- Standard
- "ISO 17799:2005 / ISO 27002:2005"
- FIPS 200/FISMA 800-53
- ISACA COBIT
- "Sarbanes-Oxley COSO"
- "HIPAA Requirements"
- "Payment Card Industry Data Security Standards"
- GLBA 21 CFR Part 11
| Standard | ISO 17799:2005
/ ISO 27002:2005 |
FIPS 200/FISMA 800-53 |
| Sections | SECTION: 4 - Risk Assessment and Treatment | |
| 4.1 | 4.1 Assessing Security Risks Identify, quantify, and prioritize risks against criteria for risk acceptance relevant to the organization |
Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information. |
| 4.2 | 4.2 Treating Security Risks Determine risk treatment options: Apply appropriate controls, accept risks, avoid risks or transfer risk to other parties |
Certification, Accreditation, and Security Assessments (CA): Organizations must: (I) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
| SECTION: 5 - Security Policy | ||
| 5.1 | 5.1 Information Security Policy An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals |
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems. Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. |
| SECTION: 6 - Organization of Information Security | ||
| 6.1 | 6.1 Internal Organization A management framework should be established to initiate and control the implementation of information security within the organization |
See PL |
| 6.2 | 6.2 External Parties To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties |
|
| SECTION: 7 - Asset Management | ||
| 7.1 | 7.1 Responsibility for Assets All assets should be accounted for and have a nominated owner |
Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems. |
| 7.2 | 7.2 Information Classification Information should be classified to indicate the need, priorities and expected degree of protection |
See RA |
| SECTION: 8 - Human Resources Security | ||
| 8.1 | 8.1 Prior to Employment To ensure that employees, contractors and third party users understand responsibilities, and are suitable for their roles |
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. |
| 8.2 | 8.2 During Employment To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work |
See PS |
| 8.3 | 8.3 Termination or Change of Employment To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner |
See PS |
| SECTION: 9 -Physical and Environmental Security | ||
| 9.1 | 9.1 Secure Areas To prevent unauthorized physical access, damage, and interference to the organization’s premises and information |
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. |
| 9.2 | 9.2 Equipment Security To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities |
See PE |
| SECTION: 10 - Communications and Operations Management | ||
| 10.1 | 10.1 Operational Procedures and Responsibilities To ensure the correct and secure operation of information processing facilities including segregation of duties and change management functions |
System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. See |
| 10.2 | 10.2 Third Party Service Delivery Management To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements |
See SA |
| 10.3 | 10.3 System Planning and Acceptance To minimize the risk of systems failures |
See MA |
| 10.4 | 10.4 Protection Against Malicious and Mobile Code Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code |
Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. |
| 10.5 | 10.5 Back-up Routine procedures for implementing the back-up policy and strategy |
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. |
| 10.6 | 10.6 Network Security Management To ensure the protection of information in networks and the protection of the supporting infrastructure |
|
| 10.7 | 10.7 Media Handling To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities |
Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. |
| 10.8 | 10.8 Exchange of Information To maintain the security of information and software exchanged within an organization and with any external entity |
See MP |
| 10.9 | 10.9 Electronic Commerce Services To ensure the security of electronic commerce services, and their secure use. |
|
| 10.1 | 10.10 Monitoring To detect unauthorized information processing activities including review of operator logs and fault logging |
|
| SECTION: 11 - Access Control | ||
| 11.1 | 11.1 Business Requirement for Access Control Establish, document and review access control policies and rules |
Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. |
| 11.2 | 11.2 User Access Management Formal procedures to control the allocation of access rights to information systems and services |
Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
| 11.3 | 11.3 User Responsibilities User awareness, particularly with the use of passwords and the security of equipment |
Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. |
| 11.4 | 11.4 Network Access Control Ensure that appropriate interfaces and authentication mechanisms to networked services are in place |
|
| 11.5 | 11.5 Operating System Access Control To ensure unauthorized access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses |
See AC |
| 11.6 | 11.6 Application and Information Access Control To prevent unauthorized access to information held in application systems. |
See AC |
| 11.7 | 11.7 Mobile Computing and Teleworking
To ensure information security when using mobile computing and teleworking facilities |
|
| SECTION: 12 - Information Systems Acquisition, Development and Maintenance | ||
| 12.1 | 12.1 Security Requirements of Information Systems To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications |
System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization. |
| 12.2 | 12.2 Correct Processing in Applications To prevent errors, loss, unauthorized modification or misuse of information in applications |
|
| 12.3 | 12.3 Cryptographic Controls To protect the confidentiality, authenticity or integrity of information by cryptographic means. |
|
| 12.4 | 12.4 Security of System Files To ensure security of system files |
|
| 12.5 | 12.5 Security in Development and Support Processes Project and support environments should be strictly controlled |
|
| 12.6 | 12.6 Technical Vulnerability Management To reduce risks resulting from exploitation of published technical vulnerabilities |
System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. |
| SECTION: 13 - Information Security Incident Management | ||
| 13.1 | 13.1 Reporting Information Security Events and Weaknesses To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken |
Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities. |
| 13.2 | 13.2 Management of Information Security Incidents and
Improvements To ensure a consistent and effective approach is applied to the management of information security incidents |
See IR |
| SECTION: 14 - Business Continuity Management | ||
| 14.1 | 14.1 Information Security Aspects of Business Continuity
Management To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters and to ensure their timely resumption |
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. |
| SECTION: 15 - Compliance | ||
| 15.1 | 15.1 Compliance with Legal Requirements To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements |
|
| 15.2 | 15.2 Compliance with Security Policies and Standards, and
Technical Compliance To ensure compliance of systems with organizational security policies and standards |
|
| 15.3 | 15.3 Information Systems Audit Considerations To maximize the effectiveness of and to minimize interference to/from the information systems audit process |
Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. |
| Standard | ISACA COBIT | Sarbanes-Oxley COSO |
| Sections | ||
| 4.1 | Plan and Organize: * PO9 Assess and Manage IT Risks Monitor and Evaluate: * ME3 Ensure Regulatory Compliance * ME4 Provide IT Governance " |
*
Risk Assessment * Objective Setting * Event Identification |
| 4.2 | Plan and Organize: * PO9 Assess and Manage IT Risks Monitor and Evaluate: * ME1 Monitor and Evaluate IT Performance * ME2 Monitor and Evaluate Internal Controls |
*
Risk Response * Event Identification |
| 5.1 | Plan and Organize: * PO1 Define a Strategic IT Plan * PO4 Define the IT Processes, Organization and Relationships * PO6 Communication Management Aims and Direction * PO7 Manage IT Human Resources |
*
Internal Environment * Objective Setting * Risk Assessment |
| 6.1 | Deliver and Support: * DS5 Ensure System Security |
*
Internal Environment * Control Activities * Information and Communication |
| 6.2 | Plan and Organize: * PO8 Manage Quality Deliver and Support: * DS1 Define and Manage Service Levels * DS2 Manage Third-Party Services * DS5 Ensure Systems Security |
*
Internal Environment * Risk Assessment * Control Activities * Information and Communication * Monitoring |
| 7.1 | Plan and Organize: * PO4 Define the IT Processes |
* Control Activities |
| 7.2 | Plan and Organize: * PO2 Define the Information Architecture * PO9 Assess and Manage IT Risks Deliver and Support: * DS5 Ensure Systems Security |
*
Risk Assessment * Event Identification |
