and supply chain oversight Business Processes
    Avoid cash purchases of supplies from third parties. CC ID 08910 Third Party and supply chain oversight Business Processes
    Pay third parties through official banking channels. CC ID 08911 Third Party and supply chain oversight Business Processes
    Disclose payments made to supply chain security forces. CC ID 10031 Third Party and supply chain oversight Data and Information Management
    Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931
    [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)]
    Third Party and supply chain oversight Business Processes
    Assign unique reference numbers to all products and their subcomponents. CC ID 08932 Third Party and supply chain oversight Business Processes