
Establish, implement, and maintain an information security program.


CONTROL ID
00812
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

This Control has the following implementation support Control(s):
  • Include physical safeguards in the information security program., CC ID: 12375
  • Include technical safeguards in the information security program., CC ID: 12374
  • Include administrative safeguards in the information security program., CC ID: 12373
  • Include system development in the information security program., CC ID: 12389
  • Include system maintenance in the information security program., CC ID: 12388
  • Include system acquisition in the information security program., CC ID: 12387
  • Include access control in the information security program., CC ID: 12386
  • Include operations management in the information security program., CC ID: 12385
  • Include communication management in the information security program., CC ID: 12384
  • Include environmental security in the information security program., CC ID: 12383
  • Include physical security in the information security program., CC ID: 12382
  • Include human resources security in the information security program., CC ID: 12381
  • Include asset management in the information security program., CC ID: 12380
  • Include a continuous monitoring program in the information security program., CC ID: 14323
  • Include how the information security department is organized in the information security program., CC ID: 12379
  • Include risk management in the information security program., CC ID: 12378
  • Provide management direction and support for the information security program., CC ID: 11999
  • Monitor and review the effectiveness of the information security program., CC ID: 12744
  • Establish, implement, and maintain an information security policy., CC ID: 11740
  • Define thresholds for approving information security activities in the information security program., CC ID: 15702
  • Assign ownership of the information security program to the appropriate role., CC ID: 00814
  • Disseminate and communicate the information security policy to interested personnel and affected parties., CC ID: 11739
  • Establish, implement, and maintain a social media governance program., CC ID: 06536
  • Establish, implement, and maintain operational control procedures., CC ID: 00831
  • Establish, implement, and maintain the Acceptable Use Policy., CC ID: 01350
  • Establish, implement, and maintain an Intellectual Property Right program., CC ID: 00821
  • Establish, implement, and maintain an e-mail policy., CC ID: 06439
  • Protect policies, standards, and procedures from unauthorized modification or disclosure., CC ID: 10603


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization should establish procedures for developing executive and director remuneration policies. (¶ 2.5.10, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • The hardware and software systems and procedures of an Authentication Service provider shall provide a reasonable level of reliability, availability, and correct operation. (§ 30(3)(b), The Electronic Communications and Transactions Act, 2002)
  • AIs should develop formal policies and procedures on data security to safeguard customer data, covering areas on, among others, system controls, physical security controls, mobile computing, and outside service providers. The policies and procedures should be in line with the relevant supervisory gu… (Annex B. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • The licensed corporation should maintain an effective governance process for (a) the acquisition, deployment and use of software applications or services which read, write or modify Relevant Information, and (b) ensuring the security, authenticity, reliability, integrity, confidentiality and timely … (13., Circular to Licensed Corporations - Use of external electronic data storage)
  • Licensed corporations are reminded of their obligations under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission (a) to have effective policies and procedures for the proper management of risks to which the fir… (11., Circular to Licensed Corporations - Use of external electronic data storage)
  • The organization must develop guidelines based on the "Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector." (Art 1, Japan Handbook Concerning Protection Of Personal Data, February 1998)
  • The procedures that are developed, maintained, and used to implement this agreement's requirements shall be fair and equitable, protect the rights of all participants, shall not be unnecessarily costly or complicated, and shall not have unreasonable time limits or unwarranted delays. (Art 6 ¶ 2, Anti-Counterfeiting Trade Agreement)
  • App 2-1 Item Number I.1.1(1): The organization must establish a policy on IT governance. This is a control item that constitutes a greater risk to financial information. This is a company-level IT control. App 2-1 Item Number I.1.1(4): The organization must define the information system model for th… (App 2-1 Item Number I.1.1(1), App 2-1 Item Number I.1.1(4), App 2-1 Item Number I.4(1), App 2-1 Item Number VI.1.1(2) thru App 2-1 Item Number VI.1.1(5), App 2-1 Item Number VI.1.2(2), App 2-1 Item Number VI.5.1(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The Government must establish a basic policy for protecting personal information. The policy must ensure there are comprehensive and integrated measures to protect personal information. This policy must cover the following: the basic direction for promoting the measures to protect personal informati… (Art 7, Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003))
  • Standard § I.2(6): Policies and procedures should be developed to achieve organizational objectives and for responding to IT inside and outside of the organization during business activities. If the organization relies on IT heavily, response to IT serves as an assessment criteria for internal cont… (Standard § I.2(6), Standard § I.2(6).1, Standard § I.2(6).2, Practice Standard § I.2(3).B, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O4: The organization shall develop system management procedures to operate the system smoothly and safely and to prevent illegal conduct. O4.1: The organization shall develop operation, management, and usage approval procedures for the system. O5: The organization shall develop data management proce… (O4, O4.1, O5, O5.1, O6, O6.1, O23, O50, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O1: The organization shall prepare documentation concretely specifying security management methods and defining responsibilities to execute appropriate security management. O10.2: The organization shall establish regulations requiring managing important confidential data, such as private keys and cu… (O1, O10.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O10: The organization shall establish regulations defining the responsibilities and authority of each unit in charge of operation, disaster prevention, and crime prevention to operate and manage its computer system. O10.1: Regarding the unit in charge of operation, disaster prevention, and crime pre… (O10, O10.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is necessary to establish regulations that define the following in order to implement system security measures. (C1.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to establish a security management system and designate security managers, as appropriate for the size and structure of the organization, under the overall control of the person who is responsible for security for the company as a whole. (C4.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A personal information processor entrusting the processing of certain personal information to a party shall reach an agreement with the entrusted party on the purposes, period and means of processing, the categories of personal information to be processed and the protection measures, as well as the … (Article 21 ¶ 1, Personal Information Protection Law of the People's Republic of China)
  • Information and the knowledge based on it have increasingly become recognized as 'information assets', which are vital enablers of business operations. Hence, they require organizations to provide adequate levels of protection. For banks, as purveyors of money in physical form or in bits and bytes, … (Introduction ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • To achieve effective information security governance, bank management must establish and maintain a framework to guide the development and maintenance of a comprehensive information security programme. (Introduction ¶ 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks need to frame Board approved Information Security Policy and identify and implement appropriate information security management measures/practices keeping in view their business needs. (Critical components of information security 1) 1), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The policies need to be supported with relevant standards, guidelines and procedures. A policy framework would, inter-alia, incorporate/take into consideration the following: (Critical components of information security 1) 2), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The major role of top management involves implementing the Board approved information security policy, establishing necessary organizational processes for information security and providing necessary resources for successful information security. It is essential that senior management establish an e… (Boards of Directors/Senior Management ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Supporting the development and implementation of a bank-wide information security management programme (Information Security Committee ¶ 3 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Information security governance consists of the leadership, organizational structures and processes that protect information and mitigation of growing information security threats like the ones detailed above. (Information Security Governance ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Analysis/evaluation and improvement of the weakness of information protection; (Article 45-3(3)(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Preparation of preliminary measures for information protection and designing/realization, etc. of security measures; (Article 45-3(3)(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes. (Article 45-3(3)(7), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of tran… (Article 57(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Establish and enforce ICT security policies, standards and procedures. (Annex A1: Standards, policies and procedures 3, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • The CISO regularly reviews and updates their organisation's cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities. (Security Control: 1617; Revision: 0, Australian Government Information Security Manual, March 2021)
  • An APRA-regulated entity's information security policy framework is commonly structured as a hierarchy, with higher level policies supported by underlying standards, guidelines and procedures. A policy framework would normally be informed by a set of information security principles that guide decisi… (21., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Under CPS 234, an APRA-regulated entity must actively maintain an information security capability with respect to changes in vulnerabilities and threats. Accordingly, an entity would typically adopt an adaptive and forward-looking approach to maintaining its information security capability, includin… (20., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • In order to systematically test information security controls, an APRA-regulated entity would normally outline the population of information security controls across the regulated entity, including any group of which it is a part, and maintain a program of testing which validates the design and oper… (78., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • All security documents should be classified at the same level as the system it covers. (§ 2.2.17 thru § 2.2.19, Australian Government ICT Security Manual (ACSI 33))
  • The organization should have security policies, security plans, security risk assessments, and disposal procedures covering all systems the organization owns. E-mail policies, procedures, and plans should be developed and should include authentication procedures; e-mail integrity requirements; how t… (§ 2.2.4, § 2.2.6, § 3.4.30, § 3.5.52, § 3.10.59, Australian Government ICT Security Manual (ACSI 33))
  • Organizations should develop Standard Operating Procedures (SOP) for each system the organization owns. The SOPs should include instructions on how to comply with the System Security Plan, such as the procedures for how to update virus signature files. (§ 2.2.8, § 2.2.12, Australian Government ICT Security Manual (ACSI 33))
  • Discusses "standards tactics" for designing a recordkeeping system, citing interoperability, maintainability, portability, extensibility and possible focuses of standards within an organization. (§ E.4.1, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The financial report must be reviewed, and any requirements that the financial report does not comply with must be identified, along with the reasons it does not comply and the actions necessary to make it comply. (Sched 2 ¶ 4, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • The incident prevention plan may include a security audit of technical security and physical security. (Step 4 Bullet 1, Key Steps for Organizations in Responding to Privacy Breaches)
  • Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availabil… (Art. 9.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools which are appropriate to support the performance of their activities and the provision of services and adequately protect availability, authenticity, integrity and confidentiality of data… (Art. 16.1. ¶ 2(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Information security is a cross-sectional function and must therefore be integrated in all processes and projects of the organisation processing information. Examples of this include: (§ 4.1(3) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Projects frequently fail because the objectives that have been set are unrealistic or too ambitious. This is no different in the field of information security. In order to achieve the reasonable security objective, many small steps and a long-term, continuous process of improvement without high inve… (§ 4.1(4) ¶1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • In this situation, it is useful to examine how the security concept and the security organisation have performed to date. In chapter 8 Security concept, various activities are described for reviewing the performance of individual security safeguards. The results gathered there should be taken into a… (§ 4.3 ¶ 4, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The planned security safeguards must be implemented in accordance with the implementation plan. In this, information security must be integrated in the pan-organisation procedures and processes. If difficulties arise during implementation, they should be communicated immediately so that solutions ca… (§ 8.2 Subsection 2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Once the security safeguards have been selected they must be implemented according to an implementation plan. The following steps should be followed during implementation: (§ 8.2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Survey the IT systems to check if the existing databases or overviews of the existing or planned IT systems are fit for use as the starting point for further procedures. (4.2.4 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Implement the security concept by providing reasons for, and documenting the order of, the implementation of safeguards. (5 Bullet 7, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Document the basic procedure used in the organization for checking and improving the information security process in a corresponding policy and submit the policy to management for approval. (6.1 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Document all sub-aspects of the entire information security process understandably and keep the documentation up-to-date. (6.2 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Secure the flow of information in the information security process by evaluating the quality of the documentation and improve or update it wherever necessary. (6.2 Bullet 5, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Achieving and/or maintaining an appropriate and sufficient level of information security in the organisation requires a planned approach on the one hand and an adequate organisational structure on the other hand. Furthermore, it is required to define security objectives and a strategy for achieving … (§ 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Many internal conditions may affect information security, and these must be determined correspondingly. The analysis of business processes and specialised tasks provides statements about the effects of security incidents on the business activity and the fulfilment of tasks. At this early stage it is… (§ 3.2.1 Subsection 2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Above all, the management must ensure that information security is integrated into all relevant business processes, specialised procedures and projects. Experience has demonstrated that the ISO requires the full support of management in order to be integrated into each key activity by the person res… (§ 3.1 ¶ 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Business goals: Which factors are essential for success of the company or public agency? Which products, offers and orders form the basis of the business activities? What are the general goals of the organisation? Which role does information security play in this regard? (§ 3.2.1 Subsection 1 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Then it should be documented for which area and with which schedule a Basic Protection, Standard Protection and/or Core Protection should be implemented. The corresponding scopes of the information domain should be defined. (§ 3.3.5 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to secure direct access to the organisation's administration or management, these roles should be organised as a staff department. At management level, the information security role should be clearly assigned to one manager to whom the ISO then reports directly. (§ 4 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If this is not possible, because the organisation of parts of the specialised tasks or business processes considered depends on external partners, for example, within the scope of outsourcing, the interfaces should be clearly defined, so that this can be taken into account within the scope of the se… (§ 3.3.4 ¶ 7 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Documentation of decision and time schedule for implementation (§ 3.3.5 Subsection 4 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Information security management is only one of many management tasks, but it influences almost every area within an organisation. Therefore, information security management must be appropriately integrated into the existing organisational structures, and a contact person must be appointed. Tasks and… (§ 4.1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Identification: It is desirable to identify all information already at the time of generation of the same to be able to protect them appropriately and consistently during their whole life cycle. However, experience shows that this is difficult. This is because a classification scheme is easy to crea… (§ 5.1 ¶ 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • For the security concept, organisational, infrastructural and technical requirements from the IT-Grundschutz Compendium should be met for the components of business processes, applications and IT systems. These are classified in modules so that they can build on each other. (§ 6 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • IT-Grundschutz modelling entails determining whether and how the modules of a given layer can be used to map the information domain. Depending on the considered module, the target objects of such mapping can be of different types: individual business processes or components, groups of components, bu… (§ 6.2.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The essential security requirements must be fulfilled early and corresponding security safeguards must be implemented to cover basic risks and establish holistic information security. Thus, IT-Grundschutz proposes an order for the modules to be implemented. (§ 6.2.2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Information security must be lived. To enable the maintenance and continuous improvement of the security level, you not only need to implement and continuously update the required security safeguards, but also need to check the whole process of information security regularly in terms of its effectiv… (§ 6.5 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The results of the IT-Grundschutz Check should be documented such that all those involved can understand them, and they can be used as the basis for implementation planning for those requirements and measures where deficits still exist. Suitable aids providing support for drawing up and updating any… (§ 6.3 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Fulfilment of the standard requirements in IT-Grundschutz normally offers sufficient and adequate protection. In case of high or very high protection needs, as being regularly applicable within the scope of Core Protection, it should be verified whether there are additional security requirements, co… (§ 7.8 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • A distribution effect often will occur if corresponding redundancies already have been used for considering the requirements on high protection needs when creating or developing target objects. Basically, this is an anticipation of considerations required within the scope of risk analysis. That is w… (§ 8.2.2 ¶ 9, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to determine the protection needs of the device, the potential damage to the relevant business processes must be considered in its entirety. The results of defining the protection needs of devices should be documented in a table if such results have an impact on information security. Only d… (§ 8.2.6 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • This label only shows the reasonable temporal order for implementation of the requirements of the respective module and does not represent a weighting of the modules with regard to each other. Basically, all modules of the IT-Grundschutz Compendium relevant for the corresponding information domain … (§ 8.3.3 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Determining an order for implementation of the modules (§ 8.3.7 Subsection 1 Bullet 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • they must be sufficiently concrete for being usable in the present information domain, i.e. they must include e.g. sufficient technical details. (§ 8.3.6 ¶ 3 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Generally, the requirements of the IT-Grundschutz modules always must be implemented analogously. All changes compared to the IT-Grundschutz Compendium should be documented so that the reasons can still be understood later. (§ 8.3.6 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Check suitability and up-to-datedness of security objectives, strategies and concept (§ 10.3 Subsection 1 Bullet 9, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • From a longer term perspective it is necessary to check the security objectives set and the framework conditions. In particular in rapidly changing industries, appropriate alterations in the security policy and strategy are of essential importance. (§ 10.2 Subsection 1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The ISMS must be further developed continuously and adapted to recent knowledge e.g. resulting from checking the information security process. (§ 10.2 Subsection 4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the chosen approach should be supplemented (e.g. from Basic Protection to Standard Protection) and/or (§ 10.2 Subsection 5 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Information security is a cross-sectional function that is connected to almost all areas of an organisation. That is why it is necessary to integrate the information security into the existing processes of an organisation. Examples of this include: (§ 10.1.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Check whether work regarding information security should be made transparent by means of an ISO 27001 certificate on the basis of IT-Grundschutz (§ 11 Subsection 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Security architecture and safeguards for the protection of data, IT applications and IT infrastructures which are managed by the cloud provider or third parties (Section 5.2 SA-01 Basic requirement ¶ 1 Bullet 5, Cloud Computing Compliance Controls Catalogue (C5))
  • The instruments and methods used allow a comprehensible control of the following tasks and activities to permanently maintain and ensure information security: Planning, implementing the plan and/or carrying out the project (Section 5.1 OIS-01 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Planning, implementation, maintenance and continuous improvement of a framework regarding information security within the organisation. (Section 5.1 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards in order to avoid losing data are documented, communicated and provided according to SA-01. They provide reliable procedures for the regular backup (backup as well as snapshots, where applicable) and restoration of data. The scop… (Section 5.6 RB-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Ensuring the protection of information in networks and the corresponding information-processing systems. (Section 5.9 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Legal and regulatory requirements, including data protection, intellectual property right, copyright, handling of meta data (see RB-11) as well as a description as to how they are ensured (e. g. site of data processing and liability, see surrounding parameters for transparency) (Section 5.12 DLL-01 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • The information risk management and information security management under sections 3 and 4 of the BAIT shall take the CIP objective into account and adopt measures to ensure that it is achieved. In particular, risks that have the potential to impair critical services to a significant degree shall be… (II.9.59, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Information security management makes provisions for information security, defines processes and manages the implementation thereof (see AT 7.2 number 2 of MaRisk). Information security management follows a continuous process that comprises a planning, implementation, success monitoring, optimisatio… (II.4.15, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The requirements for information security have been determined and documented: (1.1.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • The organizational management has commissioned and approved the ISMS. (1.2.1 Requirements (must) Bullet 3, Information Security Assessment, Version 5.1)
