Technical security

IT Impact Zone
IT Impact Zone


This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an access classification scheme., CC ID: 00509
  • Establish, implement, and maintain a digital identity management program., CC ID: 13713
  • Establish, implement, and maintain an access control program., CC ID: 11702
  • Establish, implement, and maintain a system and information integrity policy., CC ID: 14034
  • Identify and control all network access controls., CC ID: 00529
  • Enforce information flow control., CC ID: 11781
  • Establish, implement, and maintain a data loss prevention program., CC ID: 13050
  • Secure access to each system component operating system., CC ID: 00551
  • Control all methods of remote access and teleworking., CC ID: 00559
  • Establish, implement, and maintain an Automated Teller Machine security program., CC ID: 13060
  • Manage the use of encryption controls and cryptographic controls., CC ID: 00570
  • Establish, implement, and maintain a malicious code protection program., CC ID: 00574
  • Establish, implement, and maintain an organizational website program., CC ID: 14815
  • Establish, implement, and maintain an application security policy., CC ID: 06438
  • Establish, implement, and maintain a virtual environment and shared resources security program., CC ID: 06551


  • Management should ensure the general controls and application controls that are relevant to IT are developed. (Practice Standard § I.5(1), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Publicly available electronic communications service providers must take appropriate organizational and technical measures to safeguard the security of its services, including its network. The measures must ensure the level of security is appropriate to the risks, taking into account the state of th… (Art 4.1, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector)
  • The use of personal data and identification data must be minimized by configuring the information systems and software in a way to rule out processing, if the purpose can be achieved by either anonymous data or suitable arrangements to allow identifying data subjects only when necessary. The process… (§ 3, § 34, Italy Personal Data Protection Code)
  • Information security must be maintained by telecommunications operators and value added service providers for all of their services and by corporate subscribers for handling their users' identification data and geographic information. Information security is maintained if measures are taken for ensu… (§ 19(1), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • The organization must implement controls that only allow authorized personnel access to protectively marked data and that protects the data when it is not in use. The organization may require additional technical controls for networks that extend outside the secure area. (App 3 ¶ 12, The Contractual process, Version 5.0 October 2010)
  • (§, § 4.1, OGC ITIL: Security Management)
  • The organization should implement robust procedures and policies to control residual risks. (¶ 115, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • The organization should adhere to the requirements of the Payment Card Industry (PCI) Data Security Standards. (Pg 59, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The technical infrastructure layer includes operating systems, databases, and networks. Audits of technical infrastructures focus on technical configuration settings rather than processes. (§ 3.2, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Security personnel should not attempt a quick fix to a problem. They should ask questions to determine the actual problem(s) and then create a comprehensive assets protection program. Human factors should always be considered when the organization is developing security strategies. Internal controls… (Pg 11-III-19, Revised Volume 1 Pg 2-I-14, Protection of Assets Manual, ASIS International)
  • An information security management program (ismp) has been developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security progra… (IS-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Service providers should ensure that, in their recovery site, the selection, development, and use of security controls are adequate for the assessed risks and services that are provided to the organization. (§ 7.5.1 ¶ 2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The auditor should only consider safeguarding controls that affect the reliability of financial reporting. When considering which controls need to be assessed, the auditor's primary concern is how the specific control activity prevents or detects and corrects material misstatements. Those controls t… (§ 314.52, § 314.91, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • Products that are covered by this part shall comply with all applicable requirements. An agency shall ensure products comply with the requirements when developing, procuring, maintaining, or using electronic and information technology, unless it would impose an undue burden. (§ 1194.2(a), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • All classified and unclassified-sensitive information, hardware, software, firmware, and documentation should be protected against unauthorized modification, unauthorized use, unauthorized access, unauthorized disclosure, unauthorized destruction, and denial of service. (§ 1-5.b, § 2-14.c(4), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must provide industry standard levels of security and integrity to protect data being maintained by computers. (Principle III.B.2, BBBOnline Code of Online Business Practices)
  • Standards that are more stringent than those promulgated by the Secretary of Commerce may be used by a Federal agency for cost-effective security and to protect the privacy of sensitive information in Federal information systems, if the standards contain, at a minimum, the compulsory and binding sta… (§ 5131(b), § 5131(c), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The Director of the Office of Management and Budget must oversee agency information security policies and practices, including requiring agencies to identify and provide information security protections that are commensurate with the magnitude and risk of harm resulting from unauthorized access to o… (§ 3543(a)(2)(B), § 3543(b), § 3543(c), § 3544(a)(1)(A)(ii), § 3547(1), Federal Information Security Management Act of 2002)
  • Measures appropriate for the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to protect sensitive personally identifiable information while it is being used, transmitted, stored, and disposed by encryption, redaction, or access contro… (§ 302(a)(4)(B)(iii), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Unauthorized onsite and/or remote access to critical processes must be prevented to deter cyber sabotage. (§ 27.230(a)(8), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • The organization should implement security procedures and controls to ensure the integrity of data, the confidentiality of transmissions, and the authenticity of communications. (Pg 34, Exam Tier I Obj 1.2, Exam Tier II Obj 3.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The hardware and software should be configured to control access to the system. (Pg 20, Exam Tier I Obj 1.2, Exam Tier I Obj 2.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization must develop, document, distribute, and continuously update a system and communications protection policy that includes roles, responsibilities, compliance requirements, and the procedures for the implementation of the system and communications protection security controls. The orga… (§ 5.6.15, Exhibit 4 SC-1, Exhibit 4 SI-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • The organization should use a systematic approach for determining the appropriate LAN security measures to implement. (§ 3 ¶ 1, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • Calls for System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • (§ 3.2.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the system and communications protection policy and procedures and the system and information integrity policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined fo… (SC-1, SI-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • (§ 2.5 thru § 2.5.3, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1)
  • Handheld devices should have additional prevention and detection software installed to defend against malware and other forms of attacks. These products usually include capabilities for one or more of the following: encryption, firewall, antivirus, spam prevention, intrusion detection, authenticatio… (§ 4.1.9, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Licensees who are subject to this section's requirements must provide high assurance that all digital computer and communications systems and networks have been adequately protected against cyber attacks, up to and including the design basis threat described in section 73.1. (§ 73.54(a), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • Airline computer reservation systems must use the best technology available to ensure that unauthorized users cannot gain access to reservations, manifests, or other nonpublic information. (§ 117, Aviation and Transportation Security Act, Public Law 107 Released-71, November 2001, November 2001)
  • Airport operators and air carriers must work with the Under Secretary to strengthen and implement controls to eliminate the weaknesses to the access control system. (§ 44903(g)(2)(A), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • § A.3.a.2.f: The organization shall ensure that the general support system security products and techniques are appropriately used and cost-effective. § A.3.b.2.e: The application security controls shall be specified, designed into, tested, and accepted in accordance with National Institute of Sta… (§ A.3.a.2.f, § A.3.b.2.e, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)