| 8.1 | Plan and Organize: * PO7 Manage IT Human Resources Deliver and Support: * DS12 Manage the Physical Environment |
*
Internal Environment * Control Activities * Information and Communication |
| 8.2 | Plan and Organize: * PO7 Manage IT Human Resources Deliver and Support: * DS7 Educate and Train Users |
*
Internal Environment * Control Activities * Information and Communication |
| 8.3 | Plan and Organize: * PO4 Define the IT Processes, Organization and Relationships * PO7 Manage IT Human Resources |
N/A |
| 9.1 | Deliver and Support: * DS5 Ensure Systems Security * DS11 Manage Data * DS12 Manage the Physical Environment |
*
Control Activities * Information and Communication * Monitoring |
| 9.2 | Deliver and Support: * DS12 Manage the Physical Environment |
*
Control Activities * Information and Communication |
| 10.1 | Plan and Organize: * PO4 Define the IT Processes, Organization and Relationships Acquire and Implement: * AI6 Manage Changes Deliver and Support: * DS4 Ensure Continuous Service * DS13 Manage Operations |
*
Internal Environment * Risk Response * Control Activities * Monitoring |
| 10.2 | Plan and Organize: * PO4 Define the IT Processes, Organization and Relationships * PO8 Manage Quality * PO10 Manage Projects Deliver and Support: * DS1 Define and Manage Service Levels * DS4 Manage Third-Party Services |
*
Internal Environment * Control Activities |
| 10.3 | Deliver and Support: * DS3 Mange Performance and Capacity * DS4 Ensure Continuous Service |
*
Control Activities * Monitoring |
| 10.4 | Deliver and Support: * DS5 Ensure Systems Security * DS8 Manage Service Desk and Incidents * DS9 Manage the Configuration * DS10 Manage Problems |
*
Control Activities * Event Identification * Information and Communication |
| 10.5 | Deliver and Support: * DS4 Ensure Continuous Service * DS11 Manage Data |
*
Event Identification * Control Activities * Monitoring |
| 10.6 | Deliver and Support: * DS5 Ensure Systems Security |
*
Risk Assessment * Control Activities * Monitoring |
| 10.7 | Deliver and Support: * DS11 Manage Data |
*
Control Activities * Information and Communication |
| 10.8 | Deliver and Support: * DS5 Ensure Systems Security |
*
Risk Assessment * Risk Response * Control Activities * Information and Communication * Monitoring |
| 10.9 | Deliver and Support: * DS5 Ensure Systems Security |
*
Event Identification * Control Activities |
| 10.1 | Deliver and Support: * DS5 Ensure Systems Security Monitor and Evaluate: * ME1 Monitor and Evaluate IT Performance * ME2 Monitor and Evaluate Internal Control |
*
Control Activities * Monitoring |
| 11.1 | Deliver and Support: * DS5 Ensure Systems Security |
*
Internal Environment * Control Activities |
| 11.2 | Deliver and Support: * DS5 Ensure Systems Security |
*
Control Activities * Monitoring |
| 11.3 | Deliver and Support: * DS5 Ensure Systems Security |
*
Internal Environment * Control Activities |
| 11.4 | Deliver and Support: * DS5 Ensure Systems Security |
*
Internal Environment * Control Activities * Monitoring |
| 11.5 | Deliver and Support: * DS5 Ensure Systems Security |
*
Internal Environment * Control Activities * Monitoring |
| 11.6 | Deliver and Support: * DS5 Ensure Systems Security |
*
Control Activities * Monitoring |
| 11.7 | Deliver and Support: * DS5 Ensure Systems Security |
*
Internal Environment * Control Activities * Monitoring |
| 12.1 | Acquire and Implement: * A12 Acquire and Maintain Application Software * A13 Acquire and Maintain Technology Infrastructure |
*
Control Activities * Monitoring |
| 12.2 | Acquire and Implement: * A12 Acquire and Maintain Application Software |
* Control Activities |
| 12.3 | Deliver and Support: * DS5 Ensure Systems Security |
*
Control Activities * Monitoring |
| 12.4 | Acquire and Implement: * A16 Manage Changes Deliver and Support: * DS5 Ensure Systems Security |
*
Control Activities * Information and Communication * Monitoring |
| 12.5 | Acquire and Implement: * A16 Manage Changes Deliver and Support: * DS5 Ensure Systems Security |
*
Control Activities * Monitoring |
| 12.6 | Plan and Organize: * PO9 Assess and Manage IT Risks Deliver and Support: * DS2 Manage Third-Party Services * DS4 Ensure Continuous Service * DS5 Ensure Systems Security * DS9 Manage the Configuration Monitor and Evaluate: * ME1 Monitor and Evaluate IT Performance |
N/A |
| 13.1 | Deliver and Support: * DS5 Ensure Systems Security * DS8 Manage Service Desk and Incidents * DS10 Manage Problems Monitor and Evaluate: * ME1 Monitor and Evaluate IT Performance * ME2 Monitor and Evaluate Internal Control |