  • For exceptional situations, information security aspects are taken into consideration in methods, processes and procedures. (3.1.2 Requirements (must) Bullet 4, Information Security Assessment, Version 5.1)
  • Where encryption is not feasible, information must be protected by similarly effective measures. (5.1.2 Additional requirements for high protection needs Bullet 1 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • Where this is technically not feasible, information is protected by similarly effective measures. (3.1.4 Additional requirements for high protection needs Bullet 1 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • Indications regarding technical and organizational measures (e.g. disciplinary action). (1.6.1 Requirements (must) Bullet 3 Sub-Bullet 5, Information Security Assessment, Version 5.1)
  • Where encryption is not feasible, information shall be protected by similarly effective measures. (4.2.1 Additional requirements for very high protection needs Bullet 1 Sub-Bullet 2, Information Security Assessment, Version 5.1)
  • The formal work plan, managing director's instruction, and reporting instruction must be written in a clear, detailed, and functional way to serve as guiding documents for the organization's work. (¶ III.3.5.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • The organization must develop a code of conduct and post it on its web site. The organization must develop procedures for the layout and reporting of financial reports. The Supervisory Board regulations must include paragraphs on dealing with the Management Board, shareholders, and the works council… (¶ II.1.3, ¶ III.1.1, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • The minister who is responsible for public administration, in consultation with the minister responsible for information, will determine how to keep and the scope of the documentation, along with the basic technical and organizational conditions to be fulfilled by the computer systems and devices th… (Art 39a, Poland Protection of Personal Data Act)
  • Firms should be alert to the financial crime risks associated with holding customer data and have written data security policies and procedures which are proportionate, accurate, up to date and relevant to the day-to-day work of staff. (5.2.1 ¶ 2, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Policy ownership ¶ 3: The senior information risk officer is responsible for developing and implementing the information risk policy and reviewing it regularly. Content ¶5: The content of the information risk policy should be sufficiently generic so as to be applicable across the organization and i… (Policy ownership ¶ 3, Content ¶ 5, Guidance on the Departmental Information Risk Policy, March 2009)
  • Purpose ¶ 2: The information risk policy must define how information risk must be managed by the organization and its delivery partners and how the effectiveness of the policy must be assessed. The policy should support the strategic aims and objectives of the organization and allow employees to id… (Purpose ¶ 2, Content ¶ 4, Guidance on the Departmental Information Risk Policy, March 2009)
  • The organization should state the overall scope of the quarterly risk assessments in the information risk policy, and the scope should be consistent with the goals of that policy. (Scope ¶ 2, Guidance on the scope of Quarterly Risk Assessments, March 2009)
  • The organization must have Business Continuity Management arrangements that are robust, up to date, flexible, and fit for the purpose and are supported by competent staff. The arrangements must follow best practices (BS 25999 or equivalent). (Mandatory Requirement 70, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization should implement a content checking/blocking policy. (Mandatory Requirement 39.d, HMG Security Policy Framework, Version 6.0 May 2011)
  • The counter-terrorist protective security policy must include roles and responsibilities, including third parties and contractors. (Mandatory Requirement 66.b, HMG Security Policy Framework, Version 6.0 May 2011)
  • The counter-terrorist protective security policy must include the testing of the plan. (Mandatory Requirement 66.e, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support operation of essential functions. (B1. ¶ 1, NCSC CAF guidance, 3.1)
  • The purpose of the information security management practice is to protect the information needed by the organization to conduct its business. This includes understanding and managing risks to the confidentiality, integrity, and availability of information, as well as other aspects of information sec… (5.1.3 ¶ 1, ITIL Foundation, 4 Edition)
  • The rating systems design and operational details should be documented. The organization should develop a disclosure policy stating which disclosures will be made and how to control the disclosure process. The disclosure policy should include ensuring disclosures are appropriate through a validation… (¶ 418, ¶ 821, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • Is management's view of e-security reflected in documented policies and day-to-day procedures? (§ I.1, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • If a comprehensive information policy and auditing process has been established, what areas are covered? (Table Row II.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • What is the process for maintaining and configuring rule sets and routing controls? (Table Row VII.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization have evidentiary data guidelines and preservation practices? (Table Row XII.25, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Prior to delegating functions to another entity, the organization should establish and implement a process to conduct a review of the potential contractor's written policies and documented procedures and capacity to perform delegated functions. (CORE - 7(a), URAC Health Utilization Management Standards, Version 6)
  • The organization as part of its quality management program, should provide written documentation of objectives and approaches utilized in the quality management activities. (CORE - 21(a), URAC Health Utilization Management Standards, Version 6)
  • Manage IT security at the highest appropriate organisational level, so the management of security actions is in line with business requirements. (DS5.1 Management of IT Security, CobiT, Version 4.1)
  • Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, softw… (DS5.2 IT Security Plan, CobiT, Version 4.1)
  • Manage information to be secure, relevant, reliable, and available when needed. (A5.7 Develop the Information Management Structure, OCEG GRC Capability Model, v 3.0)
  • The organization must ensure employee information security policies are communicated. (§ 1a, American Express Data Security Standard (DSS))
  • PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes: (12.5.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes: (12.5.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes: (12.5.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An information governance program shall be constructed to ensure an appropriate level of protection to information assets that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection. (Principle of Protection:, Generally Accepted Recordkeeping Principles®, For the Web)
  • A business continuity management system must be developed, implemented, maintained, and continuously improved by the organization in accordance with sections 3.2 to 3.4. (§ 3.1, BS 25999-2, Business continuity management. Specification, 2007)
  • IT policy statements should include, but not be restricted to: a general policy on the organization's security and privacy level (should be consistent with relevant national and international legislation); the rights of access and classification of information at each level (should also define use l… (§ 5.3.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Standards support policy requirements and are intended to define the ways to achieve the organization's required objectives. Standards promote efficiency and enable the IT operating environment to be maintained more efficiently. Standards should be adopted for data structures. This will ensure consi… (§ 5.3.2 ¶ 1, § 5.3.2 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The organization must implement an effective privacy program that includes: a privacy statement; controls and processes; written procedures and policies; privacy governance and accountability; training; roles and responsibilities; information security practices; monitoring and auditing; privacy laws… (§ 2.2 (Privacy Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization's policy statement must ensure, within the scope of the organizational resilience management system, it is appropriate for the scale and nature of the potential risks, threats, hazards, and impacts to the organization's products, services, functions, and activities; includes, as its… (§ 4.2.1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The documents required for this Standard and the organizational resilience management system must be controlled. The organization must develop, implement, and maintain procedures to approve the adequacy of documents prior to issuance; review, update, and then re-approve documents; ensure that docume… (§ 4.4.5, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization should develop and implement an ethics program. An ethics program can improve employees' understanding of ethical behavior and promote the confidential reporting of any known issues before they become a problem. The organization should ensure a program is in place to protect sensiti… (Pg 1-II-16, Pg 1-I-A2, Pg 4-II-5, Pg 8-II-22, Pg 8-II-23, Pg 12-III-20, Pg 13-II-2, Pg 13-II-3, Pg 23-VI-2 thru Pg 23-VI-4, Revised Volume 1 Pg 8-II-23, Revised Volume 1 Pg 8-III-4, Protection of Assets Manual, ASIS International)
  • The document management process should be supported by an automated Document Management System (or equivalent) to maintain the confidentiality, integrity, and availability of each document during its lifecycle (e.g., by automatically encrypting, digitally signing, time-stamping, or backing up docume… (CF.03.02.08b, The Standard of Good Practice for Information Security)
  • There should be a process in place for managing the organization's documents throughout the complete document lifecycle, including creation (e.g., by a business user or by an automated business process). (CF.03.02.06a, The Standard of Good Practice for Information Security)
  • The document management process should be supported by an automated Document Management System (or equivalent) to maintain the confidentiality, integrity, and availability of each document during its lifecycle (e.g., by automatically encrypting, digitally signing, time-stamping, or backing up docume… (CF.03.02.08b, The Standard of Good Practice for Information Security, 2013)
  • There should be a process in place for managing the organization's documents throughout the complete document lifecycle, including creation (e.g., by a business user or by an automated business process). (CF.03.02.06a, The Standard of Good Practice for Information Security, 2013)
  • An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security progra… (GRM-04, Cloud Controls Matrix, v3.0)
  • Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM. (GRC-05, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and proced… (DSP-01, Cloud Controls Matrix, v4.0)
