Establish, implement, and maintain a system security plan.


CONTROL ID: 01922
CONTROL TYPE: Testing
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk monitoring program., CC ID: 00658

This Control has the following implementation support Control(s):
  • Include a system description in the system security plan., CC ID: 16467
  • Include a description of the operational context in the system security plan., CC ID: 14301
  • Include the results of the security categorization in the system security plan., CC ID: 14281
  • Include the information types in the system security plan., CC ID: 14696
  • Include the security requirements in the system security plan., CC ID: 14274
  • Include threats in the system security plan., CC ID: 14693
  • Include network diagrams in the system security plan., CC ID: 14273
  • Include roles and responsibilities in the system security plan., CC ID: 14682
  • Include the results of the privacy risk assessment in the system security plan., CC ID: 14676
  • Include remote access methods in the system security plan., CC ID: 16441
  • Disseminate and communicate the system security plan to interested personnel and affected parties., CC ID: 14275
  • Include a description of the operational environment in the system security plan., CC ID: 14272
  • Include the security categorizations and rationale in the system security plan., CC ID: 14270
  • Include the authorization boundary in the system security plan., CC ID: 14257
  • Align the enterprise architecture with the system security plan., CC ID: 14255
  • Include security controls in the system security plan., CC ID: 14239
  • Create specific test plans to test each system component., CC ID: 00661
  • Approve the system security plan., CC ID: 14241
  • Adhere to the system security plan., CC ID: 11640
  • Validate all testing assumptions in the test plans., CC ID: 00663


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is necessary to formulate the medium- to long-term system plans in such a way that they are consistent with a part or whole of the medium- to long-term management plan, considering the personnel and management resources required to implement the plan, and obtain the approval of management. (C2.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Especially in the computer center and other departments responsible for operation and management of computer equipment and other system resources, crime prevention organization should focus on the significance of the resources. (C11.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Given that today's banking is largely dependent on IT systems and since most of the internal processing requirements of banks are electronic, it is essential that adequate security systems are fully integrated into the IT systems of banks. It would be optimal to classify these based on the risk anal… (Boards of Directors/Senior Management ¶ 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. (Article 45(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Systems have a system security plan that includes a description of the system and an annex that covers both security controls from this document (based on the system's classification, functionality and technologies) and any additional security controls that have been identified for the system. (Security Control: 0041; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Systems have a system security plan that includes a description of the system and an annex that covers both applicable controls from this document and any additional controls that have been identified. (Control: ISM-0041; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Systems have a system security plan that includes a description of the system and an annex that covers both applicable controls from this document and any additional controls that have been identified. (Control: ISM-0041; Revision: 5, Australian Government Information Security Manual, September 2023)
  • The organization must ensure that each system is covered by a System Security Plan. (Control: 0041, Australian Government Information Security Manual: Controls)
  • The assessor must review the System Security Plan to ensure that all the relevant controls from this manual are included. (Control: 0802, Australian Government Information Security Manual: Controls)
  • policies on risk analysis and information system security; (Article 21 2(a), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • A security concept must be drawn up in order to achieve the set security objectives. For greater clarity, a separate chapter has been provided to explain how a security concept can be planned and implemented and how the level of information security can be maintained and improved. The results of the… (§ 7.3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The management level must define the security objectives knowing all of the relevant framework conditions, the environmental analysis, and based on the business objectives of the company or the role of the government agency and must create the prerequisites for their implementation. The approach is … (§ 7 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • In order to maintain the level of security, the security safeguards identified as being appropriate must be applied on the one hand and, on the other hand, the security concept must be updated continuously. Furthermore, security incidents must be detected in due time and quick and appropriate reacti… (§ 8.3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • In the case of changes to routine operation (e.g. the introduction of new business processes, modifications to the organisation, or introduction of new IT systems), the security concept and its associated documents (such as a list of the spheres of responsibility or a list of the IT systems) must be… (§ 8.3 Subsection 1 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Achieving and/or maintaining an appropriate and sufficient level of information security in the organisation requires a planned approach on the one hand and an adequate organisational structure on the other hand. Furthermore, it is required to define security objectives and a strategy for achieving … (§ 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • When delimiting the scope, not only the technical, but also organisational aspects should be considered so that the responsibility and competences can be clearly defined. In any case it should be clear which information, specialised tasks or business processes are explicitly considered in the securi… (§ 3.3.4 ¶ 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • It must be ensured that all documentations are kept up-to-date. For this, the documentation must be involved in the change process. (§ 5.2.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Basic requirements accompanying the implementation: It is particularly important to design basic requirements accompanying the implementation, e.g. training, in advance and to include them when planning the implementation. (§ 6.4 ¶ 2 Bullet 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Reviewing the results of the study: As a first step, the missing or only partially fulfilled basic requirements should be evaluated in an overall view. (§ 6.4 ¶ 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Specification of the tasks and responsibilities: The persons and the time for fulfilment of the basic requirements must be specified. (§ 6.4 ¶ 2 Bullet 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Basic Protection is an IT-Grundschutz approach for entry to be able to identify and implement the most important security recommendations for the selected field of use in a timely manner, respectively. Thus, the objective is to create a complete security concept in accordance with Standard Protectio… (§ 6.5 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Determining the implementation order of the basic requirements: If the existing budget or staffing resources are not sufficient to be able to implement all the missing basic requirements immediately, the order in which these requirements will be implemented must be determined. (§ 6.4 ¶ 2 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The security concept for the organisation will be drawn up after initiating an information security process, identifying the essential framework conditions as well as the processes, applications and IT systems to be protected and selecting an approach. For such purpose, organisational, personnel- re… (§ 7 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In case of the IT-Grundschutz Check to be employed here for Basic Protection, only the basic requirements must be fulfilled. In case of a standard or Core Protection, a separate IT-Grundschutz Check that also includes the standard requirements of the corresponding modules is to be performed within s… (§ 6.3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • After implementing Basic Protection, it should be decided promptly when to start with the required process of improvement. Depending on the security requirements and the available resources it should be decided whether the next step should include drawing up of a security concept according to the St… (§ 6.5 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • First, the area for which the security concept should be drawn up and implemented must be defined. This area comprises, amongst others, all (partial) business processes, applications, IT systems, infrastructures required for processing the particularly critical business processes and information. Th… (§ 7.2 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • When stipulating the limit between "normal" and "high", the fact that the IT-Grundschutz basic and standard security safeguards measures should be adequate for normal protection requirements should be considered. The stipulations made are to be appropriately documented in the security concept becaus… (§ 8.2.1 ¶ 12, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • For defining the protection needs in the various areas of an information domain, first the protection needs of the business processes and the relevant information must be determined. Based on this, the protection needs of the individual applications, IT systems, ICS and other devices, rooms and comm… (§ 8.2.3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to define the protection needs of an IT system, the applications that directly relate to the IT system must be considered first. A summary of the applications that are relevant for the various IT systems has been determined within the scope of the structure analysis (see Section 8.1). The … (§ 8.2.4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Now, for drawing up of a security concept or for an audit, the individual requirements must be processed and suitable security safeguards must be formulated based on this. (§ 8.3.6 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The safeguards proposed in the implementation recommendations also should be adapted to the relevant framework conditions of an organisation. For example, it can be reasonable (§ 8.3.6 ¶ 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If security requirements are included or changed additionally, this must be documented in the security concept. This also simplifies performance of the IT-Grundschutz Check. (§ 8.3.6 ¶ 9, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • When selecting and adapting the security safeguards based on the requirements, it must be observed that they should always be appropriate. Appropriate means: (§ 8.3.6 ¶ 10, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The essential security requirements must be fulfilled early and corresponding security safeguards must be implemented to cover basic risks and establish holistic information security. Thus, IT-Grundschutz proposes an order for the modules to be implemented. (§ 8.3.3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Carefully read security requirements of the identified modules and determine relevant security safeguards on such basis (§ 8.3.7 Subsection 1 Bullet 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Check whether the security safeguards have been accepted and improve if necessary (§ 10.3 Subsection 1 Bullet 6, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Consolidate security safeguards, i.e. delete unnecessary safeguards, adapt general safeguards to the particular situation, and check all safeguards for suitability (§ 9.5 Subsection 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The requirements of the IT-Grundschutz modules to be fulfilled must be specified for security safeguards based on the organisational and technical situation of the organisation. The implementation recommendations of IT-Grundschutz provide practical recommendations for many modules and requirements. … (§ 9.1 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to be able subsequently to understand how the concrete list of safeguards was drawn up and refined, this should be suitably documented. (§ 9.1 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Basically, the safeguards derived from the basic requirements must be implemented at first, followed by the standard requirements. The additional safeguards for increased protection needs should only be adapted and implemented subsequently. (§ 9.3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The decision on which security safeguards to undertake or initially delay and where residual risks can be accepted should be documented carefully for legal reasons. In case of doubt, additional opinions should be surveyed and these opinions should be documented as well to prove the duty to take good… (§ 9.3 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Specify, provide rationale for and document implementation order of safeguards (§ 9.5 Subsection 2 Bullet 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In this regard it is necessary to ascertain whether all the safeguards initially derived from the requirements can be afforded. If there are safeguards that are not economical, alternative safeguards for fulfilling such requirements should be considered. There are many possible solutions also regard… (§ 9.2 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If additional security safeguards must be added to the security safeguards already described in the security concept when treating the remaining threats, the security concept must subsequently be consolidated. Specifically, this means checking the security safeguards for each target object using the… (§ 7 ¶ 1, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • These supplemental security safeguards must be documented and earmarked. The risks are monitored, and as soon as they are no longer acceptable, the earmarked supplemental security safeguards are checked, updated if necessary and included in the security concept. The risk classification is correspond… (§ 6.2 ¶ 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The organisation has appropriate management policies and processes in place to govern its approach to the security of network and information systems. (A1. ¶ 1, NCSC CAF guidance, 3.1)
  • You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved. (B1.b ¶ 1, NCSC CAF guidance, 3.1)
  • Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subs… (DS5.5 Security Testing, Surveillance and Monitoring, CobiT, Version 4.1)
  • An information security policy should be developed for the organization. This policy should be in accordance with the business requirements and any applicable laws and regulations. The policy should contain statements about objectives and scope; management intent; control objectives; compliance requ… (§ 5.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The governing body should ensure that the organization protects and restores those systems on which it depends. In this regard, the governing body should consider and manage risk associated with those decisions it makes that can impact the natural environmental, social and economic systems (see 6.9)… (§ 6.11.3.4 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the timelines and milestones of activities; and (§ 6.2 Guidance ¶ 5 Bullet 4, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the methods and measurements to evaluate whether the results achieve objectives, which includes timing of such evaluations. (§ 6.2 Guidance ¶ 5 Bullet 5, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from: (RC.IM-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Develops a security plan for the information system that: (PL-2a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Develops a security plan for the information system that: (PL-2a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Develops a security plan for the information system that: (PL-2a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Develops a security plan for the information system that: (PL-2a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Protect the security and confidentiality of Nonpublic Information and the security of the Information System; (Section 4.B ¶ 1(1), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Op… (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1. [Violation Risk Factor: Lower] [Time Horizon: Op… (B. R2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • All organizations subject to OMB Circular A-130 are required to have a Security Plan. All such organizations must modify their Security Plan to detail the methodologies and protective measures if they decide to use the Internet for transmittal of HCFA Privacy Act-protected and/or other sensitive HCF… (§ 8 ¶ 2, HIPAA HCFA Internet Security Policy, November 1998)
  • Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate… (§ 252.204-7012(b)(3), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (CA.2.157, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (CA.2.157, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (CA.2.157, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (CA.2.157, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (CA.L2-3.12.4 System Security Plan, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Uses security controls. (App A Objective 13:6h Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Safeguards systems against security threats and employs IAM, configuration management, and log monitoring. (App A Objective 13:6c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Mainframe controls, if applicable, to address unique risks associated with mainframes. (V Action Summary ¶ 2 Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Develops a security plan for the information system that: (PL-2a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops a security plan for the information system that: (PL-2a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops a security plan for the information system that: (PL-2a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the security plan for the information system [FedRAMP Assignment: at least annually]; (PL-2c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the security plan for the information system [FedRAMP Assignment: at least annually]; (PL-2c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews the security plan for the information system [FedRAMP Assignment: at least annually]; (PL-2c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develop security and privacy plans for the system that: (PL-2a., FedRAMP Security Controls High Baseline, Version 5)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., FedRAMP Security Controls High Baseline, Version 5)
  • Include as part of control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; per… (CA-2(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Review the plans [FedRAMP Assignment: at least annually]; (PL-2c., FedRAMP Security Controls High Baseline, Version 5)
  • Develop security and privacy plans for the system that: (PL-2a., FedRAMP Security Controls Low Baseline, Version 5)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., FedRAMP Security Controls Low Baseline, Version 5)
  • Review the plans [FedRAMP Assignment: at least annually]; (PL-2c., FedRAMP Security Controls Low Baseline, Version 5)
  • Develop security and privacy plans for the system that: (PL-2a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Review the plans [FedRAMP Assignment: at least annually]; (PL-2c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop security and privacy plans for the system that: (PL-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop security and privacy plans for the system that: (PL-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Develop security and privacy plans for the system that: (PL-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop security and privacy plans for the system that: (PL-2a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop security and privacy plans for the system that: (PL-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Develop security and privacy plans for the system that: (PL-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop security and privacy plans for the system that: (PL-2a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develops a security plan for the information system that: (PL-2a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops a security plan for the information system that: (PL-2a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops a security plan for the information system that: (PL-2a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A security plan for an ICS should build on appropriate existing IT security experience, programs, and practices. However, the critical differences between IT and ICS addressed in Section 2.4 will influence how security will be applied to the ICS. A forward-looking plan is needed to provide a method … (§ 6.2.12 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Devise, document, and validate cyber operation strategy and planning documents. (T0672, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review and approve security plans. (T0948, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (3.12.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. (3.12.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Devise, document, and validate cyber operation strategy and planning documents. (T0672, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Review and approve security plans. (T0948, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Contribute to the development, staffing, and coordination of cyber operations policies, performance standards, plans and approval packages with appropriate internal and/or external decision makers. (T0629, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Define and/or implement policies and procedures to ensure protection of critical infrastructure as appropriate. (T0282, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develops a security plan for the information system that: (PL-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Develops a security plan for the information system that: (PL-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Develops a security plan for the information system that: (PL-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develops a security plan for the information system that: (PL-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop security and privacy plans for the system that: (PL-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review the plans [Assignment: organization-defined frequency]; (PL-2c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop security and privacy plans for the system that: (PL-2a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and (PL-2d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develops a security plan for the information system that: (PL-2a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Reviews the security plan for the information system [Assignment: organization-defined frequency]; (PL-2c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Develop a corporate security plan as described in Section 3; (2 ¶ 1 Bullet 1, Pipeline Security Guidelines)
  • § A.3.a.4: The use of each general support system shall be authorized in writing by management officials prior to beginning or making significant processing changes in the system. The authorization shall be based on the system security plan. The system shall be reauthorized at least every 3 years. … (§ A.3.a.4, § A.3.b.4, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • National security systems (NSS) store and process some of the Federal Government's most sensitive data and must be secured against a wide range of cyber and physical threats, including insider threats, cyber criminals, and the most sophisticated nation-state adversaries. The Director of the NSA, as … (STRATEGIC OBJECTIVE 1.5 Subsection 3 ¶ 1, National Cybersecurity Strategy)
  • All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior. The Administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses kn… (STRATEGIC OBJECTIVE 2.4 ¶ 2, National Cybersecurity Strategy)
  • Preserving and extending the open, free, global, interoperable, reliable, and secure Internet requires sustained engagement in standards development processes to instill our values and ensure that technical standards produce technologies that are more secure and resilient. As autocratic regimes seek… (STRATEGIC OBJECTIVE 4.1 ¶ 2, National Cybersecurity Strategy)
  • Federal civilian executive branch (FCEB) agencies are responsible for managing and securing their own IT and OT systems. With different agency structures, missions, capabilities, and resourcing FCEB cybersecurity outcomes vary. We must continue to build a model for Federal cybersecurity that balance… (STRATEGIC OBJECTIVE 1.5 Subsection 1 ¶ 1, National Cybersecurity Strategy)
  • We will build upon these successes to enable more sustained and effective disruption of adversaries. Our efforts will require greater collaboration by public and private sector partners to improve intelligence sharing, execute disruption campaigns at scale, deny adversaries use of U.S.-based infrast… (PILLAR TWO ¶ 3, National Cybersecurity Strategy)
  • Protect the security and confidentiality of nonpublic information and the security of the information system. (Section 27-62-4(b)(1), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 6-1-1304 (3)(a)(X), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • Protect the security and confidentiality of the nonpublic information and the security of the information system; (Part VI(c)(2)(A)(i), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 10 (a)(9), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • Protect the security and confidentiality of nonpublic information and the security of the information system. (§ 8604.(b)(1), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report or prosecute those responsible for any such activity. (§ 12D-110.(a)(9), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security. (§ 501.716(1)(g), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • Protect the security and confidentiality of nonpublic information and the security of the information system; (§431:3B-202(a)(1), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems. (IC 24-15-8-1(a)(7), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Protect the security and confidentiality of nonpublic information and information systems. (Sec. 16.(b)(1), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Preserve the integrity or security of systems. (§ 715D.7.1.h., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • Protect the security and confidentiality of nonpublic information and the security of the licensee’s information system. (507F.4 2.a., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Protect the security and confidentiality of nonpublic information and the security of the information system. (§2504.B.(1), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Protect the security and confidentiality of nonpublic information and the security of the licensee's information systems; (§2264 2.A., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Protect the security and confidentiality of nonpublic information and the security of the information system. (Sec. 555.(2)(a), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • protect the security and confidentiality of nonpublic information and the security of the information system; (§ 60A.9851 Subdivision 2(1), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Protect the security and confidentiality of nonpublic information and the security of the information system; (§ 83-5-807 (2)(a), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions; (§ Section 11. (1)(i), Montana Consumer Data Privacy Act)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions; (§ Section 11. (1)(i), Montana Consumer Data Privacy Act 2023)
  • Protect the security and confidentiality of nonpublic information and the security of the information system. (§ 420-P:4 II.(a), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 507-H:10 I.(i), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • systems and network security; (§ 500.03 Cybersecurity Policy (g), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • systems operations and availability concerns; (§ 500.03 Cybersecurity Policy (f), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • systems and network security and monitoring; (§ 500.3 Cybersecurity Policy (g), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • systems and application security and development and quality assurance; (§ 500.3 Cybersecurity Policy (i), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Protect the security and confidentiality of nonpublic information and the security of the information system; (26.1-02.2-03. 2.a., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Protect the security and confidentiality of nonpublic information and the security of the information system; (Section 3965.02 (B)(1), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • Preventing, detecting, protecting against or responding to, and investigating, reporting or prosecuting persons responsible for, security incidents, identity theft, fraud, harassment or malicious, deceptive or illegal activity or preserving the integrity or security of systems; (Section 2 (3)(e), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • protect the security and confidentiality of nonpublic information and the security of the information system; (SECTION 38-99-20. (B)(1), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action; (§ 47-18-3208.(a)(7), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • Protect the security and confidentiality of nonpublic information and the security of the information system; (§ 56-2-1004 (2)(A), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Develops a security plan for the information system that: (PL-2a., TX-RAMP Security Controls Baseline Level 1)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., TX-RAMP Security Controls Baseline Level 1)
  • Reviews the security plan for the information system [TX-RAMP Assignment: at least annually]; (PL-2c., TX-RAMP Security Controls Baseline Level 1)
  • Develops a security plan for the information system that: (PL-2a., TX-RAMP Security Controls Baseline Level 2)
  • Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and (PL-2d., TX-RAMP Security Controls Baseline Level 2)
  • Reviews the security plan for the information system [TX-RAMP Assignment: at least annually]; (PL-2c., TX-RAMP Security Controls Baseline Level 2)
  • preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security; (§ 541.201 (a)(7), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • preserve the integrity or security of systems; or (13-61-304 (1)(i)(i), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)
  • Protect the security and confidentiality of nonpublic information and the security of the information system; (§ 38.2-623.B.1., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)