Controls
Every control we review and report on, mapped across the standards our customers rely on. Published in plain language — no internal jargon.
CSA Cloud Controls Matrix
106 controls
Application & Interface Security
Establish, document, approve, communicate, apply, evaluate, and maintain policies and procedures for application security.
Establish, document, and maintain baseline requirements for securing different applications.
Define and implement technical and operational metrics in alignment with business objectives.
Define and implement a SDLC process for application design, development, deployment, and operation.
Implement a testing strategy, including criteria for acceptance of new information systems.
Automate deployment of applications using secure and standardized practices.
Define and implement a process to remediate application security vulnerabilities.
Audit & Assurance
Establish, document, approve, communicate, apply, evaluate, and maintain audit and assurance policies and procedures.
Conduct independent audit and assurance assessments at least annually.
Perform independent audit and assurance assessments according to risk-based plans and policies.
Verify compliance with all applicable laws, statutes, regulations, and contractual requirements.
Define and implement an audit management process to support audit planning, risk analysis, security control assessment, conclusion, remediation, and reporting.
Establish, document, approve, communicate, apply, evaluate, and maintain a risk-based corrective action plan to remediate audit findings.
Business Continuity & Operational Resilience
Establish, document, approve, communicate, apply, evaluate, and maintain business continuity policies and procedures.
Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies.
Establish strategies to reduce the impact of, withstand, and recover from business disruptions within established risk appetite.
Establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan.
Develop, identify, and acquire documentation relevant to support business continuity and operational resilience programs.
Periodically back up data stored in the cloud and store backups in a secure location.
Establish, document, approve, communicate, apply, evaluate, and maintain a disaster response plan.
Change Control & Configuration Management
Establish, document, approve, communicate, apply, evaluate, and maintain change management policies and procedures.
Follow a defined quality change control, approval, and testing process with established baselines.
Manage the risks associated with applying changes to organization assets.
Restrict the unauthorized addition, removal, update, and management of organization assets.
Include provisions limiting changes directly impacting CSC-owned environments.
Establish change management baselines for all relevant authorized changes on organization assets.
Cryptography, Encryption & Key Management
Establish, document, approve, communicate, apply, evaluate, and maintain policies and procedures for encryption and key management.
Define and document CEK roles and responsibilities.
Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
Use encryption algorithms that are appropriate for data protection, considering classification of data, risks, and sensitivity.
Establish a standard change management procedure for cryptographic keys and their associated changes.
Manage and adopt changes to cryptography-, encryption-, and key management-related systems.
Establish and maintain encryption and key management roles and responsibilities.
Rotate cryptographic keys in accordance with the calculated cryptoperiod.
Datacenter Security
Establish policies for the secure disposal of equipment used outside the organization's premises.
Establish policies and procedures for maintaining a safe and secure working environment.
Establish policies and procedures for the secure transportation of physical media.
Use equipment identification as a method for connection authentication.
Locate equipment and information assets in an area to minimize risk of unauthorized access or tampering.
Data Security & Privacy Lifecycle Management
Establish, document, approve, communicate, apply, evaluate, and maintain data security and privacy policies and procedures.
Securely dispose of data as outlined in the data lifecycle management policies and procedures.
Create and maintain a data inventory, at least for any sensitive data and personal data.
Classify data according to its type and sensitivity level.
Create and maintain data flow documentation for sensitive data to identify sources, destinations, and data uses.
Develop systems, products, and business practices based upon the principle of security by design and industry best practices.
Establish measures to protect and govern sensitive data transfers, including those with third parties.
Define and implement a process that protects sensitive data.
Governance, Risk and Compliance
Establish, document, approve, communicate, apply, evaluate, and maintain policies and procedures for governance, risk, and compliance.
Establish a formal, documented, and leadership-sponsored Enterprise Risk Management program.
Review all relevant organizational policies at least annually.
Establish a process for addressing exceptions to policies.
Develop and implement an information security program, including programs for all relevant areas.
Define and document governance roles and responsibilities across the organization.
Human Resources
Establish, document, and maintain policies and procedures for background verification.
Establish, document, and maintain a formal employment agreement process.
Define roles and responsibilities for performing employment termination.
Establish, document, approve, communicate, apply, evaluate, and maintain a security awareness training program.
Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and regulations.
Establish and maintain a clean desk policy.
Identity & Access Management
Establish, document, approve, communicate, apply, evaluate, and maintain identity and access management policies and procedures.
Establish and maintain strong password procedures.
Manage and maintain an inventory of all identities.
Employ separation of duties for access authorization.
Employ the least privilege principle for access.
Define a user access provisioning process with clear approvals.
Define, implement, and evaluate processes and procedures for the segregation of privileged access roles.
Protect the integrity of access logs through appropriate access controls.
Require multi-factor authentication for all access to sensitive data or systems.
Infrastructure & Virtualization Security
Establish, document, approve, communicate, apply, evaluate, and maintain infrastructure and virtualization security policies.
Monitor, encrypt, and restrict communications between environments to only authenticated and authorized connections.
Harden host and guest OS, hypervisors, or infrastructure control plane.
Implement defense in depth at the network level, using techniques such as segmentation and micro-segmentation.
Establish, document, approve, communicate, apply, and maintain network architecture documentation.
Interoperability & Portability
Establish, document, approve, communicate, apply, evaluate, and maintain interoperability and portability policies.
Provide application programming interfaces (APIs) to ensure the availability of application interfaces.
Implement cryptographically secure and standardized network protocols.
Logging & Monitoring
Establish, document, approve, communicate, apply, evaluate, and maintain policies for logging and monitoring.
Identify and monitor security-related events and incidents.
Monitor security audit logs to detect activity outside of typical or expected patterns.
Ensure reliable time synchronization between all relevant systems.
Define and implement requirements for audit log events.
Secure audit logs and event data.
Security Incident Management, E-Discovery, & Forensics
Establish, document, approve, communicate, apply, evaluate, and maintain policies for security incident management.
Establish policies for incident response.
Establish and maintain an Incident Response Plan.
Test and update Incident Response Plans at planned intervals.
Establish and monitor information security event metrics.
Establish incident response communication capabilities.
Supply Chain Management, Transparency & Accountability
Establish, document, approve, communicate, apply, evaluate, and maintain supply chain security management policies.
Develop supply-chain security and risk management guidance.
Establish supply chain agreements with third parties.
Review supply chain agreements at least annually.
Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.
Supply chain agreements should address cybersecurity and include relevant security and data protection requirements.
Threat & Vulnerability Management
Establish, document, approve, communicate, apply, evaluate, and maintain threat and vulnerability management policies.
Establish anti-malware policy and measures.
Define and implement a vulnerability remediation schedule based on risk.
Identify and track security vulnerabilities in applicable systems.
Prioritize remediation based on risk and asset criticality.
Establish, monitor, and report on vulnerability management metrics.
Universal Endpoint Management
Establish, document, approve, communicate, apply, evaluate, and maintain policies for managing endpoints.
Define and implement a process to maintain compatibility with regulatory or legal requirements.
Configure endpoints to enforce automatic lock-screen policies.
Manage changes to endpoint operating systems, patch levels, and applications through a centralized change management system.
Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
Enable the ability to remotely locate lost or stolen endpoint devices.