  • Management shall approve a formal information security policy document which shall be communicated and published to employees, contractors and other relevant external parties. (IS-03, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Policies and procedures shall be established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities. (RM-01, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • An organization should include ICT security as a component of all planning, implementation and operational activities. Protection should continue throughout the life cycle of information and ICT systems, from planning to acquisition, testing and operation. An organizational structure should support … (§ 5.2.2, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • ¶ 8.1 Baseline Approach. An organization could apply baseline security to all IT systems by selecting standard safeguards. A variety of standard safeguards are suggested in baseline documents and codes of practice. If all of an organization's IT systems have only a low level of security requirement… (¶ 8.1, ¶ 8.2, ¶ 8.3, ¶ 8.4, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 8.1.1(1)(2) IT Security Management and Policies. An organization should implement safeguards to achieve an appropriate and consistent level of security throughout the organization. This safeguard category contains all those safeguards dealing with the management of IT security, the planning of … (¶ 8.1.1(1)(2), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessa… (¶ 8.1.5(3), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Development of an Organization-wide Baseline. An organization should apply baseline security either to the whole organization or to parts of it and consider the following questions. • Which parts of the organization or systems can be protected by the same baseline, and which require a different co… (¶ 12, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 7.2 Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas. When considering network c… (¶ 7.2, ¶ 11, ¶ 11.1, ¶ 11.2, ¶ 11.2 Table 2 Trust Environment "Low", ¶ 11.2 Table 2 Trust Environment "Medium", ¶ 11.2 Table 2 Trust Environment "High", ¶ 11.2 Table 3 Row "Public Network Connection", ¶ 11.2 Table 3 Row "Private Network Connection", ¶ 11.2 Table 4 Row "LOW/PUBLIC", ¶ 11.2 Table 4 Row "MEDIUM/PUBLIC", ¶ 11.2 Table 4 Row "HIGH/PUBLIC", ¶ 11.2 Table 4 Row "LOW/PRIVATE", ¶ 11.2 Table 4 Row "MEDIUM/PRIVATE", ¶ 11.2 Table 4 Row "HIGH/PRIVATE", ¶ 12, ¶ 13, ¶ 13.1, ¶ 13.2, ¶ 13.3, ¶ 13.3.1, ¶ 13.7, ¶ 13.8, ¶ 13.9, ¶ 13.10, ¶ 14, ¶ 15, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The organization shall ensure that the quality management system documentation includes quality objectives, a quality policy; a quality manual; procedures and records required by this ISO; documents needed for effectively planning, operating, and controlling processes; and other documentation specif… (§ 4.2.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall establish procedures for issuing and implementing advisory notices at any time. (§ 8.5.1 ¶ 2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall establish process management policies and procedures. (§ 6.2.1.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall document the Risk Management process. (§ 6.3.4.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall integrate the procedures for generating data, collecting data, analyzing data, and reporting data into the appropriate processes. (§ 6.3.7.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • All security requirements not referenced in the Common Criteria should be identified and justified, be measurable, and be able to be evaluated for compliance or noncompliance. (§ 9.6, § 10.6, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The development or adoption of recordkeeping standards, in addition to policies and procedures, is recommended; details on the nature of those standards are not provided. (§ 3.2.6(2b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • All security requirements for the product and the environment that are not explicitly stated in ISO/IEC 15408 should be identified, justified, use ISO/IEC 15408 as a model, be measurable, have evaluation requirements that compliance or noncompliance can be determined and demonstrated, clearly expres… (§ 8.3.6, § 9.3.7, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The guidance documentation should be examined to ensure it is adequate for consumers to effectively use the security functions, administer the product, and detect any insecure states. (§ 12.10.1.6, § 13.10.1.6, § 13.10.1.7, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The organization shall establish documented procedures, including authorities and responsibilities, for creating and approving documents prior to issue. (§ 4.3.2 ¶ 2(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall implement and operate technical, administrative, and physical Information Security controls to meet the information security policy requirements. (§ 6.6.2 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • All plans, policies, and provisions should be documented. Service providers should ensure operational procedures and policies for the physical facility and equipment are equally applicable to the associated software and firmware. Service providers should ensure day-to-day operational policies and pr… (§ 5.12, § 6.14.11, § 7.5.1 ¶ 2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Management should review the information security policy on a routine basis. Policies and procedures should be developed to protect information when business systems are interconnected. They should address known system vulnerabilities; controls for information sharing; proper protection levels; and … (§ 5.1.2, § 10.8.5, ISO 27002 Code of practice for information security management, 2005)
  • have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. (§ 6.1.1 Health-specific control ¶ 1(b), ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • § 4.3.2: The organization should ensure its objectives for and commitment to risk management are stated in its risk management policy. The risk management policy should address the organization's rationale for managing risks; links between its objectives and policies and its risk management policy;… (§ 4.3.2, § 5.7, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • The organization should ensure there is authority, accountability, and competence for managing risk. This includes implementing and maintaining the risk management process and ensuring controls are adequate, effective, and efficient. To accomplish this, the organization should identify risk owners; … (§ 4.3.3, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • the implementation of a risk-based information security management system (ISMS); (§ 6.8.3.4 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • § 7.1.4: For software systems assigned to Class B and Class C software safety classes, the medical device manufacturer shall document in the risk management file potential causes of software items contributing to hazardous situations. § 7.1.5: For software systems assigned to Class B and Class C s… (§ 7.1.4, § 7.1.5, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • ensuring the integration of the information security management system requirements into the organization's processes; (§ 5.1 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document. (§ 4.4 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system. (§ 10.1 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • make changes to the information security management system, if necessary. (§ 10.2 ¶ 1 e), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • designing information security processes and systems; (§ 5.3 Guidance ¶ 2(c), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • determine the final scope: the refined scope should be evaluated by all management within the refined scope. If necessary, it should be adjusted and then precisely described; and (§ 4.3 Guidance ¶ 1(h), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • top management should ensure that ISMS requirements and controls are integrated into the organization's processes. How this is achieved should be tailored to the specific context of the organization. For example, an organization that has designated process owners can delegate the responsibility to i… (§ 5.1 Guidance ¶ 1(b), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization establishes information security objectives and plans to achieve them at relevant functions and levels. (§ 6.2 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the information and communication technology scope, boundaries and interfaces; and (§ 4.3 Guidance ¶ 3(k), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the physical scope, boundaries and interfaces. (§ 4.3 Guidance ¶ 3(l), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • see c) above. Information security objectives should be aligned with information security needs; for this reason, risk assessment and treatment results should be used as inputs when setting information security objectives; (§ 6.2 Guidance ¶ 4 Bullet 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the activities to be done; (§ 6.2 Guidance ¶ 5 Bullet 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization plans, implements and controls the processes to meet its information security requirements and to achieve its information security objectives. (§ 8.1 Required activity ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • suitability of the ISMS, considering if the external and internal issues, requirements of the interested parties, established information security objectives and identified information security risks are properly addressed through planning and implementation of the ISMS and information security cont… (§ 10.2 Guidance ¶ 1(a), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Measures to ensure information security and confidentiality should be determined considering auditees and other relevant party requirements. Other party requirements can include relevant legal and contractual requirements. (§ 5.3.2, ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • the importance of preserving the confidentiality, integrity and availability of information within the scope of the ISMS; (§ 5.4.3.2 e), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • identified information security requirements; (§ 5.2.2 a), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • evaluation of whether the ISMS adequately identifies and addresses information security requirements; (§ 5.5.2.2 a), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • The organization has established, and maintains, a cybersecurity program designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite. (GV.SP-1.1, CRI Profile, v1.2)
  • The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. (GV.TE-2.1, CRI Profile, v1.2)
  • Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. (Protective Technology (PR.PT), CRI Profile, v1.2)
  • Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. (Information Protection Processes and Procedures (PR.IP), CRI Profile, v1.2)
  • The organization has a cybersecurity program that is continually measured and improved. (Security Program (GV.SP), CRI Profile, v1.2)
  • The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls: (§ 52.204-21(b)(1), Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information Systems)
  • The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. (GV.TE-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has established, and maintains, a cybersecurity program designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite. (GV.SP-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Although a system may begin operation in a secure state, it is important to be able to monitor the system to ensure that it remains in that secure state. If an event impacts the security of a system, timely notification of the event may be critical to mitigating the associated risk. Asset owners sho… (10.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • All security management programs and procedures should be documented. (Pg 3, Responsible Care Security Code of Management Practices, American Chemistry Council)
  • The organization should ensure its privacy policies include providing notice to individuals about the purpose for collecting the information. (ID 2.1.0, ID 2.1.1, AICPA/CICA Privacy Framework)
  • The entity defines and documents its policies for the security of the system. (Security Prin. and Criteria Table § 1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity defines and documents its policies for the availability of its system. (Availability Prin. and Criteria Table § 1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity defines and documents its policies for the processing integrity of its system. (Processing Integrity Prin. and Criteria Table § 1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity defines and documents its policies related to the system protecting confidential information, as committed or agreed. (Confidentiality Prin. and Criteria Table § 1.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Personal information that is stored or accessed on mobile devices or portable media should be subject to the organization's retention, access, and destruction policies. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Whether service organization management uses an appropriate security framework for managing its system processes and controls (for example, the National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity" [NIST cybersecurity framework] or Internati… (¶ 3.82 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The organization must develop policies, procedures, and reporting requirements. (PE 4, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • Commensurate with the size and complexity of the Licensee, the nature and scope of the Licensee's activities, including its use of Third-Party Service Providers, and the sensitivity of the Nonpublic Information used by the Licensee or in the Licensee's possession, custody or control, each Licensee s… (Section 4.A ¶ 1, Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Require the Licensee's executive management or its delegates to develop, implement, and maintain the Licensee's Information Security Program; (Section 4.E ¶ 1(1), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be a… (Section 3 ¶ 1., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee's activities; (Section 7 ¶ 1.A., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • Each licensee shall establish and implement an information security program, including appropriate policies and systems pursuant to this regulation by [insert date]. (Section 11 ¶ 1., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • NFA Compliance Rules 2-9, 2-36 and 2-49, as applicable, require NFA Members to develop, maintain and implement an appropriate ISSP in light of the importance of protecting the integrity of their technology systems. NFA recognizes that the particulars of a Member's ISSP will vary based on the Member'… (Recordkeeping ¶ 2, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • NFA does not require a Member to utilize any of these resources in developing its ISSP, but each Member must formally adopt an ISSP appropriate for the Member's business. (Information Security Program Bullet 1 Written Program ¶ 3, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Each Member firm should establish and implement a governance framework that supports informed decision making and escalation within the firm to identify and manage information security risks. In implementing an ISSP, each Member must adopt and enforce a written ISSP reasonably designed to provide sa… (Information Security Program Bullet 1 Written Program ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Does the information security policy contain a policy for constituent accountability? (§ B.1.17, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is there a documented response program with policies and procedures to address privacy incidents and unauthorized disclosure, access, or breach of client confidential information? (§ P.3.10, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • For cloud computing services, is a standards-based federated identification capability available to clients (e.g., SAML or OpenID)? (§ V.1.14, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is there a management approved process in place to ensure that image snapshots containing scoped data are authorized before being snapped? (§ V.1.16, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • § 422.202(b)(1): A Medicare Advantage (MA) organization must establish formal mechanisms for consulting with physicians about the medical policy, quality improvement programs, and medical management procedures and ensure practice and utilization management guidelines are based on reasonable medical… (§ 422.202(b)(1), § 422.503(b)(4)(vi)(A), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • § 3.3 ¶ 3: The organization shall document and maintain the systems security certification in the system security profile. The security certification validates that the certification, system security plans, risk assessment, Federal Information Security Management Act of 2002 (FISMA) annual securit… (§ 3.3 ¶ 3, § 3.7, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must implement communication software to restrict access from specific workstations by verifying workstation identifications through: verifying userids and passwords for application access; controlling connections between workstations and systems; restricting the use of network faci… (CSR 10.10.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • As part of the personnel security program, the organization must establish and maintain personnel security policies and procedures. (CSR 1.4.1(5), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Business owners are required to complete a system security plan workbook, based on the system sensitivity level. This information is used to complete the main body of the system security plan. (§ 3.1.5, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • The business owner shall use the system security plan template (http://www.cms.gov/informationsecurity/downloads/ssp_template.zip) to develop the system security plan. (§ 3, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • Information Security Program. Each bank holding company shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank holding company and the nature and scope of its activities.… (§ II.A, 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Oversee the development, implementation, and maintenance of the bank holding company's information security program, including assigning specific responsibility for its implementation and reviewing reports from management. (§ III.A(2), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Effective date. Each bank holding company must implement an information security program pursuant to these Guidelines by July 1, 2001. (§ III.G(1), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Section 501(b) of the GLBA required the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction that include administrative, technical, and physical safeguards, to protect the security and confidentiality of customer information. Accordingly, the Agencies… (Supplement A § I.A, 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain th… (§242.1001(a)(1), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls: (§ 52.204-21 (b)(1), 48 CFR Part 52.204-21, Basic Safeguarding of Covered Contractor Information Systems)
  • The bank should develop effective Office of Foreign Assets Control (OFAC) compliance programs. The program should include designating a person to monitor day-to-day compliance, maintaining strong lines of communications, an annual in-depth audit, and policies and procedures for filtering for possibl… (Pg 41, Obj 1 (Policy), Obj 13 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Determine if management has implemented policies and procedures for maintaining compliance with all applicable laws and regulations. Verify that the organization has comprehensive policies and procedures in place. (Pg 41, Obj 1 (Policy), Obj 13 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The Director of the Office of Management and Budget must oversee the development and implementation of standards and guidelines pertaining to Federal computer systems in accordance with the National Institute of Standards and Technology (NIST) Act. The Secretary of Commerce must promulgate the stand… (§ 5112(d), § 5131(a)(1), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The Federal banking agencies, the National Credit Union Association, and the Federal Trade Commission have jointly established and maintain guidelines about identity theft and are required to keep the guidelines updated. These agencies require financial institutions and creditors to establish polici… (§ 114, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • The Federal banking agencies, the National Credit Union Association, and the Federal Trade Commission have jointly established and maintain guidelines about identity theft and are required to keep the guidelines updated. These agencies require financial institutions and creditors to establish polici… (§ 615(e), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • The agency head must ensure senior agency officials implement policies and procedures to information and information systems that support operations and assets under their control in order to cost-effectively reduce risks to acceptable levels. The Chief Information Officer must develop and maintain … (§ 3544(a)(2)(C), § 3544(b)(3), Federal Information Security Management Act of 2002, Deprecated)
  • AGENCY PROGRAM.—Each agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, co… (§ 3554(b), Federal Information Security Modernization Act of 2014)
  • information collected or maintained by or on behalf of the agency; and (§ 3554(a)(1)(A)(i), Federal Information Security Modernization Act of 2014)
  • ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control, including through— (§ 3554(a)(2), Federal Information Security Modernization Act of 2014)
  • provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; (§ 3557 ¶ 1(1), Federal Information Security Modernization Act of 2014)
  • Healthcare providers shall maintain safeguards to ensure the integrity and confidentiality of health information. (§ 1173(d)(2)(A), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress, Deprecated)
  • Community Health Insurance Options shall follow the consumer protection laws of the state. (§ 1323(b)(7)(C), Patient Protection and Affordable Care Act, Public Law 111-148, 111th Congress)
  • Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections: (§ 252.204-7012(b), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • Other safeguarding or reporting requirements. The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor's responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicabl… (§ 252.204-7012(l), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • Once a DoD PA is granted, the CSP is expected to maintain the security posture of the CSO through continuous and periodic vulnerability scans, DoD annual assessments, incident management, and effective implementation of operational processes and procedures. Integral to this is periodic reporting to … (Section 5.3.1 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Basic-robustness commercial off the shelf products, as defined in the Protection Profile consistency guidance for basic robustness published under the Information Assurance technical framework, must be used for ensuring the availability of publicly released information and protecting it from malicio… (DCSR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Medium-robustness commercial off the shelf products, as defined in the Protection Profile consistency guidance for medium robustness published under the Information Assurance technical framework, must be used for protecting sensitive information that transits public networks or systems and is access… (DCSR-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Facilities Security Officer (FSO) must develop procedures to effectively implement the requirements of this Manual. The protection measures that have been implemented to ensure the hardware, software, and/or firmware cannot be accessed by unauthorized individuals must be documented. (§ 1-202, § 8-613.b, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • § 3.106(b)(1)(i) A patient safety organization must monitor and evaluate written policies and procedures that protect the confidentiality, integrity, and availability of patient safety work product. § 3.208(a) A provider or patient safety organization, having disclosed patient safety work product,… (§ 3.106(b)(1)(i), § 3.208(a), 42 CFR Part 3, Patient Safety and Quality Improvements, Final Rule)
  • Protected health information policies and procedures must be implemented to comply with the standards, implementation specifications, and other requirements. (§ 164.530(i)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (§ 164.308(a)(1)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Procedures must be in place to ensure all information for clearing cargo is legible, accurate, and complete and is protected against the introduction, loss, or exchange of erroneous information; and information received from business partners is accurate and timely. (Documentation Processing, Manifesting Procedures, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria)
  • The following are sector security goals: the sector should strive to reduce the number of critical assets; ensure all personnel are vetted for employment suitability, reliability, and trustworthiness; determine the impact or consequence of critical DIB asset loss; identify all information that ident… (§ 1.3.1, Defense Industrial Base Information Assurance Standard)
  • The criminal justice information services systems officer shall establish, maintain, and enforce policy that governs the operation of system components that comprise and support a telecommunications network and criminal justice information services systems that process, store, or transmit criminal j… (§ 3.2.2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The criminal justice information services systems agency information security officer shall document the technical compliance with the security policy in order to assure the confidentiality, integrity, and availability of criminal justice information. (§ 3.2.8(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Procedures for handling and storage of information shall be established to protect that information from unauthorized disclosure, alteration or misuse. Using the requirements in this Policy as a starting point, the procedures shall apply to the handling, processing, storing, and communication of CJI… (§ 5.1.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The CSA is responsible for establishing and administering an information technology security program throughout the CSA's user community, to include the local levels. The head of each CSA shall appoint a CJIS Systems Officer (CSO). The CSA may impose more stringent protection measures than outlined … (§ 3.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Procedures for handling and storage of information shall be established to protect that information from unauthorized disclosure, alteration or misuse. Using the requirements in this Policy as a starting point, the procedures shall apply to the handling, processing, storing, and communication of CJI… (§ 5.1.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • It is the responsibility of all agencies covered under this Policy to ensure the protection of CJI between the FBI CJIS Division and its user community. The following figure provides an abstract representation of the strategic functions and roles such as governance and operations. (§ 3.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Procedures must be developed by each organization included in the Emergency Operations Plan to state the specific actions necessary to be taken during an incident. (Chap III.B.2.a(2), National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • The National Incident Management System (NIMS) Integration Center is responsible for developing data standards for notifying and reporting incidents, reporting the status of incidents, and collecting and transmitting data for analysis and for developing data standards for the interoperability of wir… (Chap V.B.2.b, Chap VI.B.2, National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • All elements of the information security program are coordinated enterprise-wide. (Domain 1: Assessment Factor: Governance, STRATEGY/POLICIES Baseline 2 ¶ 7, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Uses the results of the data classification process to implement controls to safeguard data, including sensitive data. (App A Objective 3:5b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Focuses on identifying, managing, and securing the data; identifying business uses; and providing appropriate access regardless of how the data are stored. (App A Objective 3:6g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Verify that management implemented effective database security controls, such as the following: (App A Objective 3:7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Employs appropriate data protection and data loss prevention tools. (App A Objective 4:5d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Governance and use of information or data, protection of that data, and derivation of maximum value from it. (App A Objective 2:9b Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: (App A Objective 14:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Appropriate controls over vulnerability scanning tools, including controls to protect against unauthorized use or access to sensitive information. (App A Objective 15:3a Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implementation of the information security program by clearly communicating responsibilities and holding appropriate individuals accountable for carrying out these responsibilities. (App A Objective 2.5.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the board approves a written information security program and receives a report on the effectiveness of the information security program at least annually. Determine whether the report to the board describes the overall status of the information security program and discusses mater… (App A Objective 2.4, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Establishment of appropriate policies, standards, and procedures to support the information security program. (App A Objective 2.5.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the information security program is subject to periodic review and whether management provides for continual improvement in the program's effectiveness. Verify whether that review does the following: (App A Objective 9.1, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Security policies, standards, and procedures that are designed to support and to align with the policies in the lines of business. (App A Objective 3.2.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management of the information security program is appropriate and supports the institution's ITRM process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program. (App A Objective 3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should develop and implement an information security program that does the following: - Supports the institution's IT risk management (ITRM) process by identifying threats, measuring risk, defining information security requirements, and implementing controls. - Integrates with lines of … (II Information Security Program Management, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • As part of the governance structure, financial institution management should ensure development, implementation, and maintenance of the following: - An effective IT risk management structure. - A comprehensive information security program. - A formal project management process. - An enterprise-wide … (I.B IT Responsibilities and Functions, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management has a board-approved written information security program and verify that it is maintained and updated according to regulatory requirements. (App A Objective 3:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Board approval of the information security program and other IT-related policies. (App A Objective 2:1 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Exam Tier II Obj D.1 Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ E… (Exam Tier II Obj D.1, Exam Tier II Obj E.2, Exam Tier II Obj E.3, FFIEC IT Examination Handbook - Audit, August 2003)
  • Management should ensure all hardware and software has associated documentation. (Pg 11, FFIEC IT Examination Handbook - Development and Acquisition)
  • Organizations should establish standards, policies, and procedures that meet the organizational and project requirements and help reduce risks to the project. (Pg 2, FFIEC IT Examination Handbook - Development and Acquisition)
  • Determine if IT management has adequate standards and procedures governing the following items through examination or by discussing the issues with other examiners performing reviews in these areas: ▪ Risk assessment, ▪ Personnel administration, ▪ Development and acquisition, ▪ Computer oper… (Exam Obj 6.1, FFIEC IT Examination Handbook - Management)
  • Policies should be developed by the organization to reduce the risk exposure of the organization. Policies should cover personnel, physical and logical security, change management, and continuity plans. (Pg 15, FFIEC IT Examination Handbook - Operations, July 2004)
  • Procedures should be developed by management for all critical operations and should be reviewed and updated on a regular basis and when changes occur. Procedures should exist for the administration of the network, telecommunications, data storage, and the data library; the maintenance of the equipme… (Pg 16, Pg 17, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should develop standards for hardware, software, and the operating environment. Management should implement standardization for all platforms in order to improve performance, reduce costs, enhance reliability, and improve integration and interoperability. (Pg 16, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine whether the financial institution has adopted adequate policies and procedures regarding ACH transactions involving Internet-initiated (WEB) entries. Determine whether they: • Are in writing and approved by the board or a designated committee. • Adequately address ODFI or RDFI responsi… (Exam Tier II Obj 11.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • (Exam Tier I Obj 3.7, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Determine if the institution has guidelines for the information to be obtained from a customer making a funds transfer request. The request should contain: ▪ The account name and number. ▪ A sequence number. ▪ The amount to be transferred. ▪ The person or source initiating the request. ▪ T… (Exam Tier II Obj 4.7, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization should have procedures to verify all processed payment orders. Procedures to prevent fraud or errors in the system should include call backs, using code words, and/or only authorizing certain employees to send payment orders. The organization's policies and procedures should include… (Pg 19, Pg 32, Exam Tier II Obj 3.1, Exam Tier II Obj 7.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (d) of this section; any material changes to your operations or business arrangements; the results of risk assessments performed under paragraph (b)(2) of this section; o… (§ 314.4 ¶ 1(g), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature a… (§ 314.3(a), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Each federally insured credit union will develop a written security program within 90 days of the effective date of insurance. (§ 748.0 (a), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the credit union's activities. Each credit union must consider whether the following security measures are appropriate for the credit u… (§ 748 Appendix A. III.C.1., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Objectives. A credit union's information security program should be designed to: ensure the security and confidentiality of member information; protect against any anticipated threats or hazards to the security or integrity of such information; protect against unauthorized access to or use of such i… (§ 748 Appendix A. II.B., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Credit unions have an affirmative duty to protect their members' information against unauthorized access or use. Notifying members of a security incident involving the unauthorized access or use of the member's information in accordance with the standard set forth below is a key part of that duty. (§ 748 Appendix B. III.i., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Millions of Americans, throughout the country, have been victims of identity theft. Identity thieves misuse personal information they obtain from a number of sources, including credit unions, to perpetrate identity theft. Therefore, credit unions should take preventative measures to safeguard member… (§ 748 Appendix B. II.i., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Are there written policies for each implemented service and appliance, such as websites, internet banking, firewalls, and Intrusion Detection Systems? (IT - General Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union conform to the Certification Authority standards established by the Internet Engineering Task Force and National Institute of Standards and Technology? (IT - Authentication Q 27, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union have a formal, written policy for how networked applications are approved, prioritized, acquired, developed, and maintained? (IT - Networks Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish and collaborate with a threat-informed security program. (3.4.2. ¶ 1 Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • § 2.2.1 ¶ 3: The organization should include a requirement for authentication in its LAN policies. § 2.2.2 ¶ 7: The types of information needed to be exchanged between servers should be stated in the LAN policy. Any information that is not needed to be shared should be restricted. (§ 2.2.1 ¶ 3, § 2.2.2 ¶ 7, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. (PR.PT Protective Technology, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. (PR.IP Information Protection Processes and Procedures, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. (PR.IP Information Protection Processes and Procedures, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. (PR.PT Protective Technology, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • An organization should have a computer security policy. A computer security policy allows senior management to create a computer security program, establishing goals and assigning responsibilities. Policy is also defined to refer to the specific security rules for certain systems. There are also oth… (§ 3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Standards may be developed due to the broad nature of policies. (§ 3.1.4.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1 Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops and disseminates an organization-wide information security program plan that: (PM-1a., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and (PM-1a.3., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should plan for and address the security aspects for all organization-owned PDAs and cell phones. (Pg ES-2, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Lead and align information technology (IT) security priorities with the security strategy. (T0134, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Co… (T0271, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities. (T0553, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that security improvement actions are evaluated, validated, and implemented as required. (T0089, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Assess and design security management functions as related to cyberspace. (T0556, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide input to the identification of cyber-related success criteria. (T0592, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify functional- and security-related features to find opportunities for new capability development to exploit or mitigate vulnerabilities. (T0410, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide input for the development and refinement of the cyber operations objectives, priorities, strategies, plans, and programs. (T0787, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop cyber operations plans and guidance to ensure that execution and resource allocation decisions align with organization objectives. (T0658, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Create auditable evidence of security measures. (T0274, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop content for cyber defense tools. (T0020, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Security and privacy policies (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data. (Data Protection Policies, Processes, and Procedures (PR.PO-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization should develop comprehensive policies and procedures for handling Personally Identifiable Information at the organizational level, the program level, and the system level. (§ 4.1.1 ¶ 1, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must develop procedures to implement the Awareness and Training security policy and requirements. (SG.AT-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Audit and Accountability policy must include the objectives, roles, and responsibilities of the program. (SG.AU-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Audit and Accountability policy must include the scope of the program. (SG.AU-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the Audit and Accountability policy and the associated protection requirements. (SG.AU-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The security assessment and authorization policy must include the objectives, roles, and responsibilities for the security assessment and authorization security program. (SG.CA-1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The security assessment and authorization policy must include the scope of the security assessment and authorization security program. (SG.CA-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the security assessment and authorization policy and the associated protection requirements. (SG.CA-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop a security assessment plan that describes the scope, including the security requirements and security enhancements. (SG.CA-2 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop a security assessment plan that describes the scope, including the procedures to determine the effectiveness of the security requirements. (SG.CA-2 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop a security assessment plan that describes the scope, to include the assessment team, the assessment roles and responsibilities, and the assessment environment. (SG.CA-2 Requirement 1.c, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the Configuration Management security policy and the associated protection requirements. (SG.CM-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should implement policies and procedures for adding, removing, and disposing of all Information System equipment. (SG.CM-9 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The continuity of operations security policy must include the objectives, roles, and responsibilities of the program. (SG.CP-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Continuity Of Operations security policy must include the scope of the program. (SG.CP-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the Continuity Of Operations security policy and the associated protection requirements. (SG.CP-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Identification and Authentication security policy must include the objectives, roles, and responsibilities of the program. (SG.IA-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Identification and Authentication security policy must include the scope of the program. (SG.IA-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the Identification and Authentication security policy and the associated protection requirements. (SG.IA-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The information and document management policy must include the objectives, roles, and responsibilities of the program. (SG.ID-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The information and document management policy must include the scope of the program. (SG.ID-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the information and document management policy and the associated protection requirements. (SG.ID-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the Incident Response security policy and the associated protection requirements. (SG.IR-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the smart grid information system maintenance security policy and the associated protection requirements. (SG.MA-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop policies and procedures for upgrading existing legacy systems, including security mitigating measures based on the Risk Tolerance and risk to the system. (SG.MA-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The media protection security policy must include the objectives, roles, and responsibilities of the program. (SG.MP-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Media Protection security policy must include the scope of the program. (SG.MP-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the Media Protection security policy and the associated protection requirements. (SG.MP-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the physical and environmental security policy and the associated protection requirements. (SG.PE-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the strategic planning policy and the associated protection requirements. (SG.PL-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop and implement a security program security policy. (SG.PM-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The security program security policy must include the objectives, roles, and responsibilities of the program. (SG.PM-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The security program security policy must include the scope of the program. (SG.PM-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the security program security policy and the associated protection requirements. (SG.PM-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop and implement a personnel security policy. (SG.PS-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The personnel security policy must include the objectives, roles, and responsibilities of the program. (SG.PS-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The personnel security policy must include the scope of the program. (SG.PS-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the personnel security policy and the associated protection requirements. (SG.PS-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the risk assessment security policy and the associated protection requirements. (SG.RA-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the smart grid Information System and services acquisition security policy and the associated protection requirements. (SG.SA-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop and implement a smart grid Information System and communication protection security policy. (SG.SC-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System and communication protection security policy must include the objectives, roles, and responsibilities of the program. (SG.SC-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System and communication protection security policy must include the scope of the program. (SG.SC-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the smart grid Information System and communication protection security policy and the associated protection requirements. (SG.SC-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop procedures for implementing the smart grid Information System and Information Integrity security policy and the associated protection requirements. (SG.SI-1 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should protect the confidentiality of information during aggregation, packaging, and transformation prior to transmission. (App F § SC-9(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must implement controls to protect the integrity and availability of public information and applications. (App F § SC-14, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should develop a Security Concept of Operations that includes the system's purpose. (App F § PL-2(1)(a)(i), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should develop a Security Concept of Operations that includes a system architecture description. (App F § PL-2(1)(a)(ii), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should develop a Security Concept of Operations that includes a security authorization schedule. (App F § PL-2(1)(a)(iii), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should develop a Security Concept of Operations that includes the security categorizations and the factors that were considered to determine the categorizations. (App F § PL-2(1)(a)(iv), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should maintain information integrity during aggregation, packaging, and transformation while preparing for transmission. (App F § SC-8(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Lead and align information technology (IT) security priorities with the security strategy. (T0134, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop cyber operations plans and guidance to ensure that execution and resource allocation decisions align with organization objectives. (T0658, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide input for the development and refinement of the cyber operations objectives, priorities, strategies, plans, and programs. (T0787, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop content for cyber defense tools. (T0020, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Co… (T0271, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide input to the identification of cyber-related success criteria. (T0592, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Assess and design security management functions as related to cyberspace. (T0556, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system maintains the {confidentiality} of information during preparation for transmission and during reception. (SC-8(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system maintains the {integrity} of information during preparation for transmission and during reception. (SC-8(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops and disseminates an organization-wide information security program plan that: (PM-1a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and (PM-1a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develop and disseminate an organization-wide information security program plan that: (PM-1a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Reflects the coordination among organizational entities responsible for information security; and (PM-1a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop and disseminate an organization-wide information security program plan that: (PM-1a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Reflects the coordination among organizational entities responsible for information security; and (PM-1a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Develops and disseminates an organization-wide information security program plan that: (PM-1a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and (PM-1a.3., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Licensees must develop and maintain implementation procedures and written policies for implementing the cyber security plan. These plans and procedures do not need to be submitted to the Nuclear Regulatory Commission for approval, but are subject to inspection by the Commission on a periodic basis. (§ 73.54(f), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • Documentation should exist and should cover the following: each program's significance; the type of processing performed; the specific software on and hardware composing the system; access control programs; networks the system is connected to; key staff information; changes since the last evaluation… (Pg 34, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Information Security Program. Each national bank or Federal savings association shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the national bank or Federal savings associa… (§ II. A., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Bank management should ensure that policies, procedures, and systems are current and well-documented. (¶ 35, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • The auditor should evaluate management's documentation of its assessment to ensure it includes the following: the five components of internal control over financial reporting; the flow of information; controls designed to detect or prevent fraud; how "transactions are initiated, authorized, recorded… (¶ 42, PCAOB Auditing Standard No. 2)
  • The auditor should prepare documentation for each audit that he/she conducts. The documentation should provide sufficient detail on the purpose and the conclusions of the audit. (¶ 4, PCAOB Auditing Standard No. 3)
  • Develop and maintain a cyber/Supervisory Control and Data Acquisition (SCADA) security plan, or incorporate cyber/SCADA security measures in the corporate security plan; (2 ¶ 1 Bullet 5, Pipeline Security Guidelines)
  • Establish and maintain a cyber-incident response capability. (Table 2: Response Planning Baseline Security Measures Cell 2, Pipeline Security Guidelines)
  • Establish and distribute cybersecurity policies, plans, processes and supporting procedures commensurate with the current regulatory, risk, legal and operational environment. (Table 2: Governance Environment Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Develop an operational framework to ensure coordination, communication and accountability for information security on and between the control systems and enterprise networks. (Table 2: Risk Management Strategy Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Airports are required to develop an air transportation security program. The security program must provide a law enforcement presence for the protection of passengers. (§ 44903(c)(1), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • All agencies shall implement and maintain a security program for support systems and major applications to assure that all information collected, processed, transmitted, stored, or disseminated has adequate security. The security program shall implement standards, procedures, and policies that are c… (§ A.3, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Commensurate with the size and complexity of the licensee, the nature and scope of the activities of the licensee, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the possession, custody, or control of the licensee, each… (Section 27-62-4(a), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Require the executive management of the licensee or its delegates to develop, implement, and maintain the information security program of the licensee. (Section 27-62-4(e)(1), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modifi… (§ 1798.81.5(b), California Civil Code Title 1.81 Customer Records § 1798.80-1798.84)
  • Not later than October 1, 2017, each company shall implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company. Such security program shall be in writing and contain administrative,… (§ 38a-999b(b)(1), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • the size, scope and type of business of such company, (§ 38a-999b(b)(1)(A), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • the amount of data compiled or maintained by such company, and (§ 38a-999b(b)(1)(C), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • the need for security and confidentiality of such data. (§ 38a-999b(b)(1)(D), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Each company shall update such security program as often as necessary and practicable but at least annually and shall include in such security program: (§ 38a-999b(b)(2), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Any other safeguards the company believes will enhance its comprehensive information security program. (§ 38a-999b(b)(2)(L), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Implementation of an information security program. Except as provided in subdivision (10) of this subsection, each licensee shall, not later than October 1, 2020, develop, implement and maintain a comprehensive written information security program that is based on the licensee's risk assessment and … (Part VI(c)(1), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Require the licensee's executive management or its delegates to develop, implement and maintain such licensee's information security program. (Part VI(c)(5)(A), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Implement and maintain a comprehensive data-security program for the protection of confidential information. The safeguards contained in such program shall be consistent with and comply with the safeguards for protection of confidential information as set forth in all applicable federal and state la… (¶ 4e-70(b)(2), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • A licensee shall develop, implement, and maintain a comprehensive, written information security program that is based on the licensee's risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system. (§ 8604.(a)(1), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • An information security program under this section must be commensurate with the size and complexity of a licensee; the nature and scope of a licensee's activities, including the licensee's use of a third-party service provider; and the sensitivity of the nonpublic information that the licensee uses… (§ 8604.(a)(2), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program. (§ 8604.(e)(1), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Implementation of an information security program. Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the license… (§431:3B-201, Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program; (§431:3B-204(1), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • A licensee shall develop, implement, and maintain a comprehensive, written information security program that: (Sec. 16.(a), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • If the licensee has a board of directors, the board of directors shall require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program. (Sec. 19.(a), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Commensurate with the size and complexity of a licensee, the nature and scope of a licensee’s activities including the licensee’s use of third-party service providers, and the sensitivity of nonpublic information used by the licensee or that is in the licensee’s possession, custody, or control… (507F.4 1.a., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Develop, implement, and maintain an information security program as described in subsections 1 and 2. (507F.4 4.a., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Develop, implement, and maintain the licensee’s information security program. (507F.4 5.a.(1), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • A licensee shall monitor, evaluate, and adjust the licensee’s information security program consistent with relevant changes in technology, the sensitivity of the licensee’s nonpublic information, changes to the licensee’s information systems, internal or external threats to the licensee’s no… (507F.4 6., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • A licensee shall develop, implement, and maintain a comprehensive, written information security program which satisfies all of the following criteria: (§2504.A., Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Size and complexity of the licensee. (§2504.A.(3)(a), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Nature and scope of the licensee's activities including its use of third-party service providers. (§2504.A.(3)(b), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Develop, implement, and maintain the licensee's information security program. (§2504.E.(1), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Develop, implement and maintain the licensee's information security program; and (§2264 5.A., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Implementation of information security program. Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of 3rd-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's p… (§2264 1., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program. (Sec. 555.(5)(a), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee … (Sec. 555.(1), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • Implementation of an information security program. Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the license… (§ 60A.9851 Subdivision 1, Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program; (§ 60A.9851 Subdivision 5(1), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee’s possession, custody or control, each licens… (§ 83-5-807 (1), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Require the licensee’s executive management or its delegates to develop, implement and maintain the licensee’s information security program; (§ 83-5-807 (5)(a), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. The controller or processor must, when applicable, consider the nature and purpose of the collection, use, or retention of the personal data collected, used, or retained pursuant to subs… (§ Section 11. (6)(b), Montana Consumer Data Privacy Act 2023)
  • To protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebr… (§ 87-808(1), Nebraska Revised Statutes, Sections 87-801 thru 87-807, Data Protection and Consumer Notification of Data Security Breach Act of 2006)
  • Implementation of the program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possessi… (§ 420-P:4 I., New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program. (§ 420-P:4 V.(a), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • A person that owns or licenses personal identifying information of a New Mexico resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, … (57-12C-4 ¶ 1, 2017 New Mexico Statutes Chapter 57 - Trade Practices and Regulations Article 12C - Data Breach Notification Section 57-12C-1)
  • Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems. (500.02 Cybersecurity Program (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • A Covered Entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the Covered Entity. (§ 500.02 Cybersecurity Program (c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • A covered entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the covered entity. (§ 500.2 Cybersecurity Program (d), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Each covered entity shall implement and maintain a written policy or policies, approved at least annually by a senior officer or the covered entity's senior governing body for the protection of its information systems and nonpublic information stored on those information systems. Procedures shall be… (§ 500.3 Cybersecurity Policy, New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity's information systems and nonpublic information stored on those information systems. (§ 500.2 Cybersecurity Program (a), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • implements a data security program that includes the following: (§ 899-bb. 2(b)(ii), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • A small business as defined in paragraph (c) of subdivision one of this section complies with subparagraph (ii) of paragraph (b) of subdivision two of this section if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for … (§ 899-bb. 2(c), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including the licensee's use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, eac… (26.1-02.2-03. 1., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Require the licensee's executive management or the licensee's delegates to develop, implement, and maintain the licensee's information security program. (26.1-02.2-03. 5.a., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment. The program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities including its use of th… (Section 3965.02 (A), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • Require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program; (Section 3965.02 (E)(1), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee … (SECTION 38-99-20. (A), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program; and (SECTION 38-99-20. (E)(1)(a), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Commensurate with the size and complexity of the licensee and the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by or in the possession, custody, or control of the licensee, each licensee shall develop, i… (§ 56-2-1004 (1), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Require the licensee's executive management or delegates to develop, implement, and maintain the licensee's information security program; (§ 56-2-1004 (5)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. (PL-2(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Protect the security and confidentiality of nonpublic information and the security of the information system; (§ 38.2-623.B.1., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Commensurate with the size and complexity of the licensee; the nature and scope of the licensee's activities, including its use of third-party service providers; and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee … (§ 38.2-623.A., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Each licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee's own changing business arrangements, su… (§ 38.2-623.F., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • If a licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum, require the licensee's information executive management or its delegates to (i) develop, implement, and maintain the licensee's information security program and (ii) report in writing (a) … (§ 38.2-623.D.1., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Implementation of program. No later than November 1, 2022, a licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment under sub. (2) and consistent with the conditions of sub. (3) (a). The program shall contain admin… (§ 601.952(1), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • Require the licensee's executive management to develop, implement, and maintain the information security program under sub. (1). (§ 601.952(7)(a), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • Controllers and processors, within the scope of their competences, concerning processing of personal data, individually or in associations, may formulate rules for good practice and governance that set forth conditions of organization, a regime of operation, procedures, including for complaints and … (Art. 50, Brazilian Law No. 13709, of August 14, 2018)