N/A |
| 13.2 | Deliver and Support: * DS5 Ensure Systems Security * DS8 Manage Service Desk and Incidents * DS10 Manage Problems Monitor and Evaluate: * ME1 Monitor and Evaluate IT Performance * ME2 Monitor and Evaluate Internal Control |
N/A |
| 14.1 | Deliver and Support: * DS4 Ensure Continuous Service * DS10 Manage Problems * DS11 Manage Data |
*
Event Identification * Risk Response * Control Activities * Information and Communication * Monitoring |
| 15.1 | Monitor and Evaluate: * ME3 Ensure Regulatory Compliance * ME4 Provide IT Governance |
*
Internal Environment * Event Identification * Risk Assessment * Control Activities * Information and Communication * Monitoring |
| 15.2 | Acquire and Implement: * AI7 Install and Accredit Solutions and Changes Monitor and Evaluate: * ME1 Monitor and Evaluate IT Performance * ME2 Monitor and Evaluate Internal Control * ME4 Provide IT Governance |
*
Internal Environment * Control Activities * Monitoring |
| 15.3 | Monitor and Evaluate: * ME1 Monitor and Evaluate IT Performance * ME2 Monitor and Evaluate Internal Control * ME4 Provide IT Governance |
* Monitoring |
| Standard | HIPAA Requirements |
Payment
Card Industry Data Security Standards |
| Sections | ||
| 4.1 | Security Standard: a) 1. Risk Analysis (R) |
N/A |
| 4.2 | Security Standard: a) 1. Risk Management (R) |
N/A |
| 5.1 | Security Standard: a) 1. Sanction Policy (R) a) 2. Assigned Security Responsibility (R) |
Maintain and Information Security Policy: 12. Maintain a policy that addresses information security |
| 6.1 | Security Standard: a) 1. Information System Activity Review (R) a) 2. Assigned Security Responsibility (R) |
Maintain and Information Security Policy: 12. Maintain a policy that addresses information security |
| 6.2 | Security Standard: b) 1. Written Contract or Other Arrangement (R) |
Maintain and Information Security Policy: 12. Maintain a policy that addresses information security |
| 7.1 | Physical Standard: d) 2. Device and Media Controls – Accountability (A) |
N/A |
| 7.2 | Security Standard: a) 1. Risk Analysis (R) a) 1. Risk Management (R) |
N/A |
| 8.1 | Security Standard: a) 1. Sanction Policy (R) a) 3. Authorization and/or Supervision (A) a) 3. Workforce Clearance Procedure (A) a) 5. Security Reminders (A) |
Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access Maintain an Information Security Policy: 12. Maintain a policy that addresses information security |
| 8.2 | Security Standard: a) 5. Security Reminders (A) |
Maintain an Information Security Policy: 12. Maintain a policy that addresses information security |
| 8.3 | Security Standard: a) 3. Termination Procedures (A) |
Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access |
| 9.1 | Security Standard: a) 3. Authorization and/or Supervision (A) a) 3. Workforce Clearance Procedure (A) Physical Standard: a) 1. Facility Access Control a) 2. Facility Security Plan a) 2. Access Control and Validation Procedures (A) |
Implement Strong Access Control Measures: 9. Restrict physical access to cardholder data |
| 9.2 | Physical Standard: a) 1. Facility Access Control b) Workstation Use (R) c) Workstation Security d) 1. Device and Media Controls – Disposal (R) d) 2. Media Re-use (R) d) 2. Device and Media Controls – Accountability (A) |
Implement Strong Access Control Measures: 9. Restrict physical access to cardholder data |
| 10.1 | Security Standard: a) 1. Information System Activity Review (R) a) 1. Sanction Policy (R) a) 2. Assigned Security Responsibility (R) b) 1. Written Contract or Other Arrangement (R) a) 6. Response and Reporting (R) Physical Standard: a) 2. Contingency Operations (R) |
N/A |
| 10.2 | Security Standard: b) 1. Written Contract or Other Arrangement |
Maintain an Information Security Policy: 12. Maintain a policy that addresses information security |
| 10.3 | N/A | N/A |
| 10.4 | Security Standard: a) 4. Access Establishment and Modification (A) a) 5. Protection from Malicious Software |
Maintain a Vulnerability Management Program: 5. Use and regularly update anti-virus software |
| 10.5 | Security Standard: a) 7. Data Backup Plan (R) a) 7. Disaster Recovery Plan (R) a) 7. Emergency Mode Operation Plan (R) a) 7. Testing And Revision Procedure (A) Physical Standard: a) 2. Contingency Operations (R) a) 2. Data Backup and Storage (A) |
N/A |
| 10.6 | Technical Standard: a) 2. Encryption and Decryption (A) (e)1. Transmission Security (e)2. Integrity Controls (A) |
Build and Maintain a Secure Network: 1. