0003700
Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS
US Federal Reserve
Regulatory Directive or Guidance
Free
Federal Reserve Banks Operating Circular No. 5
Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS
2023-07-01
The document as a whole was last reviewed and released on 2024-01-22T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the quality of the mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS are based upon terms found within the Authority Document's defined-terms section (which most legal documents have) or its glossary and, for the most part, upon terms as tagged within each mandate. Terms shown with links are the standardized versions of those terms.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control (with cited mandate) | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Business Processes | Preventive | |
Establish, implement, and maintain payment systems. CC ID 13539 [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1] | Business Processes | Preventive | |
Document the business need justification for payment page scripts. CC ID 15480 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 | Business Processes | Preventive | |
Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 | Business Processes | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Business Processes | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 | Technical Security | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Business Processes | Preventive | |
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 [Notwithstanding any other provision of this Appendix, when a sender or a receiving bank (or a Service Provider) chooses to use one of the Security Procedures, it rejects other Security Procedures, and if any one of the rejected Security Procedures is commercially reasonable for such sender or receiving bank, the sender or receiving bank agrees to be bound by any payment order, whether or not authorized, if it was issued in the sender's or the receiving bank's name and accepted by a Reserve Bank in compliance with the Security Procedure selected, subject to Section 4A-203 of Article 4A of the Uniform Commercial Code. Appendix A 2.3(b)] | Behavior | Preventive | |
Acquire products or services. CC ID 11450 | Acquisition/Sale of Assets or Services | Preventive | |
Discourage the modification of vendor-supplied software. CC ID 12016 [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)] | Process or Activity | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control (with cited mandate) | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Establish Roles | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)] | Testing | Detective | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2] | Establish/Maintain Documentation | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Actionable Reports or Measurements | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Records Management | Preventive | |
Audit policies, standards, and procedures. CC ID 12927 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2] | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Audits and Risk Management | Detective | |
Establish and maintain organizational audit reports. CC ID 06731 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)] | Actionable Reports or Measurements | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Actionable Reports or Measurements | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Establish/Maintain Documentation | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A confirmation that the Institution has conducted a Self-Assessment within the time period requested by the Reserve Banks; Appendix A 3.2 ¶ 1(ii)] | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)] | Establish/Maintain Documentation | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Establish/Maintain Documentation | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Establish/Maintain Documentation | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)] | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Actionable Reports or Measurements | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Establish/Maintain Documentation | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Establish/Maintain Documentation | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and Risk Management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and Risk Management | Detective | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
Review past audit reports. CC ID 01155 | Establish/Maintain Documentation | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Behavior | Preventive | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include an audit opinion in the audit report. CC ID 07017 | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Establish/Maintain Documentation | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Establish/Maintain Documentation | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, an acknowledgement that the Institution is responsible for its Service Provider's compliance with the Security Requirements; Appendix A 3.2 ¶ 1(iv)] | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Establish/Maintain Documentation | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Establish/Maintain Documentation | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Establish/Maintain Documentation | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Establish/Maintain Documentation | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Actionable Reports or Measurements | Preventive | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Log Management | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e) {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 | Testing | Detective | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Establish/Maintain Documentation | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Communicate | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources Management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Behavior | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4] | Behavior | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) When a Settlement Instruction is issued, the Offline Security Procedure involves a telephone call initiated by an authorized employee of the Settlement Agent followed by the transmission by e-mail or facsimile of a Settlement Instruction signed (in the case of a facsimile) by an authorized employee of the Settlement Agent or sent from the e-mail address of an authorized employee of the Settlement Agent. Appendix A 2.3(c) ¶ 5] | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 ["Confidential Information" shall include all information, provided in writing, electronically or orally, which is designated by Reserve Bank herein or by other means as "Confidential." All security-related information, including information regarding Access Control Features and security procedures, whether or not it is labeled as "Confidential," is hereby designated as "Confidential," unless a Reserve Bank makes any such information generally available to the public (i.e., places it on its unrestricted public Web site or otherwise publishes it to the general public). Confidential Information contains trade secrets, proprietary information or security information of Reserve Banks or others. Unauthorized disclosure of Confidential Information likely would cause a Reserve Bank immediate and irreparable damage for which there may be no adequate remedy at law. 5.4 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Data and Information Management | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Data and Information Management | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Data and Information Management | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Data and Information Management | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Data and Information Management | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Data and Information Management | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Data and Information Management | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Data and Information Management | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Data and Information Management | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement of the Institution's responsibility to adhere to the Security Requirements; Appendix A 3.2 ¶ 1(i)] | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Log Management | Detective | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitor and Evaluate Occurrences | Preventive | |
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Configuration | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitor and Evaluate Occurrences | Detective | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitor and Evaluate Occurrences | Detective | |
Detect unauthorized access to systems. CC ID 06798 [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Monitor and Evaluate Occurrences | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Establish/Maintain Documentation | Preventive | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Systems Continuity | Corrective | |
Report changes in the continuity plan to senior management. CC ID 12757 | Communicate | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Communicate | Preventive | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Establish/Maintain Documentation | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Human Resources Management | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Establish/Maintain Documentation | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Human Resources Management | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Systems Continuity | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Configuration | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Behavior | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Establish/Maintain Documentation | Preventive | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Establish/Maintain Documentation | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Systems Continuity | Corrective | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 | Establish/Maintain Documentation | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Technical Security | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Monitor and Evaluate Occurrences | Detective | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Process or Activity | Preventive | |
Record business continuity management system performance for posterity. CC ID 12411 | Monitor and Evaluate Occurrences | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Process or Activity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Establish/Maintain Documentation | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Establish/Maintain Documentation | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Establish Roles | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Communicate | Preventive | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Establish/Maintain Documentation | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Configuration | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Configuration | Preventive | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Acquisition/Sale of Assets or Services | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Establish/Maintain Documentation | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Establish/Maintain Documentation | Preventive | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Testing | Detective | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Communicate | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Establish/Maintain Documentation | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Establish/Maintain Documentation | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Human Resources Management | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Establish/Maintain Documentation | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Establish/Maintain Documentation | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Establish/Maintain Documentation | Preventive | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Investigate | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Testing | Detective | |
Test the backup information, as necessary. CC ID 13303 | Testing | Detective | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Communicate | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 | Establish Roles | Preventive | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Establish/Maintain Documentation | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Communicate | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Systems Continuity | Corrective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Testing | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Testing | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Testing | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Testing | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Testing | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Testing | Detective | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Testing | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 | Testing | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Actionable Reports or Measurements | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Testing | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Testing | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2 {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [Software includes trade secrets and proprietary information of the Reserve Banks and others, which may be copyrighted or patented, and must be handled in accordance with the requirements applicable to Confidential Information as set forth in Paragraph 5.4. 4.6 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 [{refrain from removing} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: remove any copyright or trademark notice contained in the Software. 4.4 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1 Each Institution must at all times comply with the measures, protections, and requirements established under the Reserve Bank Program described in Section 1.1 of this Appendix A, the Institution Program described in Section 1.2 of this Appendix A, and any applicable Security Procedures (collectively, the "Security Requirements"). Appendix A 3.1 ¶ 1 In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Establish/Maintain Documentation | Preventive | |
Define confidentiality controls. CC ID 01908 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Establish/Maintain Documentation | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Process or Activity | Preventive | |
Define integrity controls. CC ID 01909 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Establish/Maintain Documentation | Preventive | |
Define availability controls. CC ID 01911 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Automate software license monitoring, as necessary. CC ID 07057 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Establish/Maintain Documentation | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1] | Behavior | Preventive | |
Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Technical Security | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Technical Security | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Establish/Maintain Documentation | Preventive | |
Respond to and triage when an incident is detected. CC ID 06942 | Monitor and Evaluate Occurrences | Detective | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Process or Activity | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Process or Activity | Corrective | |
Isolate compromised systems from the network. CC ID 01753 [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)] | Technical Security | Corrective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Data and Information Management | Corrective | |
Share data loss event information with the media. CC ID 01759 | Behavior | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Data and Information Management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Establish/Maintain Documentation | Corrective | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Data and Information Management | Corrective | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Log Management | Detective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Behavior | Corrective | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Establish/Maintain Documentation | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement that the Institution must immediately notify the Federal Reserve Banks of any suspected or confirmed fraud, infringement, or security breach relating to any Electronic Connection. Appendix A 3.2 ¶ 1(vi)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Establish/Maintain Documentation | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Establish Roles | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Establish Roles | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g) In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4 {breach notification} Each Institution and any Service Provider shall include within its security breach related notification procedures and processes (e.g., within disaster recovery, hazard, business continuity, cyber security, and other appropriate procedures and processes) the obligation to immediately notify Federal Reserve Financial Services by telephone at (888) 333-7010, with written confirmation via email at ccc.technical.support@kc.frb.org, in the event of a known, suspected, or threatened compromise, cyber event, fraud, malware detection, or other security incident or breach that would render the Electronic Connection vulnerable to misconduct. Appendix A 1.2(c)] | Communicate | Corrective | |
Establish, implement, and maintain a change control program. CC ID 00886 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Configuration | Corrective | |
Patch the operating system, as necessary. CC ID 11824 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Technical Security | Corrective | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a physical security program. CC ID 11757 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Establish/Maintain Documentation | Preventive | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Establish/Maintain Documentation | Preventive | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Establish/Maintain Documentation | Preventive | |
Conduct external audits of the physical security plan. CC ID 13314 | Audits and Risk Management | Detective | |
Establish, implement, and maintain physical security procedures. CC ID 13076 | Establish/Maintain Documentation | Preventive | |
Analyze and evaluate engineering systems. CC ID 13080 | Physical and Environmental Protection | Preventive | |
Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and Environmental Protection | Preventive | |
Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and Environmental Protection | Preventive | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Communicate | Corrective | |
Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Monitor and Evaluate Occurrences | Detective | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Configuration | Preventive | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Configuration | Preventive | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Monitor and Evaluate Occurrences | Detective | |
Inspect device surfaces to detect tampering. CC ID 11868 | Investigate | Detective | |
Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Investigate | Detective | |
Inspect for tampering, as necessary. CC ID 10640 | Monitor and Evaluate Occurrences | Detective | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Communicate | Preventive | |
Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Establish/Maintain Documentation | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Behavior | Preventive | |
Protect the facility from crime. CC ID 06347 | Physical and Environmental Protection | Preventive | |
Define communication methods for reporting crimes. CC ID 06349 | Establish/Maintain Documentation | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Establish/Maintain Documentation | Preventive | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and Environmental Protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and Environmental Protection | Preventive | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Establish/Maintain Documentation | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Establish/Maintain Documentation | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Communicate | Preventive | |
Post and maintain security signage for all facilities. CC ID 02201 | Establish/Maintain Documentation | Preventive | |
Inspect items brought into the facility. CC ID 06341 | Physical and Environmental Protection | Preventive | |
Maintain all physical security systems. CC ID 02206 | Physical and Environmental Protection | Preventive | |
Detect anomalies in physical barriers. CC ID 13533 | Investigate | Detective | |
Maintain all security alarm systems. CC ID 11669 | Physical and Environmental Protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Establish/Maintain Documentation | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Establish/Maintain Documentation | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and Environmental Protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and Environmental Protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Establish/Maintain Documentation | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Establish/Maintain Documentation | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and Environmental Protection | Preventive | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Testing | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Behavior | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Establish/Maintain Documentation | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Establish/Maintain Documentation | Preventive | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Establish/Maintain Documentation | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and Environmental Protection | Corrective | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Establish/Maintain Documentation | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Human Resources Management | Preventive | |
Implement physical identification processes. CC ID 13715 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Process or Activity | Preventive | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and Environmental Protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Testing | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Establish/Maintain Documentation | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Establish/Maintain Documentation | Corrective | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and Environmental Protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Behavior | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Human Resources Management | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and Environmental Protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Behavior | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and Environmental Protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Behavior | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Establish/Maintain Documentation | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Process or Activity | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Establish/Maintain Documentation | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Business Processes | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Establish/Maintain Documentation | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Process or Activity | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Establish/Maintain Documentation | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Establish/Maintain Documentation | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and Environmental Protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and Environmental Protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and Environmental Protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Establish/Maintain Documentation | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Human Resources Management | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Establish/Maintain Documentation | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Establish/Maintain Documentation | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Configuration | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Configuration | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Configuration | Preventive | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and Environmental Protection | Preventive | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Configuration | Preventive | |
Test locks for physical security vulnerabilities. CC ID 04880 | Testing | Detective | |
Secure unissued access mechanisms. CC ID 06713 | Technical Security | Preventive | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Establish/Maintain Documentation | Preventive | |
Change cipher lock codes, as necessary. CC ID 06651 | Technical Security | Preventive | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Establish/Maintain Documentation | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Configuration | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Configuration | Preventive | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Establish/Maintain Documentation | Preventive | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and Environmental Protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and Environmental Protection | Preventive | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and Environmental Protection | Preventive | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and Environmental Protection | Preventive | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and Environmental Protection | Preventive | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and Environmental Protection | Preventive | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Establish/Maintain Documentation | Preventive | |
Establish a security room, if necessary. CC ID 00738 | Physical and Environmental Protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and Environmental Protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and Environmental Protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and Environmental Protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and Environmental Protection | Detective | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Communicate | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain a visitor log. CC ID 00715 | Log Management | Preventive | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Establish/Maintain Documentation | Preventive | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Investigate | Detective | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Behavior | Preventive | |
Record the visitor's name in the visitor log. CC ID 00557 | Log Management | Preventive | |
Record the visitor's organization in the visitor log. CC ID 12121 | Log Management | Preventive | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Log Management | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Establish/Maintain Documentation | Preventive | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Establish/Maintain Documentation | Preventive | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Log Management | Preventive | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Establish/Maintain Documentation | Preventive | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Log Management | Preventive | |
Log when the vault is accessed. CC ID 06725 | Log Management | Detective | |
Log when the cabinet is accessed. CC ID 11674 | Log Management | Detective | |
Store facility access logs in off-site storage. CC ID 06958 | Log Management | Preventive | |
Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 | Monitor and Evaluate Occurrences | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Monitor and Evaluate Occurrences | Detective | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Monitor and Evaluate Occurrences | Detective | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Configuration | Preventive | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Configuration | Preventive | |
Retain video events according to Records Management procedures. CC ID 06304 | Records Management | Preventive | |
Monitor physical entry point alarms. CC ID 01639 | Physical and Environmental Protection | Detective | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Monitor and Evaluate Occurrences | Detective | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Establish/Maintain Documentation | Preventive | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and Environmental Protection | Preventive | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and Environmental Protection | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and Environmental Protection | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Establish Roles | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Establish/Maintain Documentation | Preventive | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and Environmental Protection | Preventive | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Configuration | Preventive | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Behavior | Preventive | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Behavior | Preventive | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Business Processes | Preventive | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Behavior | Preventive | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Behavior | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Physical and Environmental Protection | Preventive | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Records Management | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Log Management | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Technical Security | Preventive | |
Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Records Management | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and Environmental Protection | Preventive | |
Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Business Processes | Preventive | |
Track restricted storage media while it is in transit. CC ID 00967 | Data and Information Management | Detective | |
Restrict physical access to distributed assets. CC ID 11865 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Physical and Environmental Protection | Preventive | |
House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and Environmental Protection | Preventive | |
Protect electronic storage media with physical access controls. CC ID 00720 | Physical and Environmental Protection | Preventive | |
Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Establish/Maintain Documentation | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Communicate | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Communicate | Preventive | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 | Data and Information Management | Preventive | |
Control access to restricted storage media. CC ID 04889 | Data and Information Management | Preventive | |
Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and Environmental Protection | Preventive | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Records Management | Preventive | |
Treat archive media as evidence. CC ID 00960 | Records Management | Preventive | |
Log the transfer of removable storage media. CC ID 12322 | Log Management | Preventive | |
Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Establish/Maintain Documentation | Preventive | |
Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Behavior | Preventive | |
Control the storage of restricted storage media. CC ID 00965 | Records Management | Preventive | |
Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and Environmental Protection | Preventive | |
Protect the combinations for all combination locks. CC ID 02199 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Establish/Maintain Documentation | Preventive | |
Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and Environmental Protection | Preventive | |
Serialize all removable storage media. CC ID 00949 | Configuration | Preventive | |
Protect distributed assets against theft. CC ID 06799 | Physical and Environmental Protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Communicate | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Establish/Maintain Documentation | Preventive | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Process or Activity | Preventive | |
Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and Environmental Protection | Preventive | |
Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and Environmental Protection | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Technical Security | Preventive | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Technical Security | Preventive | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Establish/Maintain Documentation | Preventive | |
Attach asset location technologies to distributed assets. CC ID 10626 | Physical and Environmental Protection | Detective | |
Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and Environmental Protection | Preventive | |
Monitor the location of distributed assets. CC ID 11684 | Monitor and Evaluate Occurrences | Detective | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Process or Activity | Corrective | |
Unpair missing Bluetooth devices. CC ID 12428 | Physical and Environmental Protection | Corrective | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Establish/Maintain Documentation | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Data and Information Management | Preventive | |
Secure workstations to desks with security cables. CC ID 04724 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Establish/Maintain Documentation | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Business Processes | Preventive | |
Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Establish/Maintain Documentation | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Data and Information Management | Preventive | |
Include legal requirements in the mobile device security guidelines. CC ID 12291 | Establish/Maintain Documentation | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and Environmental Protection | Preventive | |
Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Establish/Maintain Documentation | Preventive | |
Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Establish/Maintain Documentation | Preventive | |
Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Establish/Maintain Documentation | Preventive | |
Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and Environmental Protection | Preventive | |
Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and Environmental Protection | Preventive | |
Encrypt information stored on mobile devices. CC ID 01422 | Data and Information Management | Preventive | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Process or Activity | Corrective | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and Environmental Protection | Preventive | |
Secure system components from unauthorized viewing. CC ID 01437 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain asset return procedures. CC ID 04537 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Behavior | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Behavior | Preventive | |
Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Behavior | Preventive | |
Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Behavior | Preventive | |
Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Behavior | Preventive | |
Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Configuration | Preventive | |
Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Investigate | Detective | |
Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Monitor and Evaluate Occurrences | Corrective | |
Establish, implement, and maintain open storage container procedures. CC ID 02198 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 | Technical Security | Preventive | |
Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Establish/Maintain Documentation | Preventive | |
Identify customer property within the organizational facility. CC ID 06612 | Physical and Environmental Protection | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and Environmental Protection | Preventive | |
Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Technical Security | Preventive | |
Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Configuration | Preventive | |
Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Technical Security | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a vehicle access program. CC ID 02216 | Establish/Maintain Documentation | Preventive | |
Establish parking requirements for vehicles. CC ID 02218 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain proper container security. CC ID 02208 | Physical and Environmental Protection | Preventive | |
Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and Environmental Protection | Detective | |
Lock closable storage containers. CC ID 06307 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Establish/Maintain Documentation | Preventive | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Business Processes | Preventive | |
Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16137 | Establish/Maintain Documentation | Preventive | |
Control the issuance of payment cards. CC ID 06403 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Establish/Maintain Documentation | Preventive | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Establish Roles | Preventive | |
Inventory payment cards, as necessary. CC ID 13547 | Records Management | Preventive | |
Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and Environmental Protection | Preventive | |
Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and Environmental Protection | Preventive | |
Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Business Processes | Preventive | |
Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Establish/Maintain Documentation | Preventive | |
Notify customers about payment card usage security measures. CC ID 06407 | Behavior | Preventive | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Establish/Maintain Documentation | Preventive | |
Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and Environmental Protection | Preventive | |
Install and protect network cabling. CC ID 08624 | Physical and Environmental Protection | Preventive | |
Control physical access to network cables. CC ID 00723 | Process or Activity | Preventive | |
Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and Environmental Protection | Preventive | |
Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and Environmental Protection | Preventive | |
Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and Environmental Protection | Detective | |
Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and Environmental Protection | Preventive | |
Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and Environmental Protection | Preventive | |
Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and Environmental Protection | Detective | |
Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and Environmental Protection | Preventive | |
Establish and maintain security classifications for network cabling. CC ID 08627 | Establish/Maintain Documentation | Preventive | |
Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and Environmental Protection | Preventive | |
Label each end of a network cable run. CC ID 08632 | Physical and Environmental Protection | Preventive | |
Terminate approved network cables on the patch panel. CC ID 08633 | Physical and Environmental Protection | Preventive | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and Environmental Protection | Preventive | |
Establish and maintain documentation for network cabling schemes. CC ID 08641 | Establish/Maintain Documentation | Preventive | |
Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and Environmental Protection | Preventive | |
Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and Environmental Protection | Preventive | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and Environmental Protection | Preventive | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and Environmental Protection | Preventive | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and Environmental Protection | Preventive | |
Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and Environmental Protection | Preventive | |
Label network cabling outlet boxes. CC ID 08631 | Physical and Environmental Protection | Preventive | |
Enable network jacks at the patch panel, as necessary. CC ID 06305 | Configuration | Preventive | |
Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and Environmental Protection | Preventive | |
Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and Environmental Protection | Preventive | |
Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and Environmental Protection | Preventive | |
Install and maintain network patch panels. CC ID 08636 | Physical and Environmental Protection | Preventive | |
Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and Environmental Protection | Preventive | |
Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and Environmental Protection | Preventive | |
Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and Environmental Protection | Preventive | |
Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and Environmental Protection | Preventive | |
Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and Environmental Protection | Preventive | |
Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and Environmental Protection | Preventive | |
Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and Environmental Protection | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Data and Information Management | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Establish/Maintain Documentation | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Data and Information Management | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Establish/Maintain Documentation | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Establish/Maintain Documentation | Preventive | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Establish/Maintain Documentation | Preventive | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Establish/Maintain Documentation | Preventive | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Establish/Maintain Documentation | Preventive | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Establish/Maintain Documentation | Preventive | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Establish/Maintain Documentation | Preventive | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Establish/Maintain Documentation | Preventive | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Establish/Maintain Documentation | Preventive | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Communicate | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Establish/Maintain Documentation | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2] | Data and Information Management | Preventive | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Records Management | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Communicate | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Establish/Maintain Documentation | Preventive | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Records Management | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)] | Monitor and Evaluate Occurrences | Corrective | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
Define the organization's liability based on the applicable law. CC ID 00504 [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2 An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c) Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4 An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Establish/Maintain Documentation | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Process or Activity | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 | Establish/Maintain Documentation | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Records Management | Preventive | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Physical and Environmental Protection | Preventive | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Physical and Environmental Protection | Preventive | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Data and Information Management | Preventive | |
Maintain disposal records or redeployment records. CC ID 01644 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Data and Information Management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records Management | Detective | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Establish/Maintain Documentation | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Establish/Maintain Documentation | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Establish/Maintain Documentation | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Data and Information Management | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system tracking documentation. CC ID 15266 | Establish/Maintain Documentation | Preventive | |
Include contact information in the system tracking documentation. CC ID 15280 [The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain network parameter modification procedures. CC ID 01517 | Establish/Maintain Documentation | Preventive | |
Review and restrict network addresses and network protocols. CC ID 01518 | Configuration | Preventive | |
Define the location requirements for network elements and network devices. CC ID 16379 [{refrain from situating} {unapproved location} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: situate any VPN device used in conjunction with an Electronic Connection in any location other than the Institution's or its Service Provider's premises within the United States or its territories; 4.4 ¶ 1(a)] | Process or Activity | Preventive | |
Configure security and protection software according to Organizational Standards. CC ID 11917 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Configuration | Preventive | |
Configure security and protection software to automatically run at startup. CC ID 12443 | Configuration | Preventive | |
Configure security and protection software to check for up-to-date signature files. CC ID 00576 | Testing | Detective | |
Configure security and protection software to enable automatic updates. CC ID 11945 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Configuration | Preventive | |
Configure security and protection software to check e-mail messages. CC ID 00578 | Testing | Preventive | |
Configure security and protection software to check e-mail attachments. CC ID 11860 | Configuration | Preventive | |
Configure security and protection software to check for phishing attacks. CC ID 04569 | Technical Security | Detective | |
Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 | Configuration | Preventive | |
Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 | Configuration | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain system design requirements. CC ID 06618 | Establish/Maintain Documentation | Preventive | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a system requirements specification. CC ID 01035 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Systems Design, Build, and Implementation | Preventive | |
Include relevant resources needed for the system design project in the system requirements specification. CC ID 01036 | Systems Design, Build, and Implementation | Detective | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems Design, Build, and Implementation | Preventive | |
Include pertinent legal requirements in the system requirements specification. CC ID 01037 | Systems Design, Build, and Implementation | Detective | |
Include recordkeeping documentation standards in the system requirements specification. CC ID 01038 | Records Management | Detective | |
Include archives and record management standards in the system requirements specification. CC ID 01039 | Records Management | Detective | |
Include privacy requirements in the system requirements specification. CC ID 01040 | Systems Design, Build, and Implementation | Detective | |
Include file format standards in the system requirements specification. CC ID 01041 | Records Management | Detective | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Acquisition/Sale of Assets or Services | Preventive | |
Include record retention requirements in the system requirements specification. CC ID 01042 | Records Management | Detective | |
Assign senior management to approve functional requirements in the system requirements specification. CC ID 13067 | Human Resources Management | Preventive | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems Design, Build, and Implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain access rights to source code based upon least privilege. CC ID 06962 [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)] | Technical Security | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 [An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)] | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Establish/Maintain Documentation | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Establish/Maintain Documentation | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1; {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d); {physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Configuration | Preventive | |
Include all system components in the access control system. CC ID 11939 | Technical Security | Preventive | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Process or Activity | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical Security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical Security | Preventive | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical Security | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Establish Roles | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4; The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Data and Information Management | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical Security | Preventive | |
Establish, implement, and maintain an authority for access authorization list. CC ID 06782 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3; The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | Establish/Maintain Documentation | Preventive | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b); {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Technical Security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Establish/Maintain Documentation | Preventive | |
Grant access to authorized personnel or systems. CC ID 12186 | Configuration | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3; The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Communicate | Preventive | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Communicate | Preventive | |
Identify and control all network access controls. CC ID 00529 [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1] | Technical Security | Preventive | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 | Technical Security | Detective | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Establish/Maintain Documentation | Preventive | |
Enforce the network segmentation requirements. CC ID 16381 | Process or Activity | Preventive | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical Security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Establish/Maintain Documentation | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Communicate | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Communicate | Preventive | |
Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Establish/Maintain Documentation | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Establish/Maintain Documentation | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 | Establish/Maintain Documentation | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Establish/Maintain Documentation | Preventive | |
Include virtual systems in the network diagram. CC ID 16324 | Data and Information Management | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Establish/Maintain Documentation | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Process or Activity | Detective | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Establish/Maintain Documentation | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Establish/Maintain Documentation | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Communicate | Preventive | |
Maintain up-to-date data flow diagrams. CC ID 10059 | Establish/Maintain Documentation | Preventive | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Process or Activity | Detective | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Establish/Maintain Documentation | Detective | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Establish/Maintain Documentation | Preventive | |
Document where data at rest and data in transit are encrypted on the data flow diagram. CC ID 16412 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Communicate | Preventive | |
Manage all internal network connections. CC ID 06329 | Technical Security | Preventive | |
Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 | Technical Security | Preventive | |
Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 | Technical Security | Preventive | |
Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 | Technical Security | Preventive | |
Plan for and approve all network changes. CC ID 00534 | Technical Security | Preventive | |
Manage all external network connections. CC ID 11842 | Technical Security | Preventive | |
Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 | Technical Security | Preventive | |
Prohibit systems from connecting directly to external networks. CC ID 08709 | Configuration | Preventive | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical Security | Preventive | |
Secure the Domain Name System. CC ID 00540 | Configuration | Preventive | |
Implement a fault-tolerant architecture. CC ID 01626 | Technical Security | Preventive | |
Implement segregation of duties. CC ID 11843 | Technical Security | Preventive | |
Configure the network to limit zone transfers to trusted servers. CC ID 01876 | Configuration | Preventive | |
Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 | Testing | Detective | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Establish/Maintain Documentation | Preventive | |
Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 | Technical Security | Preventive | |
Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Communicate | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical Security | Preventive | |
Implement gateways between security domains. CC ID 16493 | Systems Design, Build, and Implementation | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical Security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical Security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical Security | Preventive | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical Security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical Security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Data and Information Management | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 | Technical Security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical Security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Data and Information Management | Preventive | |
Establish, implement, and maintain a network access control standard. CC ID 00546 | Establish/Maintain Documentation | Preventive | |
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Establish Roles | Preventive | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical Security | Preventive | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical Security | Preventive | |
Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Configuration | Preventive | |
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Configuration | Preventive | |
Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Configuration | Preventive | |
Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical Security | Preventive | |
Include configuration management and rulesets in the network access control standard. CC ID 11845 | Establish/Maintain Documentation | Preventive | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Establish/Maintain Documentation | Preventive | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical Security | Preventive | |
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Configuration | Preventive | |
Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 | Process or Activity | Detective | |
Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 | Establish/Maintain Documentation | Preventive | |
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 | Technical Security | Corrective | |
Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 | Establish/Maintain Documentation | Preventive | |
Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 | Establish/Maintain Documentation | Preventive | |
Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 | Establish/Maintain Documentation | Preventive | |
Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 | Establish/Maintain Documentation | Preventive | |
Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 | Establish/Maintain Documentation | Preventive | |
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Configuration | Preventive | |
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Establish/Maintain Documentation | Preventive | |
Configure network ports to organizational standards. CC ID 14007 | Configuration | Preventive | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Establish/Maintain Documentation | Preventive | |
Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Establish/Maintain Documentation | Preventive | |
Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 | Establish/Maintain Documentation | Preventive | |
Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Establish/Maintain Documentation | Preventive | |
Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Establish/Maintain Documentation | Preventive | |
Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 | Configuration | Preventive | |
Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 | Technical Security | Preventive | |
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 | Configuration | Preventive | |
Protect data stored at external locations. CC ID 16333 | Data and Information Management | Preventive | |
Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Configuration | Detective | |
Protect the firewall's network connection interfaces. CC ID 01955 | Technical Security | Preventive | |
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 | Configuration | Preventive | |
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Configuration | Preventive | |
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Configuration | Preventive | |
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Configuration | Preventive | |
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Configuration | Preventive | |
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Configuration | Preventive | |
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Configuration | Preventive | |
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Configuration | Preventive | |
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Configuration | Preventive | |
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Configuration | Preventive | |
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Configuration | Preventive | |
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Configuration | Preventive | |
Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Configuration | Preventive | |
Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Testing | Detective | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical Security | Preventive | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical Security | Preventive | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Data and Information Management | Preventive | |
Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Data and Information Management | Preventive | |
Synchronize and secure all router configuration files. CC ID 01291 | Configuration | Preventive | |
Synchronize and secure all firewall configuration files. CC ID 11851 | Configuration | Preventive | |
Configure firewalls to generate an audit log. CC ID 12038 | Audits and Risk Management | Preventive | |
Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Configuration | Preventive | |
Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Establish/Maintain Documentation | Preventive | |
Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Establish/Maintain Documentation | Preventive | |
Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Establish/Maintain Documentation | Preventive | |
Configure network access and control points to organizational standards. CC ID 12442 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Configuration | Detective | |
Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 | Configuration | Preventive | |
Update application layer firewalls to the most current version. CC ID 12037 | Process or Activity | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 | Establish/Maintain Documentation | Preventive | |
Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 | Configuration | Preventive | |
Remove all unauthorized Wireless Local Area Networks. CC ID 06309 | Configuration | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol design specification. CC ID 01449 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 | Establish/Maintain Documentation | Preventive | |
Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 | Technical Security | Preventive | |
Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 | Configuration | Preventive | |
Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 | Technical Security | Preventive | |
Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 | Configuration | Preventive | |
Remove all unauthorized wireless access points. CC ID 11856 | Configuration | Preventive | |
Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Establish/Maintain Documentation | Preventive | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 | Data and Information Management | Preventive | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Data and Information Management | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)] | Establish/Maintain Documentation | Preventive | |
Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Data and Information Management | Preventive | |
Establish, implement, and maintain a document printing policy. CC ID 14384 | Establish/Maintain Documentation | Preventive | |
Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow procedures. CC ID 04542 | Establish/Maintain Documentation | Preventive | |
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Data and Information Management | Preventive | |
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Data and Information Management | Preventive | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 [An Institution or its Service Provider must manage its Electronic Connection(s) so as to permit the Reserve Banks to send data to the Institution or the Service Provider, and to permit the Institution or the Service Provider to receive data from the Reserve Banks, on a timely basis throughout the day. A Reserve Bank is not responsible for any delay in sending data (or for notifying any party of such a delay), if the delay results from the Institution's or its Service Provider's failure to so manage its connection(s), or from any cause other than the Reserve Bank's failure to exercise ordinary care or to act in good faith. The Reserve Bank's records shall be determinative of when data has been received by a Reserve Bank or when a Reserve Bank sends data to, or makes it retrievable by, the Institution or its Service Provider. 5.5(a)] | Establish/Maintain Documentation | Preventive | |
Perform content sanitization on data-in-transit. CC ID 16512 | Data and Information Management | Preventive | |
Perform content conversion on data-in-transit. CC ID 16510 | Data and Information Management | Preventive | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Data and Information Management | Preventive | |
Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Data and Information Management | Preventive | |
Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Data and Information Management | Preventive | |
Review and approve information exchange system connections. CC ID 07143 | Technical Security | Preventive | |
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Log Management | Preventive | |
Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical Security | Preventive | |
Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical Security | Preventive | |
Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Establish/Maintain Documentation | Preventive | |
Revoke membership in the whitelist, as necessary. CC ID 13827 | Establish/Maintain Documentation | Corrective | |
Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Configuration | Preventive | |
Block uncategorized sites using URL filtering. CC ID 12140 | Technical Security | Preventive | |
Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical Security | Detective | |
Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Data and Information Management | Preventive | |
Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Establish/Maintain Documentation | Preventive | |
Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Behavior | Preventive | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Technical Security | Preventive | |
Comply with the encryption laws of the local country. CC ID 16377 | Business Processes | Preventive | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Establish/Maintain Documentation | Preventive | |
Define the cryptographic boundaries. CC ID 06543 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Establish/Maintain Documentation | Preventive | |
Implement the documented cryptographic module security functions. CC ID 06755 | Data and Information Management | Preventive | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Establish/Maintain Documentation | Preventive | |
Document the operation of the cryptographic module. CC ID 06546 | Establish/Maintain Documentation | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical Security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Data and Information Management | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Data and Information Management | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Data and Information Management | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Data and Information Management | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Data and Information Management | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Data and Information Management | Preventive | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Establish/Maintain Documentation | Preventive | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Configuration | Preventive | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Data and Information Management | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical Security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical Security | Preventive | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Data and Information Management | Preventive | |
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Process or Activity | Preventive | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Process or Activity | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Process or Activity | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Communicate | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Establish/Maintain Documentation | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Establish Roles | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Communicate | Preventive | |
Bind keys to each identity. CC ID 12337 | Technical Security | Preventive | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Establish/Maintain Documentation | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Establish/Maintain Documentation | Preventive | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Data and Information Management | Preventive | |
Generate strong cryptographic keys. CC ID 01299 | Data and Information Management | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical Security | Preventive | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Data and Information Management | Preventive | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical Security | Preventive | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Data and Information Management | Preventive | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Data and Information Management | Preventive | |
Store cryptographic keys securely. CC ID 01298 | Data and Information Management | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 | Data and Information Management | Preventive | |
Store cryptographic keys in encrypted format. CC ID 06084 | Data and Information Management | Preventive | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical Security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Data and Information Management | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Data and Information Management | Preventive | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Data and Information Management | Preventive | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Data and Information Management | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical Security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Data and Information Management | Corrective | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Data and Information Management | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 | Data and Information Management | Preventive | |
Archive revoked cryptographic keys. CC ID 11819 | Data and Information Management | Preventive | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Establish/Maintain Documentation | Preventive | |
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Human Resources Management | Preventive | |
Test cryptographic key management applications, as necessary. CC ID 04829 | Testing | Detective | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Data and Information Management | Preventive | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Establish/Maintain Documentation | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Establish/Maintain Documentation | Preventive | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Establish/Maintain Documentation | Preventive | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Establish/Maintain Documentation | Preventive | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Establish/Maintain Documentation | Preventive | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Establish/Maintain Documentation | Preventive | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical Security | Preventive | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical Security | Preventive | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Establish/Maintain Documentation | Preventive | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Establish/Maintain Documentation | Preventive | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Establish/Maintain Documentation | Preventive | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Establish/Maintain Documentation | Preventive | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical Security | Preventive | |
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Records Management | Preventive | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical Security | Preventive | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical Security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical Security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Configuration | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical Security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical Security | Preventive | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Establish/Maintain Documentation | Preventive | |
Implement non-repudiation for transactions. CC ID 00567 | Testing | Detective | |
Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical Security | Preventive | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical Security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Install security and protection software, as necessary. CC ID 00575 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Configuration | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical Security | Preventive | |
Scan for malicious code, as necessary. CC ID 11941 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Investigate | Detective | |
Test all removable storage media for viruses and malicious code. CC ID 11861 | Testing | Detective | |
Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Testing | Detective | |
Remove malware when malicious code is discovered. CC ID 13691 | Process or Activity | Corrective | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Communicate | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 [{be liable} A Reserve Bank's fees relating to Electronic Connections (including, for example, installation support and training) are published separately and are subject to change on thirty (30) calendar days' prior notice. A Reserve Bank charges these fees to the Institution's (or its correspondent's) account on a Reserve Bank's books. By designating a Service Provider, an Institution agrees that the Service Provider may be billed directly by the Reserve Bank for any fees related to the Service Provider's Electronic Connection. Notwithstanding any such direct billing, the Institution shall remain liable for any unpaid fees. 6.1 ¶ 1 An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Business Processes | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a) Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1 An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)] | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 [{refrain from encumbering} {refrain from removing} {refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2 An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c) Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [An Institution may terminate its agreement to use Reserve Bank services and/or applications through an Electronic Connection and its agreement to the terms of this Circular by giving not less than thirty (30) calendar days' prior written notice to the Reserve Bank(s) with which it has Electronic Connections. A Reserve Bank may terminate an Institution's or its Service Provider's authority to use an Electronic Connection on similar notice. In addition, a Reserve Bank immediately may terminate an Institution's or its Service Provider's Electronic Connection if the Reserve Bank, in its sole discretion, determines that continued use of the Electronic Connection poses a risk to the Reserve Bank or others, or the Reserve Bank believes that the Institution or its Service Provider is in violation of this Circular. 7.1 ¶ 1] | Establish/Maintain Documentation | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Establish/Maintain Documentation | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Establish/Maintain Documentation | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1 In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 | Testing | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i) The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
Include disclosure requirements in third party contracts. CC ID 08825 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Business Processes | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2 In addition, before sending a National Settlement Service settlement file to a Reserve Bank, a Settlement Agent must execute a security procedure agreement with the Host Reserve Bank (as defined in Operating Circular 12) in the form attached as Appendix B-1 to Operating Circular 12. Appendix A 2.3(a) ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2] | Process or Activity | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Establish/Maintain Documentation | Detective | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Establish Roles | Preventive | |
Approve all Service Level Agreements. CC ID 00843 | Establish/Maintain Documentation | Detective | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Business Processes | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Business Processes | Corrective | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Business Processes | Detective | |
Review third parties' backup policies. CC ID 13043 | Systems Continuity | Detective | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1 {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Testing | Detective | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)] | Establish/Maintain Documentation | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
Request attestation of compliance from third parties. CC ID 12067 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1] | Establish/Maintain Documentation | Detective | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2] | Business Processes | Detective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Business Processes | Preventive | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Business Processes | Detective | |
Document the third parties compliance with the organization's system hardening framework. CC ID 04263 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Technical Security | Detective | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Business Processes | Preventive | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Establish/Maintain Documentation | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a third party payment system. CC ID 08903 [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1] | Business Processes | Preventive | |
Disclose payments made to third parties. CC ID 08904 | Data and Information Management | Preventive | |
Document payments to third parties. CC ID 08905 | Establish/Maintain Documentation | Preventive | |
Make third party payments freely and proportionate to the furnished services. CC ID 08906 | Business Processes | Preventive | |
Establish a trust to pay for supply chain security forces. CC ID 08907 | Business Processes | Preventive | |
Notify third parties of revenue collection weaknesses. CC ID 08909 | Business Processes | Preventive | |
Avoid cash purchases of supplies from third parties. CC ID 08910 | Business Processes | Preventive | |
Pay third parties through official banking channels. CC ID 08911 | Business Processes | Preventive | |
Disclose payments made to supply chain security forces. CC ID 10031 | Data and Information Management | Preventive | |
Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931 [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)] | Business Processes | Preventive | |
Assign unique reference numbers to all products and their subcomponents. CC ID 08932 | Business Processes | Preventive | |
Implement physical security controls at all supply chain member locations. CC ID 08933 | Business Processes | Detective |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Preventive | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Systems design, build, and implementation | Preventive | |
Acquire products or services. CC ID 11450 | Acquisition or sale of facilities, technology, and services | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)] | Audits and risk management | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Preventive | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Preventive | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Operational and Systems Continuity | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Preventive | |
Audit policies, standards, and procedures. CC ID 12927 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2] | Audits and risk management | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Audits and risk management | Detective | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Preventive | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
Configure firewalls to generate an audit log. CC ID 12038 | Technical security | Preventive | |
Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Technical security | Preventive | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Preventive | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Preventive | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Preventive | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Preventive | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Preventive | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Preventive | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Preventive | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Preventive | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Preventive | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Preventive | |
Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Preventive | |
Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Preventive | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Physical and environmental protection | Preventive | |
Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Preventive | |
Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Preventive | |
Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Preventive | |
Notify customers about payment card usage security measures. CC ID 06407 | Physical and environmental protection | Preventive | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4] | Human Resources management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Perform periodic maintenance according to organizational standards. CC ID 01435 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1] | Operational management | Preventive | |
Share data loss event information with the media. CC ID 01759 | Operational management | Corrective | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Corrective | |
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 [Notwithstanding any other provision of this Appendix, when a sender or a receiving bank (or a Service Provider) chooses to use one of the Security Procedures, it rejects other Security Procedures, and if any one of the rejected Security Procedures is commercially reasonable for such sender or receiving bank, the sender or receiving bank agrees to be bound by any payment order, whether or not authorized, if it was issued in the sender's or the receiving bank's name and accepted by a Reserve Bank in compliance with the Security Procedure selected, subject to Section 4A-203 of Article 4A of the Uniform Commercial Code. Appendix A 2.3(b)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Preventive | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Preventive | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Preventive | |
Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Physical and environmental protection | Preventive | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Preventive | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Preventive | |
Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Physical and environmental protection | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain payment systems. CC ID 13539 [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in third party contracts. CC ID 08825 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Preventive | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Corrective | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Third Party and supply chain oversight | Detective | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2] | Third Party and supply chain oversight | Detective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Third Party and supply chain oversight | Detective | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a third party payment system. CC ID 08903 [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Make third party payments freely and proportionate to the furnished services. CC ID 08906 | Third Party and supply chain oversight | Preventive | |
Establish a trust to pay for supply chain security forces. CC ID 08907 | Third Party and supply chain oversight | Preventive | |
Notify third parties of revenue collection weaknesses. CC ID 08909 | Third Party and supply chain oversight | Preventive | |
Avoid cash purchases of supplies from third parties. CC ID 08910 | Third Party and supply chain oversight | Preventive | |
Pay third parties through official banking channels. CC ID 08911 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931 [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)] | Third Party and supply chain oversight | Preventive | |
Assign unique reference numbers to all products and their subcomponents. CC ID 08932 | Third Party and supply chain oversight | Preventive | |
Implement physical security controls at all supply chain member locations. CC ID 08933 | Third Party and supply chain oversight | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Preventive | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Preventive | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Preventive | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Preventive | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Preventive | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Preventive | |
Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Technical security | Preventive | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Preventive | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Preventive | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Corrective | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Corrective | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Preventive | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Preventive | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Preventive | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Preventive | |
Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Preventive | |
Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Corrective | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Preventive | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Human Resources management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g) In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4 {breach notification} Each Institution and any Service Provider shall include within its security breach related notification procedures and processes (e.g., within disaster recovery, hazard, business continuity, cyber security, and other appropriate procedures and processes) the obligation to immediately notify Federal Reserve Financial Services by telephone at (888) 333-7010, with written confirmation via email at ccc.technical.support@kc.frb.org, in the event of a known, suspected, or threatened compromise, cyber event, fraud, malware detection, or other security incident or breach that would render the Electronic Connection vulnerable to misconduct. Appendix A 1.2(c)] | Operational management | Corrective | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Preventive | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Monitoring and measurement | Preventive | |
Enable access control for objects and users on each system. CC ID 04553 [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1 {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Technical security | Preventive | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Preventive | |
Prohibit systems from connecting directly to external networks. CC ID 08709 | Technical security | Preventive | |
Secure the Domain Name System. CC ID 00540 | Technical security | Preventive | |
Configure the network to limit zone transfers to trusted servers. CC ID 01876 | Technical security | Preventive | |
Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Technical security | Preventive | |
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Technical security | Preventive | |
Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Technical security | Preventive | |
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Technical security | Preventive | |
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Technical security | Preventive | |
Configure network ports to organizational standards. CC ID 14007 | Technical security | Preventive | |
Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 | Technical security | Preventive | |
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 | Technical security | Preventive | |
Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Technical security | Detective | |
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 | Technical security | Preventive | |
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Preventive | |
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Preventive | |
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Preventive | |
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Preventive | |
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Preventive | |
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Preventive | |
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Preventive | |
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Preventive | |
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Preventive | |
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Preventive | |
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Preventive | |
Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Technical security | Preventive | |
Synchronize and secure all router configuration files. CC ID 01291 | Technical security | Preventive | |
Synchronize and secure all firewall configuration files. CC ID 11851 | Technical security | Preventive | |
Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Technical security | Preventive | |
Configure network access and control points to organizational standards. CC ID 12442 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Technical security | Detective | |
Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 | Technical security | Preventive | |
Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 | Technical security | Preventive | |
Remove all unauthorized Wireless Local Area Networks. CC ID 06309 | Technical security | Preventive | |
Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 | Technical security | Preventive | |
Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 | Technical security | Preventive | |
Remove all unauthorized wireless access points. CC ID 11856 | Technical security | Preventive | |
Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Technical security | Preventive | |
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Preventive | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Preventive | |
Install security and protection software, as necessary. CC ID 00575 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Technical security | Preventive | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Preventive | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Preventive | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Preventive | |
Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Preventive | |
Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Preventive | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Preventive | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Preventive | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Preventive | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Preventive | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Preventive | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Preventive | |
Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Preventive | |
Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Preventive | |
Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Preventive | |
Enable network jacks at the patch panel, as necessary. CC ID 06305 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Preventive | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Preventive | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Corrective | |
Review and restrict network addresses and network protocols. CC ID 01518 | System hardening through configuration management | Preventive | |
Configure security and protection software according to Organizational Standards. CC ID 11917 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | System hardening through configuration management | Preventive | |
Configure security and protection software to automatically run at startup. CC ID 12443 | System hardening through configuration management | Preventive | |
Configure security and protection software to enable automatic updates. CC ID 11945 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | System hardening through configuration management | Preventive | |
Configure security and protection software to check e-mail attachments. CC ID 11860 | System hardening through configuration management | Preventive | |
Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 | System hardening through configuration management | Preventive | |
Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 | System hardening through configuration management | Preventive | |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Preventive | |
Enforce access restrictions for restricted data. CC ID 01921 [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Technical security | Preventive | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Preventive | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Technical security | Preventive | |
Protect data stored at external locations. CC ID 16333 | Technical security | Preventive | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Technical security | Preventive | |
Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Technical security | Preventive | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Preventive | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Technical security | Preventive | |
Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Technical security | Preventive | |
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Preventive | |
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Preventive | |
Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Preventive | |
Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Preventive | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Preventive | |
Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Technical security | Preventive | |
Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Technical security | Preventive | |
Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Technical security | Preventive | |
Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Preventive | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Preventive | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Preventive | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Preventive | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Preventive | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Preventive | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Preventive | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Preventive | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Preventive | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Preventive | |
Generate strong cryptographic keys. CC ID 01299 | Technical security | Preventive | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Preventive | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Preventive | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Preventive | |
Store cryptographic keys securely. CC ID 01298 | Technical security | Preventive | |
Restrict access to cryptographic keys. CC ID 01297 | Technical security | Preventive | |
Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Preventive | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Preventive | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Preventive | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Preventive | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Preventive | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Corrective | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Corrective | |
Archive outdated cryptographic keys. CC ID 06884 | Technical security | Preventive | |
Archive revoked cryptographic keys. CC ID 11819 | Technical security | Preventive | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Preventive | |
Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Detective | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Preventive | |
Control access to restricted storage media. CC ID 04889 | Physical and environmental protection | Preventive | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Preventive | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Preventive | |
Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
Share incident information with interested personnel and affected parties. CC ID 01212 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Operational management | Corrective | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Corrective | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Preventive | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Preventive | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Preventive | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Preventive | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Preventive | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2] | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i) The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Detective | |
Disclose payments made to third parties. CC ID 08904 | Third Party and supply chain oversight | Preventive | |
Disclose payments made to supply chain security forces. CC ID 10031 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Audits and risk management | Preventive | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Preventive | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Preventive | |
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Technical security | Preventive | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Preventive | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Preventive | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Preventive | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Preventive | |
Include restoration procedures in the continuity plan. CC ID 01169 | Operational and Systems Continuity | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Operational management | Preventive | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Preventive | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) When a Settlement Instruction is issued, the Offline Security Procedure involves a telephone call initiated by an authorized employee of the Settlement Agent followed by the transmission by e-mail or facsimile of a Settlement Instruction signed (in the case of a facsimile) by an authorized employee of the Settlement Agent or sent from the e-mail address of an authorized employee of the Settlement Agent. Appendix A 2.3(c) ¶ 5] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 ["Confidential Information" shall include all information, provided in writing, electronically or orally, which is designated by Reserve Bank herein or by other means as "Confidential." All security-related information, including information regarding Access Control Features and security procedures, whether or not it is labeled as "Confidential," is hereby designated as "Confidential," unless a Reserve Bank makes any such information generally available to the public (i.e., places it on its unrestricted public Web site or otherwise publishes it to the general public). Confidential Information contains trade secrets, proprietary information or security information of Reserve Banks or others. Unauthorized disclosure of Confidential Information likely would cause a Reserve Bank immediate and irreparable damage for which there may be no adequate remedy at law. 5.4 ¶ 1] | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement of the Institution's responsibility to adhere to the Security Requirements; Appendix A 3.2 ¶ 1(i)] | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2] | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A confirmation that the Institution has conducted a Self-Assessment within the time period requested by the Reserve Banks; Appendix A 3.2 ¶ 1(ii)] | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)] | Audits and risk management | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)] | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Preventive | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Detective | |
Review past audit reports. CC ID 01155 | Audits and risk management | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, an acknowledgement that the Institution is responsible for its Service Provider's compliance with the Security Requirements; Appendix A 3.2 ¶ 1(iv)] | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1] | Audits and risk management | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Audits and risk management | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Detective | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e) {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Audits and risk management | Detective | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
Establish, implement, and maintain access control policies. CC ID 00512 [An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)] | Technical security | Preventive | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Preventive | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Preventive | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Preventive | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Preventive | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Preventive | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Preventive | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Preventive | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Preventive | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Preventive | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Technical security | Preventive | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain an authority for access authorization list. CC ID 06782 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3 The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | Technical security | Preventive | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Preventive | |
Document approving and granting access in the access control log. CC ID 06786 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3 The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | Technical security | Preventive | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Preventive | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Technical security | Preventive | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Preventive | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Technical security | Preventive | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Technical security | Preventive | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Preventive | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Preventive | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Preventive | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Preventive | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Preventive | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Preventive | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Preventive | |
Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Technical security | Preventive | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Preventive | |
Maintain up-to-date network diagrams. CC ID 00531 | Technical security | Preventive | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Preventive | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Preventive | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Preventive | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Preventive | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Preventive | |
Maintain up-to-date data flow diagrams. CC ID 10059 | Technical security | Preventive | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Detective | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Preventive | |
Document where data at rest and data in transit are encrypted on the data flow diagram. CC ID 16412 | Technical security | Preventive | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Preventive | |
Establish, implement, and maintain a network access control standard. CC ID 00546 | Technical security | Preventive | |
Include configuration management and rulesets in the network access control standard. CC ID 11845 | Technical security | Preventive | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Preventive | |
Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 | Technical security | Preventive | |
Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 | Technical security | Preventive | |
Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 | Technical security | Preventive | |
Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 | Technical security | Preventive | |
Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 | Technical security | Preventive | |
Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 | Technical security | Preventive | |
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Technical security | Preventive | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Preventive | |
Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Technical security | Preventive | |
Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 | Technical security | Preventive | |
Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Technical security | Preventive | |
Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Technical security | Preventive | |
Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Technical security | Preventive | |
Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Technical security | Preventive | |
Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Technical security | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 | Technical security | Preventive | |
Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 | Technical security | Preventive | |
Establish, implement, and maintain a Voice over Internet Protocol design specification. CC ID 01449 | Technical security | Preventive | |
Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 | Technical security | Preventive | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)] | Technical security | Preventive | |
Establish, implement, and maintain a document printing policy. CC ID 14384 | Technical security | Preventive | |
Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Technical security | Preventive | |
Establish, implement, and maintain information flow procedures. CC ID 04542 | Technical security | Preventive | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 [An Institution or its Service Provider must manage its Electronic Connection(s) so as to permit the Reserve Banks to send data to the Institution or the Service Provider, and to permit the Institution or the Service Provider to receive data from the Reserve Banks, on a timely basis throughout the day. A Reserve Bank is not responsible for any delay in sending data (or for notifying any party of such a delay), if the delay results from the Institution's or its Service Provider's failure to so manage its connection(s), or from any cause other than the Reserve Bank's failure to exercise ordinary care or to act in good faith. The Reserve Bank's records shall be determinative of when data has been received by a Reserve Bank or when a Reserve Bank sends data to, or makes it retrievable by, the Institution or its Service Provider. 5.5(a)] | Technical security | Preventive | |
Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Technical security | Preventive | |
Revoke membership in the whitelist, as necessary. CC ID 13827 | Technical security | Corrective | |
Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Technical security | Preventive | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Preventive | |
Define the cryptographic boundaries. CC ID 06543 | Technical security | Preventive | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Preventive | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Preventive | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Preventive | |
Document the operation of the cryptographic module. CC ID 06546 | Technical security | Preventive | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Preventive | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Technical security | Preventive | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Preventive | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Preventive | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Preventive | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Preventive | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Preventive | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Preventive | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Preventive | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Preventive | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Preventive | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Preventive | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Preventive | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Preventive | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Preventive | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Preventive | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Preventive | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Preventive | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Preventive | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Preventive | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Preventive | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Preventive | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Preventive | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Technical security | Preventive | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Technical security | Preventive | |
Establish, implement, and maintain a physical security program. CC ID 11757 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Preventive | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Preventive | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security procedures. CC ID 13076 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Preventive | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Preventive | |
Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Preventive | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Preventive | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Preventive | |
Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Preventive | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Preventive | |
Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Preventive | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Preventive | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Preventive | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Corrective | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Preventive | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Preventive | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Preventive | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Preventive | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Preventive | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Preventive | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Preventive | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Preventive | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Preventive | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Preventive | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Preventive | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Preventive | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Preventive | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Preventive | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Preventive | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Preventive | |
Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Preventive | |
Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Preventive | |
Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Preventive | |
Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Preventive | |
Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain asset return procedures. CC ID 04537 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Physical and environmental protection | Preventive | |
Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a vehicle access program. CC ID 02216 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Preventive | |
Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16137 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Preventive | |
Establish and maintain security classifications for network cabling. CC ID 08627 | Physical and environmental protection | Preventive | |
Establish and maintain documentation for network cabling schemes. CC ID 08641 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Operational and Systems Continuity | Preventive | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Preventive | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Preventive | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Preventive | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Preventive | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Preventive | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 | Operational and Systems Continuity | Preventive | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Preventive | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Preventive | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Preventive | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Corrective | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Preventive | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Operational and Systems Continuity | Preventive | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Preventive | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Operational and Systems Continuity | Preventive | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Preventive | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Preventive | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Preventive | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Preventive | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Preventive | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Preventive | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Detective | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Preventive | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Preventive | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2] | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3] | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2] | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2 {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [Software includes trade secrets and proprietary information of the Reserve Banks and others, which may be copyrighted or patented, and must be handled in accordance with the requirements applicable to Confidential Information as set forth in Paragraph 5.4. 4.6 ¶ 1] | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 [{refrain from removing} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: remove any copyright or trademark notice contained in the Software. 4.4 ¶ 1(d)] | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)] | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Operational management | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1 Each Institution must at all times comply with the measures, protections, and requirements established under the Reserve Bank Program described in Section 1.1 of this Appendix A, the Institution Program described in Section 1.2 of this Appendix A, and any applicable Security Procedures (collectively, the "Security Requirements"). Appendix A 3.1 ¶ 1 In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Operational management | Preventive | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Preventive | |
Define confidentiality controls. CC ID 01908 | Operational management | Preventive | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Preventive | |
Define integrity controls. CC ID 01909 | Operational management | Preventive | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Preventive | |
Define availability controls. CC ID 01911 | Operational management | Preventive | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Preventive | |
Establish, implement, and maintain software license management procedures. CC ID 06639 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Operational management | Preventive | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Preventive | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Corrective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Preventive | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement that the Institution must immediately notify the Federal Reserve Banks of any suspected or confirmed fraud, infringement, or security breach relating to any Electronic Connection. Appendix A 3.2 ¶ 1(vi)] | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Preventive | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Preventive | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Preventive | |
Include contact information in the system tracking documentation. CC ID 15280 [The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | System hardening through configuration management | Preventive | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain network parameter modification procedures. CC ID 01517 | System hardening through configuration management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 | Records management | Preventive | |
Maintain disposal records or redeployment records. CC ID 01644 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Records management | Preventive | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Preventive | |
Establish, implement, and maintain security label procedures. CC ID 06747 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Records management | Preventive | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Preventive | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Preventive | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Preventive | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Preventive | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Preventive | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Preventive | |
Establish, implement, and maintain system design requirements. CC ID 06618 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Preventive | |
Document the business need justification for payment page scripts. CC ID 15480 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Preventive | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Preventive | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Preventive | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Preventive | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Preventive | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Preventive | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Preventive | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Preventive | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Preventive | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Preventive | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Preventive | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Preventive | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Preventive | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2] | Privacy protection for information and data | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
Define the organization's liability based on the applicable law. CC ID 00504 [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2 An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c) Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4 An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Preventive | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 [{be liable} A Reserve Bank's fees relating to Electronic Connections (including, for example, installation support and training) are published separately and are subject to change on thirty (30) calendar days' prior notice. A Reserve Bank charges these fees to the Institution's (or its correspondent's) account on a Reserve Bank's books. By designating a Service Provider, an Institution agrees that the Service Provider may be billed directly by the Reserve Bank for any fees related to the Service Provider's Electronic Connection. Notwithstanding any such direct billing, the Institution shall remain liable for any unpaid fees. 6.1 ¶ 1 An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a) Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1 An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)] | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Third Party and supply chain oversight | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2 An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c) Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [An Institution may terminate its agreement to use Reserve Bank services and/or applications through an Electronic Connection and its agreement to the terms of this Circular by giving not less than thirty (30) calendar days' prior written notice to the Reserve Bank(s) with which it has Electronic Connections. A Reserve Bank may terminate an Institution's or its Service Provider's authority to use an Electronic Connection on similar notice. In addition, a Reserve Bank immediately may terminate an Institution's or its Service Provider's Electronic Connection if the Reserve Bank, in its sole discretion, determines that continued use of the Electronic Connection poses a risk to the Reserve Bank or others, or the Reserve Bank believes that the Institution or its Service Provider is in violation of this Circular. 7.1 ¶ 1] | Third Party and supply chain oversight | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Third Party and supply chain oversight | Preventive | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2 In addition, before sending a National Settlement Service settlement file to a Reserve Bank, a Settlement Agent must execute a security procedure agreement with the Host Reserve Bank (as defined in Operating Circular 12) in the form attached as Appendix B-1 to Operating Circular 12. Appendix A 2.3(a) ¶ 3] | Third Party and supply chain oversight | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Detective | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)] | Third Party and supply chain oversight | Preventive | |
Request attestation of compliance from third parties. CC ID 12067 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Third Party and supply chain oversight | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Preventive | |
Document payments to third parties. CC ID 08905 | Third Party and supply chain oversight | Preventive | |

KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Preventive | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Preventive | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Preventive | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Preventive | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Preventive | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Preventive | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Preventive | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
Assign senior management to approve functional requirements in the system requirements specification. CC ID 13067 | Systems design, build, and implementation | Preventive | |

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Scan for malicious code, as necessary. CC ID 11941 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Technical security | Detective | |
Inspect device surfaces to detect tampering. CC ID 11868 | Physical and environmental protection | Detective | |
Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Physical and environmental protection | Detective | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Detective | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Detective | |
Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Detective | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Detective | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Detective | |
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Preventive | |
Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Preventive | |
Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Preventive | |
Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Preventive | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Preventive | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Preventive | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Preventive | |
Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Detective | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Detective | |
Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Preventive | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Preventive | |
Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Preventive | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Detective | |

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Preventive | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitoring and measurement | Detective | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Detective | |
Detect unauthorized access to systems. CC ID 06798 [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Monitoring and measurement | Detective | |
Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Detective | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Detective | |
Inspect for tampering, as necessary. CC ID 10640 | Physical and environmental protection | Detective | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Preventive | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Physical and environmental protection | Detective | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Preventive | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Detective | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Detective | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Detective | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Detective | |
Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Detective | |
Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Corrective | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Detective | |
Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Preventive | |
Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)] | Privacy protection for information and data | Corrective | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze and evaluate engineering systems. CC ID 13080 | Physical and environmental protection | Preventive | |
Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and environmental protection | Preventive | |
Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and environmental protection | Preventive | |
Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and environmental protection | Preventive | |
Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Preventive | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Preventive | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Detective | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Preventive | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Preventive | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Preventive | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Preventive | |
Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Preventive | |
Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Preventive | |
Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Preventive | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Preventive | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Preventive | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Detective | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Preventive | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Preventive | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Corrective | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Preventive | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Preventive | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Preventive | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Preventive | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Preventive | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Preventive | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Preventive | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Preventive | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Preventive | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Preventive | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Preventive | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Preventive | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Preventive | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Preventive | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Preventive | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Preventive | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Preventive | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Preventive | |
Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Preventive | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Preventive | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Preventive | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Preventive | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Detective | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Preventive | |
Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Detective | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Preventive | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Preventive | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Preventive | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Physical and environmental protection | Preventive | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Preventive | |
Restrict physical access to distributed assets. CC ID 11865 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Physical and environmental protection | Preventive | |
House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Preventive | |
Protect electronic storage media with physical access controls. CC ID 00720 | Physical and environmental protection | Preventive | |
Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Preventive | |
Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and environmental protection | Preventive | |
Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Preventive | |
Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Preventive | |
Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Preventive | |
Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Preventive | |
Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Preventive | |
Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Preventive | |
Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Detective | |
Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Preventive | |
Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Corrective | |
Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Preventive | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Preventive | |
Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Preventive | |
Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Preventive | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Preventive | |
Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Preventive | |
Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Preventive | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Preventive | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and environmental protection | Preventive | |
Establish parking requirements for vehicles. CC ID 02218 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain proper container security. CC ID 02208 | Physical and environmental protection | Preventive | |
Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and environmental protection | Detective | |
Lock closable storage containers. CC ID 06307 | Physical and environmental protection | Preventive | |
Control the issuance of payment cards. CC ID 06403 | Physical and environmental protection | Preventive | |
Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and environmental protection | Preventive | |
Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and environmental protection | Preventive | |
Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and environmental protection | Preventive | |
Install and protect network cabling. CC ID 08624 | Physical and environmental protection | Preventive | |
Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and environmental protection | Preventive | |
Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and environmental protection | Preventive | |
Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and environmental protection | Detective | |
Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and environmental protection | Preventive | |
Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and environmental protection | Preventive | |
Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and environmental protection | Detective | |
Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and environmental protection | Preventive | |
Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and environmental protection | Preventive | |
Label each end of a network cable run. CC ID 08632 | Physical and environmental protection | Preventive | |
Terminate approved network cables on the patch panel. CC ID 08633 | Physical and environmental protection | Preventive | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Preventive | |
Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and environmental protection | Preventive | |
Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and environmental protection | Preventive | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Preventive | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Preventive | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Preventive | |
Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and environmental protection | Preventive | |
Label network cabling outlet boxes. CC ID 08631 | Physical and environmental protection | Preventive | |
Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and environmental protection | Preventive | |
Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and environmental protection | Preventive | |
Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and environmental protection | Preventive | |
Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Preventive | |
Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and environmental protection | Preventive | |
Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and environmental protection | Preventive | |
Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and environmental protection | Preventive | |
Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and environmental protection | Preventive | |
Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and environmental protection | Preventive | |
Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and environmental protection | Preventive | |
Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and environmental protection | Preventive | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Preventive | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Preventive | |
Enforce the network segmentation requirements. CC ID 16381 | Technical security | Preventive | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Detective | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Detective | |
Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 | Technical security | Detective | |
Update application layer firewalls to the most current version. CC ID 12037 | Technical security | Preventive | |
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Preventive | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Preventive | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Preventive | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Corrective | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Preventive | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Preventive | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Preventive | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Preventive | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Preventive | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Corrective | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Corrective | |
Control physical access to network cables. CC ID 00723 | Physical and environmental protection | Preventive | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Preventive | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Preventive | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Operational management | Corrective | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Corrective | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
Define the location requirements for network elements and network devices. CC ID 16379 [{refrain from situating} {unapproved location} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: situate any VPN device used in conjunction with an Electronic Connection in any location other than the Institution's or its Service Provider's premises within the United States or its territories; 4.4 ¶ 1(a)] | System hardening through configuration management | Preventive | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Preventive | |
Discourage the modification of vendor-supplied software. CC ID 12016 [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2] | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective |
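The Appendix A 2.1(f) citation above (under CC ID 11999) requires that an instruction sent to a Reserve Bank originate only from locations the Institution has authorized and that more than one person, acting from separate devices, take part in initiating a Fedwire or National Settlement Service instruction. The following is an added example of how an Institution's own system might gate a release on those two conditions; it is not code from the circular or from the UCF. The `Action` record, the site and device identifiers, and the sample action lists are constructed for illustration and are not defined anywhere in the circular.

```python
"""Dual-control gate for releasing a payment instruction.

Added example (not the circular's or UCF's own code). It checks the two
conditions named in Appendix A 2.1(f): every action must come from an
authorized location, and at least two distinct people on distinct devices
must act (one initiating, one approving) before the instruction is released.
Field names, site identifiers and the sample actions are constructed.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Action:
    principal: str   # employee or service-provider user who acted (assumed field)
    device_id: str   # workstation or token the action came from (assumed field)
    location: str    # site identifier the action originated from (assumed field)
    role: str        # "initiate" or "approve"


class PolicyViolation(Exception):
    """Raised when the recorded actions do not satisfy the release policy."""


def check_release(actions: Iterable[Action], authorized_locations: set[str],
                  min_persons: int = 2) -> bool:
    """Return True if the instruction may be released; raise otherwise.

    Checks are ordered so the first failing condition names the reason:
    action count, origin location, distinct people, distinct devices, roles.
    """
    acts = list(actions)
    if len(acts) < min_persons:
        raise PolicyViolation(f"at least {min_persons} actions required")
    for a in acts:
        if a.location not in authorized_locations:
            raise PolicyViolation(f"unauthorized location: {a.location}")
    if len({a.principal for a in acts}) < min_persons:
        raise PolicyViolation("same person acted more than once")
    if len({a.device_id for a in acts}) < min_persons:
        raise PolicyViolation("separate devices required")
    if not {"initiate", "approve"} <= {a.role for a in acts}:
        raise PolicyViolation("both an initiator and an approver are required")
    return True


def evaluate(actions: Iterable[Action], authorized_locations: set[str]) -> tuple[bool, str]:
    """Non-raising wrapper: (released?, reason)."""
    try:
        check_release(actions, authorized_locations)
    except PolicyViolation as exc:
        return False, str(exc)
    return True, "released"


# Constructed sample data: two authorized sites and four candidate releases.
AUTHORIZED = {"site-hq", "site-dr"}
GOOD = [Action("alice", "ws-101", "site-hq", "initiate"),
        Action("bob", "ws-212", "site-hq", "approve")]
SAME_DEVICE = [Action("alice", "ws-101", "site-hq", "initiate"),
               Action("bob", "ws-101", "site-hq", "approve")]
SAME_PERSON = [Action("alice", "ws-101", "site-hq", "initiate"),
               Action("alice", "ws-212", "site-hq", "approve")]
OFFSITE = [Action("alice", "ws-101", "home-vpn", "initiate"),
           Action("bob", "ws-212", "site-hq", "approve")]
NO_APPROVER = [Action("alice", "ws-101", "site-hq", "initiate"),
               Action("bob", "ws-212", "site-hq", "initiate")]

if __name__ == "__main__":
    for name, acts in [("good", GOOD), ("same_device", SAME_DEVICE),
                       ("same_person", SAME_PERSON), ("offsite", OFFSITE),
                       ("no_approver", NO_APPROVER)]:
        print(name, evaluate(acts, AUTHORIZED))
```

The gate treats a second action by the same person on a second device, or by a second person on the same workstation, as equally disqualifying; both defeat the "separate devices" wording of 2.1(f). The location check is deliberately applied to every action, not only the initiating one, since an approval from an unauthorized site is still an action in the transaction process.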
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Audits and risk management | Preventive | |
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Preventive | |
Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Preventive | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Physical and environmental protection | Preventive | |
Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Physical and environmental protection | Preventive | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Preventive | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Preventive | |
Control the storage of restricted storage media. CC ID 00965 | Physical and environmental protection | Preventive | |
Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Records management | Preventive | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Detective | |
Include recordkeeping documentation standards in the system requirements specification. CC ID 01038 | Systems design, build, and implementation | Detective | |
Include archives and record management standards in the system requirements specification. CC ID 01039 | Systems design, build, and implementation | Detective | |
Include file format standards in the system requirements specification. CC ID 01041 | Systems design, build, and implementation | Detective | |
Include record retention requirements in the system requirements specification. CC ID 01042 | Systems design, build, and implementation | Detective | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Preventive | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Corrective | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Preventive | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Preventive | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Preventive | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Preventive | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Corrective | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Preventive | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Preventive | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Corrective | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Detective | |
Implement gateways between security domains. CC ID 16493 | Technical security | Preventive | |
Apply security controls to each level of the information classification standard. CC ID 01903 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)] | Operational management | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a system requirements specification. CC ID 01035 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Systems design, build, and implementation | Preventive | |
Include relevant resources needed for the system design project in the system requirements specification. CC ID 01036 | Systems design, build, and implementation | Detective | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems design, build, and implementation | Preventive | |
Include pertinent legal requirements in the system requirements specification. CC ID 01037 | Systems design, build, and implementation | Detective | |
Include privacy requirements in the system requirements specification. CC ID 01040 | Systems design, build, and implementation | Detective | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Preventive | |
Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Preventive | |
Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
Include all system components in the access control system. CC ID 11939 | Technical security | Preventive | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Preventive | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Preventive | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Preventive | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Preventive | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Technical security | Preventive | |
Identify and control all network access controls. CC ID 00529 [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1] | Technical security | Preventive | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 | Technical security | Detective | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Preventive | |
Manage all internal network connections. CC ID 06329 | Technical security | Preventive | |
Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 | Technical security | Preventive | |
Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 | Technical security | Preventive | |
Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 | Technical security | Preventive | |
Plan for and approve all network changes. CC ID 00534 | Technical security | Preventive | |
Manage all external network connections. CC ID 11842 | Technical security | Preventive | |
Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 | Technical security | Preventive | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical security | Preventive | |
Implement a fault-tolerant architecture. CC ID 01626 | Technical security | Preventive | |
Implement segregation of duties. CC ID 11843 | Technical security | Preventive | |
Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 | Technical security | Preventive | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Preventive | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Preventive | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Preventive | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Preventive | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Preventive | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Preventive | |
Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Preventive | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Preventive | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Preventive | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical security | Preventive | |
Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical security | Preventive | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical security | Preventive | |
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 | Technical security | Corrective | |
Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 | Technical security | Preventive | |
Protect the firewall's network connection interfaces. CC ID 01955 | Technical security | Preventive | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Preventive | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical security | Preventive | |
Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 | Technical security | Preventive | |
Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 | Technical security | Preventive | |
Review and approve information exchange system connections. CC ID 07143 | Technical security | Preventive | |
Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical security | Preventive | |
Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical security | Preventive | |
Block uncategorized sites using URL filtering. CC ID 12140 | Technical security | Preventive | |
Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical security | Detective | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Technical security | Preventive | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Preventive | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Preventive | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Preventive | |
Bind keys to each identity. CC ID 12337 | Technical security | Preventive | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Preventive | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Preventive | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Preventive | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Preventive | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Preventive | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Preventive | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Preventive | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Preventive | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Preventive | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical security | Preventive | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Preventive | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Preventive | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical security | Preventive | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Preventive | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Preventive | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Preventive | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Preventive | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Preventive | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Preventive | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Preventive | |
Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Preventive | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Preventive | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Preventive | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 | Physical and environmental protection | Preventive | |
Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Preventive | |
Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Preventive | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Preventive | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Preventive | |
Isolate compromised systems from the network. CC ID 01753 [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)] | Operational management | Corrective | |
Patch the operating system, as necessary. CC ID 11824 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Operational management | Corrective | |
Configure security and protection software to check for phishing attacks. CC ID 04569 | System hardening through configuration management | Detective | |
Establish and maintain access rights to source code based upon least privilege. CC ID 06962 [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 | Acquisition or sale of facilities, technology, and services | Preventive | |
Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Third Party and supply chain oversight | Detective | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)] | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Detective | |
Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 | Technical security | Detective | |
Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Technical security | Detective | |
Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Detective | |
Implement non-repudiation for transactions. CC ID 00567 | Technical security | Detective | |
Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Detective | |
Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Detective | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Preventive | |
Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Preventive | |
Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Detective | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Detective | |
Test the recovery plan, as necessary. CC ID 13290 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Operational and Systems Continuity | Detective | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Operational and Systems Continuity | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Detective | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Operational and Systems Continuity | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Detective | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Detective | |
Configure security and protection software to check for up-to-date signature files. CC ID 00576 | System hardening through configuration management | Detective | |
Configure security and protection software to check e-mail messages. CC ID 00578 | System hardening through configuration management | Preventive | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1 In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1 {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Third Party and supply chain oversight | Detective | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary. CC ID 11903 | Technical security | Technical Security | |
Revoke membership in the whitelist, as necessary. CC ID 13827 | Technical security | Establish/Maintain Documentation | |
Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Data and Information Management | |
Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Data and Information Management | |
Remove malware when malicious code is discovered. CC ID 13691 | Technical security | Process or Activity | |
Notify interested personnel and affected parties when malware is detected. CC ID 13689 | Technical security | Communicate | |
Report damaged property to interested personnel and affected parties. CC ID 13702 | Physical and environmental protection | Communicate | |
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 | Physical and environmental protection | Physical and Environmental Protection | |
Document all lost badges in a lost badge list. CC ID 12448 | Physical and environmental protection | Establish/Maintain Documentation | |
Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Process or Activity | |
Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Physical and Environmental Protection | |
Remove dormant systems from the network, as necessary. CC ID 13727 | Physical and environmental protection | Process or Activity | |
Log an incident if unauthorized restricted data or unauthorized restricted information is discovered on a mobile device. CC ID 08708 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Systems Continuity | |
Report changes in the continuity plan to senior management. CC ID 12757 | Operational and Systems Continuity | Communicate | |
Restore systems and environments to be operational. CC ID 13476 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain the continuity procedures. CC ID 14236 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 | Operational and Systems Continuity | Systems Continuity | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Coordinate incident response activities with interested personnel and affected parties. CC ID 13196 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Operational management | Process or Activity | |
Contain the incident to prevent further loss. CC ID 01751 | Operational management | Process or Activity | |
Isolate compromised systems from the network. CC ID 01753 [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)] | Operational management | Technical Security | |
Share incident information with interested personnel and affected parties. CC ID 01212 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Operational management | Data and Information Management | |
Share data loss event information with the media. CC ID 01759 | Operational management | Behavior | |
Share data loss event information with interconnected system owners. CC ID 01209 | Operational management | Establish/Maintain Documentation | |
Report data loss event information to breach notification organizations. CC ID 01210 | Operational management | Data and Information Management | |
Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 | Operational management | Behavior | |
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g) In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4 {breach notification} Each Institution and any Service Provider shall include within its security breach related notification procedures and processes (e.g., within disaster recovery, hazard, business continuity, cyber security, and other appropriate procedures and processes) the obligation to immediately notify Federal Reserve Financial Services by telephone at (888) 333-7010, with written confirmation via email at ccc.technical.support@kc.frb.org, in the event of a known, suspected, or threatened compromise, cyber event, fraud, malware detection, or other security incident or breach that would render the Electronic Connection vulnerable to misconduct. Appendix A 1.2(c)] | Operational management | Communicate | |
Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Configuration | |
Patch the operating system, as necessary. CC ID 11824 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Operational management | Technical Security | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 [The Institution shall adopt policies and procedures that are designed to ensure the prompt management of compromised devices or fraudulent transactions. Appendix A 2.1(h)] | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Business Processes | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain logging and monitoring operations. CC ID 00637 | Monitoring and measurement | Log Management | |
Monitor systems for inappropriate usage and other security violations. CC ID 00585 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Monitor systems for access to restricted data or restricted information. CC ID 04721 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Detect unauthorized access to systems. CC ID 06798 [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report audit findings by the internal audit manager directly to senior management. CC ID 01152 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)] | Audits and risk management | Testing | |
Establish and maintain audit assertions, as necessary. CC ID 14871 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Audits and risk management | Audits and Risk Management | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Audits and Risk Management | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Establish/Maintain Documentation | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 | Audits and risk management | Establish/Maintain Documentation | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Log Management | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Establish/Maintain Documentation | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e) {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Testing | |
Place Intrusion Detection Systems and Intrusion Response Systems in network locations where they will be the most effective. CC ID 04589 | Technical security | Technical Security | |
Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 | Technical security | Process or Activity | |
Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams. CC ID 13737 | Technical security | Process or Activity | |
Establish, implement, and maintain a sensitive information inventory. CC ID 13736 | Technical security | Establish/Maintain Documentation | |
Register all Domain Names associated with the organization to the organization and not an individual. CC ID 07210 | Technical security | Testing | |
Include testing and approving all network connections through the firewall in the firewall and router configuration standard. CC ID 01270 | Technical security | Process or Activity | |
Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 | Technical security | Configuration | |
Configure firewalls to perform dynamic packet filtering. CC ID 01288 | Technical security | Testing | |
Configure network access and control points to organizational standards. CC ID 12442 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Technical security | Configuration | |
Subscribe to a URL categorization service to maintain website category definitions in the URL filter list. CC ID 12139 | Technical security | Technical Security | |
Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Testing | |
Implement non-repudiation for transactions. CC ID 00567 | Technical security | Testing | |
Scan for malicious code, as necessary. CC ID 11941 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Technical security | Investigate | |
Test all removable storage media for viruses and malicious code. CC ID 11861 | Technical security | Testing | |
Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 | Technical security | Testing | |
Conduct external audits of the physical security plan. CC ID 13314 | Physical and environmental protection | Audits and Risk Management | |
Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor for evidence of when tampering indicators are being identified. CC ID 11905 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Inspect device surfaces to detect tampering. CC ID 11868 | Physical and environmental protection | Investigate | |
Inspect device surfaces to detect unauthorized substitution. CC ID 11869 | Physical and environmental protection | Investigate | |
Inspect for tampering, as necessary. CC ID 10640 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Physical and Environmental Protection | |
Detect anomalies in physical barriers. CC ID 13533 | Physical and environmental protection | Investigate | |
Secure physical entry points with physical access controls or security guards. CC ID 01640 | Physical and environmental protection | Physical and Environmental Protection | |
Test locks for physical security vulnerabilities. CC ID 04880 | Physical and environmental protection | Testing | |
Lock all lockable equipment cabinets. CC ID 11673 | Physical and environmental protection | Physical and Environmental Protection | |
Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Report anomalies in the visitor log to appropriate personnel. CC ID 14755 | Physical and environmental protection | Investigate | |
Log when the vault is accessed. CC ID 06725 | Physical and environmental protection | Log Management | |
Log when the cabinet is accessed. CC ID 11674 | Physical and environmental protection | Log Management | |
Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor physical entry point alarms. CC ID 01639 | Physical and environmental protection | Physical and Environmental Protection | |
Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Monitor for alarmed security doors being propped open. CC ID 06684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Track restricted storage media while it is in transit. CC ID 00967 | Physical and environmental protection | Data and Information Management | |
Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Physical and Environmental Protection | |
Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Inspect mobile devices for the storage of restricted data or restricted information. CC ID 08707 | Physical and environmental protection | Investigate | |
Inspect the physical integrity of all containers before loading the containers. CC ID 02209 | Physical and environmental protection | Physical and Environmental Protection | |
Restrict the length of fiber optic flying leads to 5 meters. CC ID 08639 | Physical and environmental protection | Physical and Environmental Protection | |
Inspect network cabling at distances determined by security classification. CC ID 08644 | Physical and environmental protection | Physical and Environmental Protection | |
Monitor and evaluate business continuity management system performance. CC ID 12410 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain the organization's call tree. CC ID 01167 | Operational and Systems Continuity | Testing | |
Determine the cause for the activation of the recovery plan. CC ID 13291 | Operational and Systems Continuity | Investigate | |
Test the recovery plan, as necessary. CC ID 13290 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Operational and Systems Continuity | Testing | |
Test the backup information, as necessary. CC ID 13303 | Operational and Systems Continuity | Testing | |
Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test the continuity plan, as necessary. CC ID 00755 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Testing | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Testing | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Testing | |
Test the continuity plan at the alternate facility. CC ID 01174 | Operational and Systems Continuity | Testing | |
Review all third party's continuity plan test results. CC ID 01365 | Operational and Systems Continuity | Testing | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Testing | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Testing | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Testing | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Respond to and triage when an incident is detected. CC ID 06942 | Operational management | Monitor and Evaluate Occurrences | |
Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 | Operational management | Log Management | |
Configure security and protection software to check for up-to-date signature files. CC ID 00576 | System hardening through configuration management | Testing | |
Configure security and protection software to check for phishing attacks. CC ID 04569 | System hardening through configuration management | Technical Security | |
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 | Records management | Records Management | |
Include relevant resources needed for the system design project in the system requirements specification. CC ID 01036 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include pertinent legal requirements in the system requirements specification. CC ID 01037 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include recordkeeping documentation standards in the system requirements specification. CC ID 01038 | Systems design, build, and implementation | Records Management | |
Include archives and record management standards in the system requirements specification. CC ID 01039 | Systems design, build, and implementation | Records Management | |
Include privacy requirements in the system requirements specification. CC ID 01040 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include file format standards in the system requirements specification. CC ID 01041 | Systems design, build, and implementation | Records Management | |
Include record retention requirements in the system requirements specification. CC ID 01042 | Systems design, build, and implementation | Records Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 [An Institution may terminate its agreement to use Reserve Bank services and/or applications through an Electronic Connection and its agreement to the terms of this Circular by giving not less than thirty (30) calendar days' prior written notice to the Reserve Bank(s) with which it has Electronic Connections. A Reserve Bank may terminate an Institution's or its Service Provider's authority to use an Electronic Connection on similar notice. In addition, a Reserve Bank immediately may terminate an Institution's or its Service Provider's Electronic Connection if the Reserve Bank, in its sole discretion, determines that continued use of the Electronic Connection poses a risk to the Reserve Bank or others, or the Reserve Bank believes that the Institution or its Service Provider is in violation of this Circular. 7.1 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1 In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 | Third Party and supply chain oversight | Testing | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i) The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Data and Information Management | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Business Processes | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Third Party and supply chain oversight | Business Processes | |
Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Systems Continuity | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1 {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org.
5.1 ¶ 1(e) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 
5.3 ¶ 1 {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Third Party and supply chain oversight | Testing | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
Request attestation of compliance from third parties. CC ID 12067 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Third Party and supply chain oversight | Business Processes | |
Document the third parties compliance with the organization's system hardening framework. CC ID 04263 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Third Party and supply chain oversight | Technical Security | |
Implement physical security controls at all supply chain member locations. CC ID 08933 | Third Party and supply chain oversight | Business Processes |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) When a Settlement Instruction is issued, the Offline Security Procedure involves a telephone call initiated by an authorized employee of the Settlement Agent followed by the transmission by e-mail or facsimile of a Settlement Instruction signed (in the case of a facsimile) by an authorized employee of the Settlement Agent or sent from the e-mail address of an authorized employee of the Settlement Agent. Appendix A 2.3(c) ¶ 5] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information classification standard. CC ID 00601 ["Confidential Information" shall include all information, provided in writing, electronically or orally, which is designated by Reserve Bank herein or by other means as "Confidential." All security-related information, including information regarding Access Control Features and security procedures, whether or not it is labeled as "Confidential," is hereby designated as "Confidential," unless a Reserve Bank makes any such information generally available to the public (i.e., places it on its unrestricted public Web site or otherwise publishes it to the general public). Confidential Information contains trade secrets, proprietary information or security information of Reserve Banks or others. Unauthorized disclosure of Confidential Information likely would cause a Reserve Bank immediate and irreparable damage for which there may be no adequate remedy at law. 5.4 ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement of the Institution's responsibility to adhere to the Security Requirements; Appendix A 3.2 ¶ 1(i)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain intrusion management operations. CC ID 00580 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Monitoring and measurement | Configuration | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Audits and risk management | Establish Roles | |
Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Establish Roles | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 | Audits and risk management | Audits and Risk Management | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Actionable Reports or Measurements | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Audits and risk management | Records Management | |
Audit policies, standards, and procedures. CC ID 12927 [As further described in Section 3 of Appendix A, the Institution and its Service Providers, if any, shall (i) conduct, at least annually, a self-assessment of its adherence to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, as well as any additional security measures established by the Institution or Service Provider, and (ii) upon the request of the Reserve Bank, attest to its completion of such self-assessment in a form and manner acceptable to the Reserve Bank. 5.3 ¶ 2 {annual basis} Each Institution and, if applicable, any Service Provider, shall at least annually conduct a self-assessment of its compliance with the Security Requirements ("Self-Assessment"). The Self-Assessment may be calibrated based on an Institution's analysis of the risks it faces. However, the Reserve Banks may in their discretion require that the Self-Assessment be conducted or reviewed by an independent third party, an internal audit function, or an internal compliance function. Appendix A 3.1 ¶ 2] | Audits and risk management | Audits and Risk Management | |
Establish and maintain organizational audit reports. CC ID 06731 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the word independent in the title of audit reports. CC ID 07003 [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)] | Audits and risk management | Actionable Reports or Measurements | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Actionable Reports or Measurements | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A confirmation that the Institution has conducted a Self-Assessment within the time period requested by the Reserve Banks; Appendix A 3.2 ¶ 1(ii)] | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 [{independent internal department} Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, a confirmation that the Self-Assessment was either (i) conducted by an independent third party, (ii) conducted by an independent internal function such as internal audit or compliance, or (iii) to the extent the Self-Assessment was conducted by a non-independent party or function, an independent third party reviewed the work conducted in connection with the Self-Assessment to establish that it was designed and conducted in a manner reasonably sufficient to identify any material noncompliance with the Security Requirements; Appendix A 3.2 ¶ 1(iii)] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Establish/Maintain Documentation | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: A statement that the Institution has remediation plans in place, including procedures to escalate concerns to the appropriate leaders within the Institution, to promptly address any areas of noncompliance with the Security Requirements; and Appendix A 3.2 ¶ 1(v)] | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Actionable Reports or Measurements | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Establish/Maintain Documentation | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Audits and Risk Management | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Behavior | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: If applicable, an acknowledgement that the Institution is responsible for its Service Provider's compliance with the Security Requirements; Appendix A 3.2 ¶ 1(iv)] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Establish/Maintain Documentation | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Establish/Maintain Documentation | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Establish/Maintain Documentation | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Establish/Maintain Documentation | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Actionable Reports or Measurements | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: Appendix A 3.2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Behavior | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 [Each Institution shall maintain, consistent with its records management policy, the records of the Self-Assessment, the appropriate documentation supporting the results of the Self-Assessment, and a copy of the Attestation itself. Appendix A 3.3 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Audits and Risk Management | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain access control policies. CC ID 00512 [An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a)] | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the access control policy. CC ID 14006 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the access control policy. CC ID 14005 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the access control policy. CC ID 14004 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the access control policy. CC ID 14003 | Technical security | Establish/Maintain Documentation | |
Include the scope in the access control policy. CC ID 14002 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the access control policy. CC ID 14001 | Technical security | Establish/Maintain Documentation | |
Document the business need justification for user accounts. CC ID 15490 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
Enable access control for objects and users on each system. CC ID 04553 [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1 {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Technical security | Configuration | |
Include all system components in the access control system. CC ID 11939 | Technical security | Technical Security | |
Set access control for objects and users to "deny all" unless explicitly authorized. CC ID 06301 | Technical security | Process or Activity | |
Enable access control for objects and users to match restrictions set by the system's security classification. CC ID 04850 | Technical security | Technical Security | |
Enable attribute-based access control for objects and users on information systems. CC ID 16351 | Technical security | Technical Security | |
Enable role-based access control for objects and users on information systems. CC ID 12458 | Technical security | Technical Security | |
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 | Technical security | Establish Roles | |
Enforce access restrictions for restricted data. CC ID 01921 [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Technical security | Data and Information Management | |
Establish, implement, and maintain a system use agreement for each information system. CC ID 06500 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Accept and sign the system use agreement before data or system access is enabled. CC ID 06501 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain User Access Management procedures. CC ID 00514 | Technical security | Technical Security | |
Establish, implement, and maintain an authority for access authorization list. CC ID 06782 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3 The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | Technical security | Establish/Maintain Documentation | |
Review and approve logical access to all assets based upon organizational policies. CC ID 06641 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Technical security | Technical Security | |
Establish, implement, and maintain access control procedures. CC ID 11663 | Technical security | Establish/Maintain Documentation | |
Grant access to authorized personnel or systems. CC ID 12186 | Technical security | Configuration | |
Document approving and granting access in the access control log. CC ID 06786 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3 The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 | Technical security | Communicate | |
Establish, implement, and maintain an identification and authentication policy. CC ID 14033 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain identification and authentication procedures. CC ID 14053 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the identification and authentication procedures to interested personnel and affected parties. CC ID 14223 | Technical security | Communicate | |
Identify and control all network access controls. CC ID 00529 [The Reserve Banks require the use of specified Access Control Features to establish an Electronic Connection, and/or to permit access to certain services or applications over the connection. A Reserve Bank may provide, on request and where appropriate, either Computer Interface Protocol Specifications, product specifications, or Software (including documentation) to enable a connection to the Reserve Banks' network. 4.2 ¶ 1] | Technical security | Technical Security | |
Establish, implement, and maintain a network configuration standard. CC ID 00530 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain network segmentation requirements. CC ID 16380 | Technical security | Establish/Maintain Documentation | |
Enforce the network segmentation requirements. CC ID 16381 | Technical security | Process or Activity | |
Ensure the data plane, control plane, and management plane have been segregated according to organizational standards. CC ID 16385 | Technical security | Technical Security | |
Establish, implement, and maintain a network security policy. CC ID 06440 | Technical security | Establish/Maintain Documentation | |
Include compliance requirements in the network security policy. CC ID 14205 | Technical security | Establish/Maintain Documentation | |
Include coordination amongst entities in the network security policy. CC ID 14204 | Technical security | Establish/Maintain Documentation | |
Include management commitment in the network security policy. CC ID 14203 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the network security policy. CC ID 14202 | Technical security | Establish/Maintain Documentation | |
Include the scope in the network security policy. CC ID 14201 | Technical security | Establish/Maintain Documentation | |
Include the purpose in the network security policy. CC ID 14200 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the network security policy to interested personnel and affected parties. CC ID 14199 | Technical security | Communicate | |
Establish, implement, and maintain system and communications protection procedures. CC ID 14052 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the system and communications protection procedures to interested personnel and affected parties. CC ID 14206 | Technical security | Communicate | |
Establish, implement, and maintain a wireless networking policy. CC ID 06732 | Technical security | Establish/Maintain Documentation | |
Include usage restrictions for Bluetooth in the wireless networking policy. CC ID 16443 | Technical security | Establish/Maintain Documentation | |
Maintain up-to-date network diagrams. CC ID 00531 | Technical security | Establish/Maintain Documentation | |
Include the date of the most recent update on the network diagram. CC ID 14319 | Technical security | Establish/Maintain Documentation | |
Include virtual systems in the network diagram. CC ID 16324 | Technical security | Data and Information Management | |
Include the organization's name in the network diagram. CC ID 14318 | Technical security | Establish/Maintain Documentation | |
Include Internet Protocol addresses in the network diagram. CC ID 16244 | Technical security | Establish/Maintain Documentation | |
Include Domain Name System names in the network diagram. CC ID 16240 | Technical security | Establish/Maintain Documentation | |
Accept, by formal signature, the security implications of the network topology. CC ID 12323 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 | Technical security | Communicate | |
Maintain up-to-date data flow diagrams. CC ID 10059 | Technical security | Establish/Maintain Documentation | |
Include information flows to third parties in the data flow diagram. CC ID 13185 | Technical security | Establish/Maintain Documentation | |
Document where data-at-rest and data in transit is encrypted on the data flow diagram. CC ID 16412 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the data flow diagrams to interested personnel and affected parties. CC ID 16407 | Technical security | Communicate | |
Manage all internal network connections. CC ID 06329 | Technical security | Technical Security | |
Employ Dynamic Host Configuration Protocol server logging when assigning dynamic IP addresses using the Dynamic Host Configuration Protocol. CC ID 12109 | Technical security | Technical Security | |
Establish, implement, and maintain separate virtual private networks to transport sensitive information. CC ID 12124 | Technical security | Technical Security | |
Establish, implement, and maintain separate virtual local area networks for untrusted devices. CC ID 12095 | Technical security | Technical Security | |
Plan for and approve all network changes. CC ID 00534 | Technical security | Technical Security | |
Manage all external network connections. CC ID 11842 | Technical security | Technical Security | |
Route outbound Internet traffic through a proxy server that supports decrypting network traffic. CC ID 12116 | Technical security | Technical Security | |
Prohibit systems from connecting directly to external networks. CC ID 08709 | Technical security | Configuration | |
Prohibit systems from connecting directly to internal networks outside the demilitarized zone (DMZ). CC ID 16360 | Technical security | Technical Security | |
Secure the Domain Name System. CC ID 00540 | Technical security | Configuration | |
Implement a fault-tolerant architecture. CC ID 01626 | Technical security | Technical Security | |
Implement segregation of duties. CC ID 11843 | Technical security | Technical Security | |
Configure the network to limit zone transfers to trusted servers. CC ID 01876 | Technical security | Configuration | |
Establish, implement, and maintain a Boundary Defense program. CC ID 00544 | Technical security | Establish/Maintain Documentation | |
Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary. CC ID 11891 | Technical security | Technical Security | |
Authorize the disclosure of private Internet Protocol addresses and routing information to external entities. CC ID 12034 | Technical security | Communicate | |
Segregate systems in accordance with organizational standards. CC ID 12546 | Technical security | Technical Security | |
Implement gateways between security domains. CC ID 16493 | Technical security | Systems Design, Build, and Implementation | |
Implement resource-isolation mechanisms in organizational networks. CC ID 16438 | Technical security | Technical Security | |
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533 | Technical security | Technical Security | |
Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310 | Technical security | Technical Security | |
Design Demilitarized Zones with proper isolation rules. CC ID 00532 | Technical security | Technical Security | |
Restrict outbound network traffic out of the Demilitarized Zone. CC ID 16881 | Technical security | Technical Security | |
Restrict inbound network traffic into the Demilitarized Zone. CC ID 01285 | Technical security | Data and Information Management | |
Restrict inbound network traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 | Technical security | Technical Security | |
Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 | Technical security | Technical Security | |
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 | Technical security | Data and Information Management | |
Establish, implement, and maintain a network access control standard. CC ID 00546 | Technical security | Establish/Maintain Documentation | |
Include assigned roles and responsibilities in the network access control standard. CC ID 06410 | Technical security | Establish Roles | |
Employ firewalls to secure network connections between networks of different security categorizations. CC ID 16373 | Technical security | Technical Security | |
Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 | Technical security | Technical Security | |
Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274 | Technical security | Configuration | |
Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 | Technical security | Configuration | |
Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 | Technical security | Configuration | |
Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588 | Technical security | Technical Security | |
Include configuration management and rulesets in the network access control standard. CC ID 11845 | Technical security | Establish/Maintain Documentation | |
Secure the network access control standard against unauthorized changes. CC ID 11920 | Technical security | Establish/Maintain Documentation | |
Employ centralized management systems to configure and control networks, as necessary. CC ID 12540 | Technical security | Technical Security | |
Establish, implement, and maintain a firewall and router configuration standard. CC ID 00541 | Technical security | Configuration | |
Include compensating controls implemented for insecure protocols in the firewall and router configuration standard. CC ID 11948 | Technical security | Establish/Maintain Documentation | |
Include restricting inbound network traffic in the firewall and router configuration standard. CC ID 11960 | Technical security | Establish/Maintain Documentation | |
Include restricting outbound network traffic in the firewall and router configuration standard. CC ID 11961 | Technical security | Establish/Maintain Documentation | |
Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard. CC ID 12435 | Technical security | Establish/Maintain Documentation | |
Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard. CC ID 12434 | Technical security | Establish/Maintain Documentation | |
Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard. CC ID 12426 | Technical security | Establish/Maintain Documentation | |
Deny or strictly control wireless traffic to applications or databases that contain restricted data or restricted information. CC ID 11847 | Technical security | Configuration | |
Include a protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00537 | Technical security | Establish/Maintain Documentation | |
Configure network ports to organizational standards. CC ID 14007 | Technical security | Configuration | |
Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 12547 | Technical security | Establish/Maintain Documentation | |
Include the use of protocols above and beyond common information service protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 00539 | Technical security | Establish/Maintain Documentation | |
Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard. CC ID 01280 | Technical security | Establish/Maintain Documentation | |
Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list. CC ID 12033 | Technical security | Establish/Maintain Documentation | |
Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration. CC ID 12032 | Technical security | Establish/Maintain Documentation | |
Install and configure firewalls to be enabled on all mobile devices, if possible. CC ID 00550 | Technical security | Configuration | |
Lock personal firewall configurations to prevent them from being disabled or changed by end users. CC ID 06420 | Technical security | Technical Security | |
Configure network access and control points to protect restricted data or restricted information. CC ID 01284 | Technical security | Configuration | |
Protect data stored at external locations. CC ID 16333 | Technical security | Data and Information Management | |
Protect the firewall's network connection interfaces. CC ID 01955 | Technical security | Technical Security | |
Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 | Technical security | Configuration | |
Allow local program exceptions on the firewall, as necessary. CC ID 01956 | Technical security | Configuration | |
Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 | Technical security | Configuration | |
Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 | Technical security | Configuration | |
Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 | Technical security | Configuration | |
Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 | Technical security | Configuration | |
Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 | Technical security | Configuration | |
Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 | Technical security | Configuration | |
Allow notification exceptions on the firewall, as necessary. CC ID 01962 | Technical security | Configuration | |
Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 | Technical security | Configuration | |
Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 | Technical security | Configuration | |
Allow local port exceptions on the firewall, as necessary. CC ID 01966 | Technical security | Configuration | |
Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 | Technical security | Configuration | |
Establish, implement, and maintain packet filtering requirements. CC ID 16362 | Technical security | Technical Security | |
Configure firewall filtering to only permit established connections into the network. CC ID 12482 | Technical security | Technical Security | |
Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 | Technical security | Data and Information Management | |
Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 | Technical security | Data and Information Management | |
Synchronize and secure all router configuration files. CC ID 01291 | Technical security | Configuration | |
Synchronize and secure all firewall configuration files. CC ID 11851 | Technical security | Configuration | |
Configure firewalls to generate an audit log. CC ID 12038 | Technical security | Audits and Risk Management | |
Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 | Technical security | Configuration | |
Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 | Technical security | Establish/Maintain Documentation | |
Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 | Technical security | Establish/Maintain Documentation | |
Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 | Technical security | Establish/Maintain Documentation | |
Install and configure application layer firewalls for all key web-facing applications. CC ID 01450 | Technical security | Configuration | |
Update application layer firewalls to the most current version. CC ID 12037 | Technical security | Process or Activity | |
Establish, implement, and maintain Voice over Internet Protocol Configuration Management standards. CC ID 11853 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard. CC ID 11854 | Technical security | Establish/Maintain Documentation | |
Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards. CC ID 00751 | Technical security | Configuration | |
Remove all unauthorized Wireless Local Area Networks. CC ID 06309 | Technical security | Configuration | |
Establish, implement, and maintain Voice over Internet Protocol design specification. CC ID 01449 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain a Wireless Local Area Network Configuration Management program. CC ID 01646 | Technical security | Establish/Maintain Documentation | |
Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks. CC ID 01647 | Technical security | Technical Security | |
Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access. CC ID 01648 | Technical security | Configuration | |
Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points. CC ID 00605 | Technical security | Technical Security | |
Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks. CC ID 04830 | Technical security | Configuration | |
Remove all unauthorized wireless access points. CC ID 11856 | Technical security | Configuration | |
Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Establish/Maintain Documentation | |
Constrain the information flow of restricted data or restricted information. CC ID 06763 | Technical security | Data and Information Management | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Technical security | Data and Information Management | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii)] | Technical security | Establish/Maintain Documentation | |
Define risk tolerance to illicit data flow for each type of information classification. CC ID 01923 | Technical security | Data and Information Management | |
Establish, implement, and maintain a document printing policy. CC ID 14384 | Technical security | Establish/Maintain Documentation | |
Include printing to personal printers during a continuity event in the document printing policy. CC ID 14396 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow procedures. CC ID 04542 | Technical security | Establish/Maintain Documentation | |
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Data and Information Management | |
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Data and Information Management | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 [An Institution or its Service Provider must manage its Electronic Connection(s) so as to permit the Reserve Banks to send data to the Institution or the Service Provider, and to permit the Institution or the Service Provider to receive data from the Reserve Banks, on a timely basis throughout the day. A Reserve Bank is not responsible for any delay in sending data (or for notifying any party of such a delay), if the delay results from the Institution's or its Service Provider's failure to so manage its connection(s), or from any cause other than the Reserve Bank's failure to exercise ordinary care or to act in good faith. The Reserve Bank's records shall be determinative of when data has been received by a Reserve Bank or when a Reserve Bank sends data to, or makes it retrievable by, the Institution or its Service Provider. 5.5(a)] | Technical security | Establish/Maintain Documentation | |
Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Data and Information Management | |
Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Data and Information Management | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Data and Information Management | |
Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Technical security | Data and Information Management | |
Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Technical security | Data and Information Management | |
Review and approve information exchange system connections. CC ID 07143 | Technical security | Technical Security | |
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Log Management | |
Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services. CC ID 13104 | Technical security | Technical Security | |
Refrain from storing restricted data at unsafe Internet services or virtual servers. CC ID 13107 | Technical security | Technical Security | |
Establish, implement, and maintain whitelists and blacklists of domain names. CC ID 07097 | Technical security | Establish/Maintain Documentation | |
Deploy sender policy framework records in the organization's Domain Name Servers. CC ID 12183 | Technical security | Configuration | |
Block uncategorized sites using URL filtering. CC ID 12140 | Technical security | Technical Security | |
Establish, implement, and maintain whitelists and blacklists of web content. CC ID 15234 | Technical security | Data and Information Management | |
Establish, implement, and maintain whitelists and blacklists of software. CC ID 11780 | Technical security | Establish/Maintain Documentation | |
Implement information flow control policies when making decisions about information sharing or collaboration. CC ID 10094 | Technical security | Behavior | |
Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Technical security | Technical Security | |
Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Business Processes | |
Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Establish/Maintain Documentation | |
Define the cryptographic boundaries. CC ID 06543 | Technical security | Establish/Maintain Documentation | |
Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Establish/Maintain Documentation | |
Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Establish/Maintain Documentation | |
Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Data and Information Management | |
Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Establish/Maintain Documentation | |
Document the operation of the cryptographic module. CC ID 06546 | Technical security | Establish/Maintain Documentation | |
Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Technical Security | |
Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Data and Information Management | |
Include the expiration date in digital signatures. CC ID 13833 | Technical security | Data and Information Management | |
Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Data and Information Management | |
Include the subject in digital signatures. CC ID 13832 | Technical security | Data and Information Management | |
Include the issuer in digital signatures. CC ID 13831 | Technical security | Data and Information Management | |
Include identifiers in the digital signature. CC ID 13829 | Technical security | Data and Information Management | |
Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Establish/Maintain Documentation | |
Establish the security strength requirements for the digital signature process. CC ID 06578 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Establish/Maintain Documentation | |
Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 | Technical security | Configuration | |
Encrypt in scope data or in scope information, as necessary. CC ID 04824 | Technical security | Data and Information Management | |
Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
Make key usage for data fields unique for each device. CC ID 04828 | Technical security | Technical Security | |
Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Technical Security | |
Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 | Technical security | Data and Information Management | |
Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Process or Activity | |
Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Process or Activity | |
Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Process or Activity | |
Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Communicate | |
Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Establish/Maintain Documentation | |
Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Establish Roles | |
Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Communicate | |
Bind keys to each identity. CC ID 12337 | Technical security | Technical Security | |
Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Establish/Maintain Documentation | |
Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Establish/Maintain Documentation | |
Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Data and Information Management | |
Generate strong cryptographic keys. CC ID 01299 | Technical security | Data and Information Management | |
Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Technical Security | |
Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Data and Information Management | |
Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Technical Security | |
Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 | Technical security | Establish/Maintain Documentation | |
Disseminate and communicate cryptographic keys securely. CC ID 01300 | Technical security | Data and Information Management | |
Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Data and Information Management | |
Store cryptographic keys securely. CC ID 01298 | Technical security | Data and Information Management | |
Restrict access to cryptographic keys. CC ID 01297 | Technical security | Data and Information Management | |
Store cryptographic keys in encrypted format. CC ID 06084 | Technical security | Data and Information Management | |
Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Technical Security | |
Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Data and Information Management | |
Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Data and Information Management | |
Control cryptographic keys with split knowledge and dual control. CC ID 01304 | Technical security | Data and Information Management | |
Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Data and Information Management | |
Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Technical Security | |
Archive outdated cryptographic keys. CC ID 06884 | Technical security | Data and Information Management | |
Archive revoked cryptographic keys. CC ID 11819 | Technical security | Data and Information Management | |
Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Establish/Maintain Documentation | |
Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Human Resources Management | |
Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Data and Information Management | |
Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Establish/Maintain Documentation | |
Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Establish/Maintain Documentation | |
Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Establish/Maintain Documentation | |
Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Establish/Maintain Documentation | |
Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Establish/Maintain Documentation | |
Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Establish/Maintain Documentation | |
Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Technical Security | |
Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 | Technical security | Technical Security | |
Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 | Technical security | Establish/Maintain Documentation | |
Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 | Technical security | Establish/Maintain Documentation | |
Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Establish/Maintain Documentation | |
Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Establish/Maintain Documentation | |
Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Technical Security | |
Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Records Management | |
Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Technical Security | |
Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Technical Security | |
Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 | Technical security | Technical Security | |
Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Configuration | |
Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Technical Security | |
Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Technical Security | |
Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Establish/Maintain Documentation | |
Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 | Technical security | Technical Security | |
Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Technical Security | |
Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Technical Security | |
Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain malicious code protection procedures. CC ID 15483 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Technical security | Establish/Maintain Documentation | |
Install security and protection software, as necessary. CC ID 00575 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | Technical security | Configuration | |
Install and maintain container security solutions. CC ID 16178 | Technical security | Technical Security | |
Establish, implement, and maintain a physical security program. CC ID 11757 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical security plans. CC ID 13307 | Physical and environmental protection | Establish/Maintain Documentation | |
Include a maintenance schedule for the physical security plan in the physical security plan. CC ID 13309 | Physical and environmental protection | Establish/Maintain Documentation | |
Document any reasons for modifying or refraining from modifying the physical security plan after it has been reviewed. CC ID 13315 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain physical security procedures. CC ID 13076 | Physical and environmental protection | Establish/Maintain Documentation | |
Analyze and evaluate engineering systems. CC ID 13080 | Physical and environmental protection | Physical and Environmental Protection | |
Analyze and evaluate facilities and their structural elements. CC ID 13079 | Physical and environmental protection | Physical and Environmental Protection | |
Analyze and evaluate mechanical systems, as necessary. CC ID 13078 | Physical and environmental protection | Physical and Environmental Protection | |
Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 | Physical and environmental protection | Configuration | |
Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 | Physical and environmental protection | Configuration | |
Alert interested personnel and affected parties when evidence of tampering is discovered. CC ID 15319 | Physical and environmental protection | Communicate | |
Protect assets from tampering or unapproved substitution. CC ID 11902 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain opening procedures for businesses. CC ID 16671 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain closing procedures for businesses. CC ID 16670 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 | Physical and environmental protection | Behavior | |
Protect the facility from crime. CC ID 06347 | Physical and environmental protection | Physical and Environmental Protection | |
Define communication methods for reporting crimes. CC ID 06349 | Physical and environmental protection | Establish/Maintain Documentation | |
Include identification cards or badges in the physical security program. CC ID 14818 | Physical and environmental protection | Establish/Maintain Documentation | |
Protect facilities from eavesdropping. CC ID 02222 | Physical and environmental protection | Physical and Environmental Protection | |
Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Physical and Environmental Protection | |
Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Physical and Environmental Protection | |
Create security zones in facilities, as necessary. CC ID 16295 | Physical and environmental protection | Physical and Environmental Protection | |
Establish clear zones around any sensitive facilities. CC ID 02214 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain floor plans. CC ID 16419 | Physical and environmental protection | Establish/Maintain Documentation | |
Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 | Physical and environmental protection | Establish/Maintain Documentation | |
Post floor plans of critical facilities in secure locations. CC ID 16138 | Physical and environmental protection | Communicate | |
Post and maintain security signage for all facilities. CC ID 02201 | Physical and environmental protection | Establish/Maintain Documentation | |
Inspect items brought into the facility. CC ID 06341 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain all physical security systems. CC ID 02206 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain all security alarm systems. CC ID 11669 | Physical and environmental protection | Physical and Environmental Protection | |
Identify and document physical access controls for all physical entry points. CC ID 01637 | Physical and environmental protection | Establish/Maintain Documentation | |
Control physical access to (and within) the facility. CC ID 01329 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain physical access procedures. CC ID 13629 | Physical and environmental protection | Establish/Maintain Documentation | |
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 | Physical and environmental protection | Physical and Environmental Protection | |
Configure the access control system to grant access only during authorized working hours. CC ID 12325 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a visitor access permission policy. CC ID 06699 | Physical and environmental protection | Establish/Maintain Documentation | |
Escort visitors within the facility, as necessary. CC ID 06417 | Physical and environmental protection | Establish/Maintain Documentation | |
Check the visitor's stated identity against a provided government issued identification. CC ID 06701 | Physical and environmental protection | Physical and Environmental Protection | |
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 | Physical and environmental protection | Testing | |
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 | Physical and environmental protection | Establish/Maintain Documentation | |
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 | Physical and environmental protection | Establish/Maintain Documentation | |
Authorize physical access to sensitive areas based on job functions. CC ID 12462 | Physical and environmental protection | Establish/Maintain Documentation | |
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain physical identification procedures. CC ID 00713 | Physical and environmental protection | Establish/Maintain Documentation | |
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 | Physical and environmental protection | Human Resources Management | |
Implement physical identification processes. CC ID 13715 | Physical and environmental protection | Process or Activity | |
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 | Physical and environmental protection | Process or Activity | |
Issue photo identification badges to all employees. CC ID 12326 | Physical and environmental protection | Physical and Environmental Protection | |
Implement operational requirements for card readers. CC ID 02225 | Physical and environmental protection | Testing | |
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 | Physical and environmental protection | Establish/Maintain Documentation | |
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 | Physical and environmental protection | Physical and Environmental Protection | |
Manage constituent identification inside the facility. CC ID 02215 | Physical and environmental protection | Behavior | |
Direct each employee to be responsible for their identification card or badge. CC ID 12332 | Physical and environmental protection | Human Resources Management | |
Manage visitor identification inside the facility. CC ID 11670 | Physical and environmental protection | Physical and Environmental Protection | |
Issue visitor identification badges to all non-employees. CC ID 00543 | Physical and environmental protection | Behavior | |
Secure unissued visitor identification badges. CC ID 06712 | Physical and environmental protection | Physical and Environmental Protection | |
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 | Physical and environmental protection | Behavior | |
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 | Physical and environmental protection | Process or Activity | |
Include error handling controls in identification issuance procedures. CC ID 13709 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an appeal process in the identification issuance procedures. CC ID 15428 | Physical and environmental protection | Business Processes | |
Include information security in the identification issuance procedures. CC ID 15425 | Physical and environmental protection | Establish/Maintain Documentation | |
Include identity proofing processes in the identification issuance procedures. CC ID 06597 | Physical and environmental protection | Process or Activity | |
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 | Physical and environmental protection | Establish/Maintain Documentation | |
Include an identity registration process in the identification issuance procedures. CC ID 11671 | Physical and environmental protection | Establish/Maintain Documentation | |
Restrict access to the badge system to authorized personnel. CC ID 12043 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for badge assignments. CC ID 12328 | Physical and environmental protection | Physical and Environmental Protection | |
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 | Physical and environmental protection | Physical and Environmental Protection | |
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 | Physical and environmental protection | Establish/Maintain Documentation | |
Assign employees the responsibility for controlling their identification badges. CC ID 12333 | Physical and environmental protection | Human Resources Management | |
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 | Physical and environmental protection | Establish/Maintain Documentation | |
Prevent tailgating through physical entry points. CC ID 06685 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a door security standard. CC ID 06686 | Physical and environmental protection | Establish/Maintain Documentation | |
Install doors so that exposed hinges are on the secured side. CC ID 06687 | Physical and environmental protection | Configuration | |
Install emergency doors to permit egress only. CC ID 06688 | Physical and environmental protection | Configuration | |
Install contact alarms on doors, as necessary. CC ID 06710 | Physical and environmental protection | Configuration | |
Use locks to protect against unauthorized physical access. CC ID 06342 | Physical and environmental protection | Physical and Environmental Protection | |
Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 | Physical and environmental protection | Configuration | |
Secure unissued access mechanisms. CC ID 06713 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 | Physical and environmental protection | Establish/Maintain Documentation | |
Change cipher lock codes, as necessary. CC ID 06651 | Physical and environmental protection | Technical Security | |
Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a window security standard. CC ID 06689 | Physical and environmental protection | Establish/Maintain Documentation | |
Install contact alarms on openable windows, as necessary. CC ID 06690 | Physical and environmental protection | Configuration | |
Install glass break alarms on windows, as necessary. CC ID 06691 | Physical and environmental protection | Configuration | |
Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 | Physical and environmental protection | Establish/Maintain Documentation | |
Install and maintain security lighting at all physical entry points. CC ID 02205 | Physical and environmental protection | Physical and Environmental Protection | |
Use vandal resistant light fixtures for all security lighting. CC ID 16130 | Physical and environmental protection | Physical and Environmental Protection | |
Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 | Physical and environmental protection | Physical and Environmental Protection | |
Secure the loading dock with physical access controls or security guards. CC ID 06703 | Physical and environmental protection | Physical and Environmental Protection | |
Isolate loading areas from information processing facilities, if possible. CC ID 12028 | Physical and environmental protection | Physical and Environmental Protection | |
Screen incoming mail and deliveries. CC ID 06719 | Physical and environmental protection | Physical and Environmental Protection | |
Protect access to the facility's mechanical systems area. CC ID 02212 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain elevator security guidelines. CC ID 02232 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain stairwell security guidelines. CC ID 02233 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain glass opening security guidelines. CC ID 02234 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain after hours facility access procedures. CC ID 06340 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish a security room, if necessary. CC ID 00738 | Physical and environmental protection | Physical and Environmental Protection | |
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain equipment security cages in a shared space environment. CC ID 06711 | Physical and environmental protection | Physical and Environmental Protection | |
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain vault physical security standards. CC ID 02203 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain emergency exit procedures. CC ID 01252 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a camera operating policy. CC ID 15456 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 | Physical and environmental protection | Communicate | |
Establish and maintain a visitor log. CC ID 00715 | Physical and environmental protection | Log Management | |
Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 | Physical and environmental protection | Establish/Maintain Documentation | |
Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 | Physical and environmental protection | Behavior | |
Record the visitor's name in the visitor log. CC ID 00557 | Physical and environmental protection | Log Management | |
Record the visitor's organization in the visitor log. CC ID 12121 | Physical and environmental protection | Log Management | |
Record the visitor's acceptable access areas in the visitor log. CC ID 12237 | Physical and environmental protection | Log Management | |
Record the date and time of entry in the visitor log. CC ID 13255 | Physical and environmental protection | Establish/Maintain Documentation | |
Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 | Physical and environmental protection | Establish/Maintain Documentation | |
Retain all records in the visitor log as prescribed by law. CC ID 00572 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain a physical access log. CC ID 12080 | Physical and environmental protection | Establish/Maintain Documentation | |
Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 | Physical and environmental protection | Log Management | |
Store facility access logs in off-site storage. CC ID 06958 | Physical and environmental protection | Log Management | |
Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
Configure video cameras to cover all physical entry points. CC ID 06302 | Physical and environmental protection | Configuration | |
Configure video cameras to prevent physical tampering or disablement. CC ID 06303 | Physical and environmental protection | Configuration | |
Retain video events according to Records Management procedures. CC ID 06304 | Physical and environmental protection | Records Management | |
Establish, implement, and maintain physical security threat reports. CC ID 02207 | Physical and environmental protection | Establish/Maintain Documentation | |
Build and maintain fencing, as necessary. CC ID 02235 | Physical and environmental protection | Physical and Environmental Protection | |
Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 | Physical and environmental protection | Physical and Environmental Protection | |
Physically segregate business areas in accordance with organizational standards. CC ID 16718 | Physical and environmental protection | Physical and Environmental Protection | |
Employ security guards to provide physical security, as necessary. CC ID 06653 | Physical and environmental protection | Establish Roles | |
Establish, implement, and maintain a facility wall standard. CC ID 06692 | Physical and environmental protection | Establish/Maintain Documentation | |
Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 | Physical and environmental protection | Physical and Environmental Protection | |
Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 | Physical and environmental protection | Configuration | |
Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 | Physical and environmental protection | Behavior | |
Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 | Physical and environmental protection | Behavior | |
Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 | Physical and environmental protection | Business Processes | |
Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 | Physical and environmental protection | Behavior | |
Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 [{physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Physical and environmental protection | Physical and Environmental Protection | |
Control the transiting and internal distribution or external distribution of assets. CC ID 00963 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Physical and environmental protection | Records Management | |
Log the transiting, internal distribution, and external distribution of restricted storage media. CC ID 12321 | Physical and environmental protection | Log Management | |
Encrypt digital media containing sensitive information during transport outside controlled areas. CC ID 14258 | Physical and environmental protection | Technical Security | |
Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964 | Physical and environmental protection | Records Management | |
Use locked containers to transport non-digital media outside of controlled areas. CC ID 14286 | Physical and environmental protection | Physical and Environmental Protection | |
Transport restricted media using a delivery method that can be tracked. CC ID 11777 | Physical and environmental protection | Business Processes | |
Restrict physical access to distributed assets. CC ID 11865 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) {unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Physical and environmental protection | Physical and Environmental Protection | |
House network hardware in lockable rooms or lockable equipment cabinets. CC ID 01873 | Physical and environmental protection | Physical and Environmental Protection | |
Protect electronic storage media with physical access controls. CC ID 00720 | Physical and environmental protection | Physical and Environmental Protection | |
Protect physical assets with earthquake-resistant mechanisms. CC ID 06360 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a media protection policy. CC ID 14029 | Physical and environmental protection | Establish/Maintain Documentation | |
Include compliance requirements in the media protection policy. CC ID 14185 | Physical and environmental protection | Establish/Maintain Documentation | |
Include coordination amongst entities in the media protection policy. CC ID 14184 | Physical and environmental protection | Establish/Maintain Documentation | |
Include management commitment in the media protection policy. CC ID 14182 | Physical and environmental protection | Establish/Maintain Documentation | |
Include roles and responsibilities in the media protection policy. CC ID 14180 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the scope in the media protection policy. CC ID 14167 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the purpose in the media protection policy. CC ID 14166 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection policy to interested personnel and affected parties. CC ID 14165 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain media protection procedures. CC ID 14062 | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the media protection procedures to interested personnel and affected parties. CC ID 14186 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain removable storage media controls. CC ID 06680 | Physical and environmental protection | Data and Information Management | |
Control access to restricted storage media. CC ID 04889 | Physical and environmental protection | Data and Information Management | |
Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 | Physical and environmental protection | Physical and Environmental Protection | |
Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 | Physical and environmental protection | Records Management | |
Treat archive media as evidence. CC ID 00960 | Physical and environmental protection | Records Management | |
Log the transfer of removable storage media. CC ID 12322 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain storage media access control procedures. CC ID 00959 | Physical and environmental protection | Establish/Maintain Documentation | |
Require removable storage media be in the custody of an authorized individual. CC ID 12319 | Physical and environmental protection | Behavior | |
Control the storage of restricted storage media. CC ID 00965 | Physical and environmental protection | Records Management | |
Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717 | Physical and environmental protection | Physical and Environmental Protection | |
Protect the combinations for all combination locks. CC ID 02199 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain electronic media storage container repair guidelines. CC ID 02200 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain eavesdropping protection for vaults. CC ID 02231 | Physical and environmental protection | Physical and Environmental Protection | |
Serialize all removable storage media. CC ID 00949 | Physical and environmental protection | Configuration | |
Protect distributed assets against theft. CC ID 06799 | Physical and environmental protection | Physical and Environmental Protection | |
Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Physical and environmental protection | Establish/Maintain Documentation | |
Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Communicate | |
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Establish/Maintain Documentation | |
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Process or Activity | |
Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Physical and Environmental Protection | |
Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Establish/Maintain Documentation | |
Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain end user computing device security guidelines. CC ID 00719 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a locking screen saver policy. CC ID 06717 | Physical and environmental protection | Establish/Maintain Documentation | |
Encrypt information stored on devices in publicly accessible areas. CC ID 16410 | Physical and environmental protection | Data and Information Management | |
Secure workstations to desks with security cables. CC ID 04724 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a mobile device management program. CC ID 15212 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a mobile device management policy. CC ID 15214 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain mobile device emergency sanitization procedures. CC ID 16454 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain mobile device security guidelines. CC ID 04723 | Physical and environmental protection | Establish/Maintain Documentation | |
Require users to refrain from leaving mobile devices unattended. CC ID 16446 | Physical and environmental protection | Business Processes | |
Wipe information from mobile devices after a predetermined number of unsuccessful logon attempts. CC ID 14242 | Physical and environmental protection | Data and Information Management | |
Include the expectation of data loss in the event of sanitizing the mobile device in the mobile device security guidelines. CC ID 12292 | Physical and environmental protection | Establish/Maintain Documentation | |
Include legal requirements in the mobile device security guidelines. CC ID 12291 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the use of privacy filters in the mobile device security guidelines. CC ID 16452 | Physical and environmental protection | Physical and Environmental Protection | |
Include prohibiting the usage of unapproved application stores in the mobile device security guidelines. CC ID 12290 | Physical and environmental protection | Establish/Maintain Documentation | |
Include requiring users to create data backups in the mobile device security guidelines. CC ID 12289 | Physical and environmental protection | Establish/Maintain Documentation | |
Include the definition of mobile devices in the mobile device security guidelines. CC ID 12288 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from responding to unsolicited Personal Identification Number requests. CC ID 12430 | Physical and environmental protection | Physical and Environmental Protection | |
Refrain from pairing Bluetooth devices in unsecured areas. CC ID 12429 | Physical and environmental protection | Physical and Environmental Protection | |
Encrypt information stored on mobile devices. CC ID 01422 | Physical and environmental protection | Data and Information Management | |
Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls. CC ID 00722 | Physical and environmental protection | Physical and Environmental Protection | |
Secure system components from unauthorized viewing. CC ID 01437 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain asset return procedures. CC ID 04537 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Physical and environmental protection | Establish/Maintain Documentation | |
Request the return of all appropriate assets upon notification of a personnel status change. CC ID 06678 | Physical and environmental protection | Behavior | |
Require the return of all assets upon notification an individual is terminated. CC ID 06679 | Physical and environmental protection | Behavior | |
Prohibit the use of recording devices near restricted data or restricted information, absent authorization. CC ID 04598 | Physical and environmental protection | Behavior | |
Prohibit usage of cell phones near restricted data or restricted information, absent authorization. CC ID 06354 | Physical and environmental protection | Behavior | |
Prohibit mobile device usage near restricted data or restricted information, absent authorization. CC ID 04597 | Physical and environmental protection | Behavior | |
Prohibit wireless technology usage near restricted data or restricted information, absent authorization. CC ID 08706 | Physical and environmental protection | Configuration | |
Establish, implement, and maintain open storage container procedures. CC ID 02198 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a clean desk policy. CC ID 06534 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain a clear screen policy. CC ID 12436 | Physical and environmental protection | Technical Security | |
Establish, implement, and maintain contact card reader security guidelines. CC ID 06588 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain contactless card reader security guidelines. CC ID 06589 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain Personal Identification Number input device security guidelines. CC ID 06590 | Physical and environmental protection | Establish/Maintain Documentation | |
Identify customer property within the organizational facility. CC ID 06612 | Physical and environmental protection | Physical and Environmental Protection | |
Protect customer property under the care of the organization. CC ID 11685 | Physical and environmental protection | Physical and Environmental Protection | |
Prohibit the unauthorized remote activation of collaborative computing devices. CC ID 06768 | Physical and environmental protection | Technical Security | |
Provide a physical disconnect of collaborative computing devices in a way that supports ease of use. CC ID 06769 | Physical and environmental protection | Configuration | |
Indicate the active use of collaborative computing devices to users physically present at the device. CC ID 10647 | Physical and environmental protection | Technical Security | |
Provide storage media shelving capable of bearing all potential loads. CC ID 11400 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain proper aircraft security. CC ID 02213 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a vehicle access program. CC ID 02216 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish parking requirements for vehicles. CC ID 02218 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain proper container security. CC ID 02208 | Physical and environmental protection | Physical and Environmental Protection | |
Lock closable storage containers. CC ID 06307 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain returned card procedures. CC ID 13567 | Physical and environmental protection | Establish/Maintain Documentation | |
Refrain from distributing returned cards to staff with the responsibility for payment card issuance. CC ID 13572 | Physical and environmental protection | Business Processes | |
Establish and maintain the physical security of non-issued payment cards. CC ID 06402 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16137 | Physical and environmental protection | Establish/Maintain Documentation | |
Control the issuance of payment cards. CC ID 06403 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a mailing control log. CC ID 16136 | Physical and environmental protection | Establish/Maintain Documentation | |
Assign roles and responsibilities for the issuance of payment cards. CC ID 16134 | Physical and environmental protection | Establish Roles | |
Inventory payment cards, as necessary. CC ID 13547 | Physical and environmental protection | Records Management | |
Store non-issued payment cards in a lockable cabinet or safe. CC ID 06404 | Physical and environmental protection | Physical and Environmental Protection | |
Deliver payment cards to customers using secure methods. CC ID 06405 | Physical and environmental protection | Physical and Environmental Protection | |
Activate payment cards sent to customers upon receiving instructions to activate the payment card. CC ID 13052 | Physical and environmental protection | Business Processes | |
Establish, implement, and maintain payment card usage security measures. CC ID 06406 | Physical and environmental protection | Establish/Maintain Documentation | |
Notify customers about payment card usage security measures. CC ID 06407 | Physical and environmental protection | Behavior | |
Establish, implement, and maintain payment card disposal procedures. CC ID 16135 | Physical and environmental protection | Establish/Maintain Documentation | |
Establish and maintain physical security of assets used for publicity. CC ID 06724 | Physical and environmental protection | Physical and Environmental Protection | |
Install and protect network cabling. CC ID 08624 | Physical and environmental protection | Physical and Environmental Protection | |
Control physical access to network cables. CC ID 00723 | Physical and environmental protection | Process or Activity | |
Install and protect fiber optic cable, as necessary. CC ID 08625 | Physical and environmental protection | Physical and Environmental Protection | |
Restrict fiber optic cables to carry only specific security classification traffic. CC ID 08628 | Physical and environmental protection | Physical and Environmental Protection | |
Label fiber optic flying leads according to security classification of data being carried over the fiber optic cables. CC ID 08640 | Physical and environmental protection | Physical and Environmental Protection | |
Install network cable in a way that allows ease of inspecting. CC ID 08626 | Physical and environmental protection | Physical and Environmental Protection | |
Bundle network cables together at each inspection point by security classification of data being carried over that cable. CC ID 08649 | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain security classifications for network cabling. CC ID 08627 | Physical and environmental protection | Establish/Maintain Documentation | |
Label conduit according to security classification of data being carried over the network cable inside the conduit. CC ID 08630 | Physical and environmental protection | Physical and Environmental Protection | |
Label each end of a network cable run. CC ID 08632 | Physical and environmental protection | Physical and Environmental Protection | |
Terminate approved network cables on the patch panel. CC ID 08633 | Physical and environmental protection | Physical and Environmental Protection | |
Color code cables in accordance with organizational standards. CC ID 16422 | Physical and environmental protection | Physical and Environmental Protection | |
Establish and maintain documentation for network cabling schemes. CC ID 08641 | Physical and environmental protection | Establish/Maintain Documentation | |
Prevent installing network cabling inside walls shared with third parties. CC ID 08648 | Physical and environmental protection | Physical and Environmental Protection | |
Install network cabling specifically for maintenance purposes. CC ID 10613 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain network jacks and outlet boxes. CC ID 08635 | Physical and environmental protection | Physical and Environmental Protection | |
Color code outlet boxes in accordance with organizational standards. CC ID 16451 | Physical and environmental protection | Physical and Environmental Protection | |
Maintain wiring circuits and outlets that are separate from the computer room. CC ID 16142 | Physical and environmental protection | Physical and Environmental Protection | |
Implement physical controls to restrict access to publicly accessible network jacks. CC ID 11989 | Physical and environmental protection | Physical and Environmental Protection | |
Label network cabling outlet boxes. CC ID 08631 | Physical and environmental protection | Physical and Environmental Protection | |
Enable network jacks at the patch panel, as necessary. CC ID 06305 | Physical and environmental protection | Configuration | |
Implement logical controls to enable network jacks, as necessary. CC ID 11934 | Physical and environmental protection | Physical and Environmental Protection | |
Identify network jacks by security classification according to security classification of data being carried over the cable. CC ID 08634 | Physical and environmental protection | Physical and Environmental Protection | |
Identify network cable faceplates by security classification according to security classification of data being carried over the cable. CC ID 08643 | Physical and environmental protection | Physical and Environmental Protection | |
Install and maintain network patch panels. CC ID 08636 | Physical and environmental protection | Physical and Environmental Protection | |
Separate network patch panels in different network cabinets according to security classification of data being carried over the cables. CC ID 08637 | Physical and environmental protection | Physical and Environmental Protection | |
Assign access to network patch panels on a need to know basis. CC ID 08638 | Physical and environmental protection | Physical and Environmental Protection | |
Encase network cabling in conduit or closed cable reticulation systems, as necessary. CC ID 08647 | Physical and environmental protection | Physical and Environmental Protection | |
Install conduit on walls connecting to network cable outlet boxes, as necessary. CC ID 08646 | Physical and environmental protection | Physical and Environmental Protection | |
Seal data conduit couplings and data conduit fitting bodies. CC ID 08629 | Physical and environmental protection | Physical and Environmental Protection | |
Install cable reticulation systems as close to the network cabinets as possible. CC ID 08642 | Physical and environmental protection | Physical and Environmental Protection | |
Partition cable bundles in cable reticulation systems by security classification of data being carried over the network cable. CC ID 08645 | Physical and environmental protection | Physical and Environmental Protection | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity plan. CC ID 00752 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Identify all stakeholders in the continuity plan. CC ID 13256 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 | Operational and Systems Continuity | Communicate | |
Maintain normal security levels when an emergency occurs. CC ID 06377 | Operational and Systems Continuity | Systems Continuity | |
Execute fail-safe procedures when an emergency occurs. CC ID 07108 | Operational and Systems Continuity | Systems Continuity | |
Lead or manage business continuity and system continuity, as necessary. CC ID 12240 | Operational and Systems Continuity | Human Resources Management | |
Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 | Operational and Systems Continuity | Human Resources Management | |
Include the in scope system's location in the continuity plan. CC ID 16246 | Operational and Systems Continuity | Systems Continuity | |
Include the system description in the continuity plan. CC ID 16241 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain redundant systems. CC ID 16354 | Operational and Systems Continuity | Configuration | |
Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 | Operational and Systems Continuity | Behavior | |
Include identification procedures in the continuity plan, as necessary. CC ID 14372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the continuity strategy in the continuity plan. CC ID 13189 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 | Operational and Systems Continuity | Technical Security | |
Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 | Operational and Systems Continuity | Process or Activity | |
Record business continuity management system performance for posterity. CC ID 12411 | Operational and Systems Continuity | Monitor and Evaluate Occurrences | |
Coordinate continuity planning with community organizations, as necessary. CC ID 13259 | Operational and Systems Continuity | Process or Activity | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include incident management procedures in the continuity plan. CC ID 13244 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the use of virtual meeting tools in the continuity plan. CC ID 14390 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 | Operational and Systems Continuity | Establish Roles | |
Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 | Operational and Systems Continuity | Communicate | |
Document the uninterrupted power requirements for all in scope systems. CC ID 06707 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725 | Operational and Systems Continuity | Configuration | |
Install a generator sized to support the facility. CC ID 06709 | Operational and Systems Continuity | Configuration | |
Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 | Operational and Systems Continuity | Acquisition/Sale of Assets or Services | |
Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include notifications to alternate facilities in the continuity plan. CC ID 13220 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 | Operational and Systems Continuity | Systems Continuity | |
Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain damage assessment procedures. CC ID 01267 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 | Operational and Systems Continuity | Communicate | |
Include procedures to restore network connectivity in the recovery plan. CC ID 16250 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include addressing backup failures in the recovery plan. CC ID 13298 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 | Operational and Systems Continuity | Human Resources Management | |
Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the criteria for activation in the recovery plan. CC ID 13293 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the recovery plan. CC ID 16248 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 | Operational and Systems Continuity | Communicate | |
Include restoration procedures in the continuity plan. CC ID 01169 | Operational and Systems Continuity | Establish Roles | |
Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the recovery plan in the continuity plan. CC ID 01377 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 | Operational and Systems Continuity | Communicate | |
Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 | Operational and Systems Continuity | Systems Continuity | |
Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Testing | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Testing | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Testing | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 | Operational and Systems Continuity | Testing | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Testing | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 | Operational and Systems Continuity | Actionable Reports or Measurements | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Establish/Maintain Documentation | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Human Resources management | Communicate | |
Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Human Resources Management | |
Train all personnel and third parties, as necessary. CC ID 00785 | Human Resources management | Behavior | |
Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 [In the event the Institution or its Service Provider become aware of any suspected or confirmed unauthorized disclosure or use of the Confidential Information, the Institution or Service Provider must immediately notify Reserve Bank in accordance with Section 1.4 herein of the suspected or confirmed unauthorized disclosure or use, and must take all reasonable efforts necessary to prevent further unauthorized disclosure or use. 5.4 ¶ 4] | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [{technical control} {operational control} {managerial control} At a minimum, such technical, operational, managerial, and procedural controls shall not conflict with any part of the Reserve Bank Security Procedure selected for use by the Institution (see section 2.1(c) through 2.1(g) below), must be consistent with the controls described in section 4.1 below, and shall be consistent with guidance provided by the FFIEC, including its guidance regarding Authentication in an Internet Banking Environment. Appendix A 1.2(b)] | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Establish, implement, and maintain an information security program. CC ID 00812 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 [In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 [The Institution is responsible for choosing a Security Procedure that is appropriate for the Institution taking into account, among other things, the nature and scale of the Institution's business and the nature of its technical environment and information security policies and procedures. Appendix A 2.1(b)] | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 [An Institution that wishes to use the Offline Security Procedure shall provide to the Appropriate Reserve Bank Staff (as defined in Operating Circular 6) the names of employees who are authorized to send or authenticate Offline messages, including payment orders. The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Institution. Appendix A 2.3(c) ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2] | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 [{foreign country} Use of an Electronic Connection from outside of the U.S. and its territories is permissible only in accordance with the Reserve Banks' policies and procedures pertaining to foreign access. Institution acknowledges and understands that it and its Service Provider, if any, will be required to agree to additional terms and conditions governing any regular and on-going foreign access (including contingency arrangements) prior to such use of an Electronic Connection. 4.4 ¶ 2 {physical security measure} An Institution and its Service Providers, if any, agree to use the Access Control Features, and agree to conform to the security procedures, operating instructions, guidelines, and specifications applicable to an Electronic Connection that a Reserve Bank specifies from time to time, including the need for the Institution and its Service Provider, if any, to exercise their own independent judgment about the adequacy of existing security measures and to implement additional security measures as necessary with respect to their own operating environments. Notwithstanding the above, the Institution and its Service Providers, if any, are required and agree to implement appropriate physical and logical security to protect the Access Control Features, Software, computer(s) and any associated equipment that are used to exchange data with a Reserve Bank from unauthorized use. THE RESERVE BANKS MAKE NO WARRANTIES WITH RESPECT TO THE FOREGOING OR OTHERWISE IN CONNECTION WITH THE USE OF AN ELECTRONIC CONNECTION, EXCEPT AS EXPRESSLY SET FORTH IN THIS CIRCULAR. 5.3 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [Software includes trade secrets and proprietary information of the Reserve Banks and others, which may be copyrighted or patented, and must be handled in accordance with the requirements applicable to Confidential Information as set forth in Paragraph 5.4. 4.6 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 [{refrain from removing} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: remove any copyright or trademark notice contained in the Software. 4.4 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 [Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Operational management | Establish/Maintain Documentation | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1 Each Institution must at all times comply with the measures, protections, and requirements established under the Reserve Bank Program described in Section 1.1 of this Appendix A, the Institution Program described in Section 1.2 of this Appendix A, and any applicable Security Procedures (collectively, the "Security Requirements"). Appendix A 3.1 ¶ 1 In addition, as part of each of the Online Security Procedures, the Reserve Banks (i) provide implementation guides and technical documents that prescribe policies, procedures, and controls that the Institution must follow and (ii) issue and manage access credentials in accordance with Operating Circular 5, including the applicable Certification Practice Statement. Each Institution is responsible for implementing the policies, procedures, and controls set forth in the applicable documentation provided to it by the Reserve Banks, as well as any subsequent modification to the policies, procedures and controls that are designed to strengthen the Security Procedures. If the Institution changes a default setting without prior written authorization from its Administrative Reserve Bank (as defined in Operating Circular 1) or fails to implement any other requirement in the documentation provided by the Reserve Banks, then the Institution is regarded as having unilaterally altered the Security Procedure and solely bears any resulting loss. Appendix A 2.1(e)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Each Institution shall also prevent any disclosure, except on a "need to know" basis, of any aspects of the Security Procedure agreed to by it with the Reserve Bank holding its Master Account (as defined in Operating Circular 1). The Institution shall notify the Reserve Banks immediately in accordance with Section 1.4 of Operating Circular 5, if the confidentiality of the Security Procedures is compromised, and shall act to prevent the Security Procedure from being further compromised. Appendix A 2.1(g) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)] | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain the systems' confidentiality level. CC ID 01904 | Operational management | Establish/Maintain Documentation | |
Define confidentiality controls. CC ID 01908 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 | Operational management | Establish/Maintain Documentation | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 | Operational management | Process or Activity | |
Define integrity controls. CC ID 01909 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the systems' integrity level. CC ID 01906 | Operational management | Establish/Maintain Documentation | |
Define availability controls. CC ID 01911 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a software accountability policy. CC ID 00868 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain software license management procedures. CC ID 06639 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
Automate software license monitoring, as necessary. CC ID 07057 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 | Operational management | Establish/Maintain Documentation | |
Perform periodic maintenance according to organizational standards. CC ID 01435 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1] | Operational management | Behavior | |
Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Technical Security | |
Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Technical Security | |
Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Include detection procedures in the Incident Management program. CC ID 00588 | Operational management | Establish/Maintain Documentation | |
Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Include data loss event notifications in the Incident Response program. CC ID 00364 | Operational management | Establish/Maintain Documentation | |
Include legal requirements for data loss event notifications in the Incident Response program. CC ID 11954 [Upon the request of the Reserve Banks which shall not exceed more than once during any consecutive 12-month period, each Institution and, if applicable, any Service Provider, shall attest to having completed a Self-Assessment by submitting an attestation in a form and manner acceptable to the Reserve Banks ("Attestation"). The Attestation sought by the Reserve Banks will generally include the following: An acknowledgement that the Institution must immediately notify the Federal Reserve Banks of any suspected or confirmed fraud, infringement, or security breach relating to any Electronic Connection. Appendix A 3.2 ¶ 1(vi)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Include incident response team structures in the Incident Response program. CC ID 01237 | Operational management | Establish/Maintain Documentation | |
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 | Operational management | Establish Roles | |
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 | Operational management | Establish Roles | |
Establish, implement, and maintain a change control program. CC ID 00886 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
Establish, implement, and maintain a Configuration Management program. CC ID 00867 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Establish/Maintain Documentation | |
Include contact information in the system tracking documentation. CC ID 15280 [The names and e-mail addresses of the employees of the Settlement Agent who are authorized to issue a Settlement Instruction must be provided by the Settlement Agent to the Processing Reserve Bank (as defined in Operating Circular 12). The list of authorized employees must be in writing and must be signed by an individual vested with authority to conduct business on behalf of the Settlement Agent. Appendix A 2.3(c) ¶ 6] | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
Establish, implement, and maintain network parameter modification procedures. CC ID 01517 | System hardening through configuration management | Establish/Maintain Documentation | |
Review and restrict network addresses and network protocols. CC ID 01518 | System hardening through configuration management | Configuration | |
Define the location requirements for network elements and network devices. CC ID 16379 [{refrain from situating} {unapproved location} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: situate any VPN device used in conjunction with an Electronic Connection in any location other than the Institution's or its Service Provider's premises within the United States or its territories; 4.4 ¶ 1(a)] | System hardening through configuration management | Process or Activity | |
Configure security and protection software according to Organizational Standards. CC ID 11917 [The Institution and its Service Provider, if any, agree to take all commercially reasonable precautions and protections to prevent the introduction of Malware that might disrupt the operations of a Reserve Bank's, or other Institutions' or Service Providers', computers or software, including the installation, operation and proper configuration of commercially reasonable anti-Malware software. Certain Software that a Reserve Bank supplies may not be compatible with all types of commercial anti-Malware software. Accordingly, an Institution or its Service Provider may need to use an alternative type of commercial anti-Malware software on certain computers that contain Access Control Feature(s) or that are otherwise engaged in Electronic Connection(s) with a Reserve Bank. The Institution and its Service Provider, if any, shall institute and/or reinforce procedural controls, such as the timely patching of software (including, but not limited to, operating systems, applications, and firmware), and regular scanning/assessment of the enterprise environment for vulnerabilities and other exposures. 4.8 ¶ 1] | System hardening through configuration management | Configuration | |
Configure security and protection software to automatically run at startup. CC ID 12443 | System hardening through configuration management | Configuration | |
Configure security and protection software to enable automatic updates. CC ID 11945 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | System hardening through configuration management | Configuration | |
Configure security and protection software to check e-mail messages. CC ID 00578 | System hardening through configuration management | Testing | |
Configure security and protection software to check e-mail attachments. CC ID 11860 | System hardening through configuration management | Configuration | |
Configure Windows Defender Remote Credential Guard to organizational standards. CC ID 16515 | System hardening through configuration management | Configuration | |
Configure Windows Defender Credential Guard to organizational standards. CC ID 16514 | System hardening through configuration management | Configuration | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Define each system's disposition requirements for records and logs. CC ID 11651 | Records management | Process or Activity | |
Establish, implement, and maintain records disposition procedures. CC ID 00971 | Records management | Establish/Maintain Documentation | |
Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Records management | Records Management | |
Place printed records awaiting destruction into secure containers. CC ID 12464 | Records management | Physical and Environmental Protection | |
Destroy printed records so they cannot be reconstructed. CC ID 11779 | Records management | Physical and Environmental Protection | |
Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 | Records management | Data and Information Management | |
Maintain disposal records or redeployment records. CC ID 01644 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Records management | Establish/Maintain Documentation | |
Include the name of the signing officer in the disposal record. CC ID 15710 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain security label procedures. CC ID 06747 [{refrain from copying} {refrain from sublicensing} {refrain from transferring} {copyright notice} {trademark notice} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: copy, sublicense or transfer the Software for any reason except that Software may be copied for back-up, testing or archival purposes, and all such copies shall include the Reserve Bank's and any third party's copyright, trademark and proprietary notices externally in the distribution medium and internally in machine-readable form; or, 4.4 ¶ 1(c)] | Records management | Establish/Maintain Documentation | |
Label restricted storage media appropriately. CC ID 00966 | Records management | Data and Information Management | |
Establish, implement, and maintain restricted material identification procedures. CC ID 01889 | Records management | Establish/Maintain Documentation | |
Conspicuously locate the restricted record's overall classification. CC ID 01890 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 | Records management | Establish/Maintain Documentation | |
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 | Records management | Establish/Maintain Documentation | |
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 | Records management | Data and Information Management | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain system design requirements. CC ID 06618 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Implement dual authorization in systems with critical business functions, as necessary. CC ID 14922 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a system requirements specification. CC ID 01035 [An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include system interoperability in the system requirements specification. CC ID 16256 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include equipment interoperability in the system requirements specification. CC ID 16257 | Systems design, build, and implementation | Acquisition/Sale of Assets or Services | |
Assign senior management to approve functional requirements in the system requirements specification. CC ID 13067 | Systems design, build, and implementation | Human Resources Management | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish and maintain access rights to source code based upon least privilege. CC ID 06962 [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)] | Systems design, build, and implementation | Technical Security | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain payment systems. CC ID 13539 [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1] | Acquisition or sale of facilities, technology, and services | Business Processes | |
Document the business need justification for payment page scripts. CC ID 15480 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 | Acquisition or sale of facilities, technology, and services | Technical Security | |
Restrict transaction activities, as necessary. CC ID 16334 [{physical security} In addition, each Institution issuing or receiving instructions over an Electronic Connection must, as part of any Online Security Procedure, implement its own physical and logical security, as well as management controls, that appropriately protects the hardware, software, and access controls used in the transaction process from unauthorized access and use. An Institution that is sending instructions to a Reserve Bank must have controls in place to (i) ensure that initiation of instructions occurs only from locations authorized by the Institution and (ii) require action by more than one of its employees or authorized personnel of a Service Provider, using separate devices, to initiate any Fedwire® or National Settlement Service instruction. Appendix A 2.1(f)] | Acquisition or sale of facilities, technology, and services | Business Processes | |
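Added example, not part of Operating Circular 5 and not Reserve Bank or UCF code: the control quoted at Appendix A 2.1(f) for the two rows above (dual authorization in critical business functions, CC ID 14922, and restricting transaction activities, CC ID 16334) is a concrete release gate, and the authorized-personnel list at Appendix A 2.3(c) ¶ 6 (CC ID 15280) feeds it. The Python below models that gate: an instruction is released only if every action on it came from a person on the authorized list and from an Institution-authorized location, and some initiator/approver pair differ in both the person and the device. The user names, device identifiers, site names and record layout are constructed for illustration; a real deployment would take the device identifier from a device certificate or the access-control token, not from a free-text field.

```python
"""Dual-control release gate for outgoing payment instructions (added example).

Models Appendix A 2.1(f) of Operating Circular 5: initiation only from
authorized locations, and action by more than one person using separate
devices before a Fedwire or National Settlement Service instruction is sent.
All identifiers and sample data here are constructed, not taken from the Circular.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Action:
    user: str       # employee or Service Provider staff identifier (constructed)
    device_id: str  # workstation identifier, e.g. from a device certificate (constructed)
    site: str       # location the action originated from (constructed)
    role: str       # "initiate" or "approve"


@dataclass
class Instruction:
    ref: str
    amount_cents: int
    actions: list[Action] = field(default_factory=list)


class DualControlPolicy:
    """Decides whether an instruction may be released to the Reserve Bank."""

    def __init__(self, authorized_users, authorized_sites):
        # Appendix A 2.3(c) ¶ 6: the signed list of personnel authorized to issue instructions.
        self.authorized_users = frozenset(authorized_users)
        # Appendix A 2.1(f)(i): locations from which initiation is permitted.
        self.authorized_sites = frozenset(authorized_sites)

    def evaluate(self, instr: Instruction) -> tuple[bool, list[str]]:
        reasons: list[str] = []
        for a in instr.actions:
            if a.user not in self.authorized_users:
                reasons.append(f"{a.user} is not on the authorized personnel list")
            if a.site not in self.authorized_sites:
                reasons.append(f"{a.role} by {a.user} from unauthorized location {a.site}")
            if a.role not in ("initiate", "approve"):
                reasons.append(f"unknown action role {a.role!r}")

        initiators = [a for a in instr.actions if a.role == "initiate"]
        approvers = [a for a in instr.actions if a.role == "approve"]
        if not initiators:
            reasons.append("no initiation recorded")
        if not approvers:
            reasons.append("no approval recorded")

        # Appendix A 2.1(f)(ii): some initiator/approver pair must differ in BOTH
        # the person and the device. Counting distinct users and distinct devices
        # separately is not enough: alice@WS-01 initiating, alice@WS-02 and
        # bob@WS-01 approving gives two users and two devices but no independent pair.
        independent = any(
            i.user != p.user and i.device_id != p.device_id
            for i in initiators
            for p in approvers
        )
        if initiators and approvers and not independent:
            reasons.append(
                "initiation and approval must come from two different persons using separate devices"
            )
        return (not reasons, reasons)


def release_decision(instr: Instruction, policy: DualControlPolicy) -> str:
    """Human-readable outcome for the operations log."""
    ok, reasons = policy.evaluate(instr)
    return "RELEASE" if ok else "HOLD: " + "; ".join(reasons)


if __name__ == "__main__":
    # Constructed sample: two authorized users, one authorized operations site.
    policy = DualControlPolicy({"alice", "bob"}, {"NY-ops"})
    good = Instruction("FW-0001", 250_000_00, [
        Action("alice", "WS-01", "NY-ops", "initiate"),
        Action("bob", "WS-02", "NY-ops", "approve"),
    ])
    print(good.ref, release_decision(good, policy))
```

The pairwise test is the point of the example: a gate that only counts distinct users and distinct devices can be satisfied by one person approving their own instruction from a second workstation while a colleague approves from the first, which is exactly the shared-workstation pattern the "separate devices" wording in 2.1(f) is meant to exclude.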
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 [Notwithstanding any other provision of this Appendix, when a sender or a receiving bank (or a Service Provider) chooses to use one of the Security Procedures, it rejects other Security Procedures, and if any one of the rejected Security Procedures is commercially reasonable for such sender or receiving bank, the sender or receiving bank agrees to be bound by any payment order, whether or not authorized, if it was issued in the sender's or the receiving bank's name and accepted by a Reserve Bank in compliance with the Security Procedure selected, subject to Section 4A-203 of Article 4A of the Uniform Commercial Code. Appendix A 2.3(b)] | Acquisition or sale of facilities, technology, and services | Behavior | |
Acquire products or services. CC ID 11450 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Discourage the modification of vendor-supplied software. CC ID 12016 [{refrain from modifying} {refrain from deriving} In addition to restrictions contained in Paragraph 4.1, an Institution or its Service Provider may not, except with a Reserve Bank's prior written consent: modify, add to, translate, reverse assemble, reverse compile, decompile or otherwise attempt to derive the source code from any Software; 4.4 ¶ 1(b)] | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data transparency program. CC ID 00375 | Privacy protection for information and data | Data and Information Management | |
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399 | Privacy protection for information and data | Data and Information Management | |
Establish and maintain a disclosure accounting record. CC ID 13022 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure date in the disclosure accounting record. CC ID 07133 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure recipient in the disclosure accounting record. CC ID 07134 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the disclosure purpose in the disclosure accounting record. CC ID 07135 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 | Privacy protection for information and data | Establish/Maintain Documentation | |
Dispose of media and restricted data in a timely manner. CC ID 00125 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2] | Privacy protection for information and data | Data and Information Management | |
Refrain from destroying records being inspected or reviewed. CC ID 13015 | Privacy protection for information and data | Records Management | |
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Records Management | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain data handling procedures. CC ID 11756 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
Define the organization's liability based on the applicable law. CC ID 00504 [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2 An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c) Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4 An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 [{be liable} A Reserve Bank's fees relating to Electronic Connections (including, for example, installation support and training) are published separately and are subject to change on thirty (30) calendar days' prior notice. A Reserve Bank charges these fees to the Institution's (or its correspondent's) account on a Reserve Bank's books. By designating a Service Provider, an Institution agrees that the Service Provider may be billed directly by the Reserve Bank for any fees related to the Service Provider's Electronic Connection. Notwithstanding any such direct billing, the Institution shall remain liable for any unpaid fees. 6.1 ¶ 1 An Institution and its Service Provider, if any, are liable for the payment of any taxes, however designated, levied on its possession or use of equipment, services and/or applications or Software a Reserve Bank has supplied, including, without limitation, state and local sales, use, value-added and property taxes. 6.3 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The Institution and its Service Provider, if any, agree to take all reasonable measures to protect and ensure the secrecy of and affirmatively avoid unauthorized disclosure and use of Confidential Information. Without limiting the foregoing, the Institution and its Service Provider, if any, shall protect the Confidential Information with at least the same degree of care that the Institution uses to protect its own highly confidential information and comply with all handling instructions that are provided with the Confidential Information. The Institution and its Service Provider, if any, are responsible for destroying or returning any Confidential Information to Reserve Bank upon the request of Reserve Bank or when the Confidential Information is no longer needed. 5.4 ¶ 2 Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Business Processes | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{be responsible} An Institution and its Service Provider, if any, are solely responsible for the proper operation of their electronic information systems. A Reserve Bank in its discretion may suspend or disconnect an Electronic Connection in the event that such access to the Reserve Bank's systems generates error conditions, causes denials or disruptions of the Reserve Bank's systems, or appears to have been compromised with respect to information security or integrity. In the event of any such suspension or disconnection, the Reserve Bank and the Institution and its Service Provider, if any, will cooperate to investigate, identify, and correct the problem or problems affecting access to the Reserve Bank's systems. 7.1 ¶ 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) An Institution and its Service Provider, if any: must use all Access Control Features specified by a Reserve Bank, but may use any Access Control Features supplied by a Reserve Bank or by a vendor specified by a Reserve Bank only for authorized access to a Reserve Bank's services and/or applications; 5.1 ¶ 1(a) Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 [An Institution is responsible for ensuring that its and its Service Provider's, if any, computer(s) and associated equipment and software comply with Reserve Bank requirements (which a Reserve Bank may change from time to time) and for maintaining its own equipment. The Reserve Banks reserve the right to approve or disapprove the use of an Institution's or its Service Provider's equipment and software, and/or to make recommendations regarding the equipment and software that the Institution uses. The Reserve Bank's knowledge of any noncompliance with its requirements for computer(s) and associated equipment and software used to establish an Electronic Connection does not constitute the Reserve Bank's approval of such noncompliance. Any such noncompliance shall be solely at the risk of the Institution and its Service Provider, where applicable. THE RESERVE BANKS DO NOT HAVE ANY OBLIGATION FOR, AND DO NOT MAKE ANY WARRANTY OR REPRESENTATION OF ANY KIND WITH RESPECT TO, ANY COMMUNICATION FACILITY, NETWORK, BROWSER, OPERATING SYSTEM, SERVER, OR ANY OTHER EQUIPMENT OR SOFTWARE NOT SUPPLIED, OWNED OR OPERATED BY A RESERVE BANK. 2.0 ¶ 1 An Institution and its Service Provider, if any, are responsible for reviewing the current Reserve Bank hardware, software and connection requirements ("System Requirements") on a regular basis and updating their operating systems accordingly. A Reserve Bank shall make best efforts to provide notice (which may be in electronic form) of changes to the System Requirements. An Institution or its Service Provider must also update in a timely manner all applicable workstation operating systems, anti-Malware software and any other software used in connection with or comprising the Institution's or its Service Provider's Electronic Connections. The Reserve Banks shall not be responsible or liable in any manner for any loss or damage to an Institution or its Service Provider that could have been prevented had an update been installed when such update was made available by the applicable vendor. The Reserve Banks shall also not be responsible or liable in any manner for any loss or damage caused directly or indirectly by the installation of any such update whether or not the update was directly provided by a Reserve Bank. 5.5(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 [{logical access control} {physical access control} An Institution and its Service Provider, if any: acknowledge that their Electronic Connection(s) and the Access Control Features can be used to originate funds transfer messages, other value transfer messages and non-value messages and should be appropriately restricted to ensure access is logically and physically limited to authorized staff; 5.1 ¶ 1(b) {unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to access Reserve Bank services and applications (as described in section 1.2 of Operating Circular 5) or to send or receive data over an Electronic Connection; or Appendix A 1.2(a)(i)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [{business continuity plan} An Institution and its Service Provider agree to establish and regularly test business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. 5.6 ¶ 2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 [{refrain from encumbering}{refrain from removing}{refrain from transferring} Reserve Bank supplied or designated equipment may not be altered, encumbered, relocated, removed or transferred to a third party, except with the Reserve Bank's prior written approval. The Institution and its Service Provider, if any, are liable for any loss of and damage to Reserve Bank supplied or designated equipment, ordinary wear and tear excepted. 4.1 ¶ 2 An Institution and its Service Provider, if any: except as otherwise provided in this Circular, assume sole responsibility and the entire risk of use and operation of their Electronic Connection(s) and the Access Control Features; 5.1 ¶ 1(c) Except for a liability, claim or loss arising exclusively from the Reserve Bank's failure to exercise ordinary care or act in good faith in providing an Electronic Connection, and except to the extent prohibited by law or regulation, the Institution shall indemnify, defend, and hold harmless the Reserve Bank with respect to any liability, claim or loss, whether alleged by the Institution, any customer of the Institution, its Service Provider or any third party, arising in connection with the use by the Institution (or its Service Provider or other agents) of the Electronic Connection. This indemnification shall survive the termination of access provided under this Agreement. 5.2 ¶ 4 The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include early termination contingency plans in the third party contracts. CC ID 06526 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include disclosure requirements in third party contracts. CC ID 08825 [The Institution and its Service Provider, if any, shall disclose the Confidential Information to their employees or third parties only on a "need to know" basis. The Institution and its Service Provider, if any, shall maintain a written record of all third parties to whom Confidential Information is disclosed (indicating the recipient, date and description of content of the disclosure), and shall provide such record to the Reserve Bank upon request. The Institution and its Service Provider must take all necessary steps to enforce the obligations of Paragraph 5.4 with their employees. Before disclosure to any third party, the Institution and its Service Provider, if any, must have a written agreement with such party sufficient to require that party to treat the Confidential Information in accordance with Paragraph 5.4. The Institution and its Service Provider, if any, are liable for any unauthorized disclosure of Confidential Information by any of their employees or third parties to whom they have disclosed Confidential Information. 5.4 ¶ 3] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2 In addition, before sending a National Settlement Service settlement file to a Reserve Bank, a Settlement Agent must execute a security procedure agreement with the Host Reserve Bank (as defined in Operating Circular 12) in the form attached as Appendix B-1 to Operating Circular 12. Appendix A 2.3(a) ¶ 3] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [Before issuing a payment order to or receiving a payment order from a Reserve Bank, a sender or receiving bank, or its Service Provider, must execute a security procedure agreement with the Reserve Bank holding its Master Account in the form prescribed by the Reserve Bank. See, for example, Appendix A-1 to Operating Circular 6 if the payment order is a Fedwire® funds transfer; Appendix A-1 to Operating Circular 4 if the payment order is an ACH credit item; and Appendix A to Operating Circular 8 if the payment order is a FedNowSM Service transfer. Appendix A 2.3(a) ¶ 2] | Third Party and supply chain oversight | Process or Activity | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Establish Roles | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: used to process, store, retransmit, or modify information received from those IT systems that use an Electronic Connection to exchange data or access Reserve Bank services and applications, including hardware, software, and access controls the Institution uses with its customers. Appendix A 1.2(a)(ii) {technical control} {operational control} {managerial control} Each Institution agrees for itself and any Service Provider to implement technical, operational, managerial, and procedural controls designed to protect the security of the information technology ("IT") environment, including systems (physical or virtual), and processes of or for the Institution and that are: Appendix A 1.2(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Business Processes | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [Upon termination, an Institution and its Service Provider, if any, promptly must: (a) disable (by removing the battery or otherwise) any encryption card, or other card that supports encryption and communication, but only after the workstation has been disconnected from production network connections; (b) return all Reserve Bank supplied or designated equipment (or properly dispose of it, if a Reserve Bank authorizes it to do so); (c) destroy or return, as required herein any Software and Confidential information provided to the Institution and its Service Provider, if any; (d) delete as required herein any installed copies of such Software or saved copies of Confidential information; and (e) upon request of a Reserve Bank, provide written certification that all relevant Software and Confidential information has been destroyed and deleted. Notwithstanding the foregoing, the Reserve Bank retains the right to require that an Institution and its Service Provider, if any, promptly return all relevant Software, hardware and Confidential information upon termination. The Institution's and its Service Provider's obligations pertaining to confidentiality, nondisclosure and cooperation with a Reserve Bank's defense of any Software infringement claim survive any termination of the Institution's and its Service Provider's agreement to this Circular. 7.2 ¶ 1] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [{unauthorized physical access} {unauthorized network access} An Institution and its Service Provider, if any: are responsible for (i) establishing, instituting and enforcing policies and procedures for controlling, detecting and preventing unauthorized physical and network access to all applicable Access Control Features; (ii) immediately contacting the Reserve Bank in accordance with Section 1.4 herein if they have a reasonable basis to know or suspect that any applicable Access Control Feature is missing, has been compromised or shows evidence of tampering, and (iii) documenting within such policies and procedures the requirement to immediately contact the Reserve Banks by telephone at (888) 333-7010, with written confirmation via email to ccc.technical.support@kc.frb.org. 5.1 ¶ 1(e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a third party payment system. CC ID 08903 [{electronic transmission} Problems with hardware, software, or data transmission may on occasion delay or prevent a Reserve Bank from sending or receiving payments or other data electronically. Accordingly, an Institution and its Service Provider, if any, should be prepared to send or receive payments or other data by other means. 5.6 ¶ 1] | Third Party and supply chain oversight | Business Processes | |
Disclose payments made to third parties. CC ID 08904 | Third Party and supply chain oversight | Data and Information Management | |
Document payments to third parties. CC ID 08905 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Make third party payments freely and proportionate to the furnished services. CC ID 08906 | Third Party and supply chain oversight | Business Processes | |
Establish a trust to pay for supply chain security forces. CC ID 08907 | Third Party and supply chain oversight | Business Processes | |
Notify third parties of revenue collection weaknesses. CC ID 08909 | Third Party and supply chain oversight | Business Processes | |
Avoid cash purchases of supplies from third parties. CC ID 08910 | Third Party and supply chain oversight | Business Processes | |
Pay third parties through official banking channels. CC ID 08911 | Third Party and supply chain oversight | Business Processes | |
Disclose payments made to supply chain security forces. CC ID 10031 | Third Party and supply chain oversight | Data and Information Management | |
Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931 [{unauthorized physical access} {unauthorized network access} {preventative control} An Institution and its Service Provider, if any: are responsible for unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features and for implementing additional preventative and detective controls necessary to mitigate the risk of unauthorized physical and network access to their Electronic Connection(s) and applicable Access Control Features; and 5.1 ¶ 1(d)] | Third Party and supply chain oversight | Business Processes | |
Assign unique reference numbers to all products and their subcomponents. CC ID 08932 | Third Party and supply chain oversight | Business Processes |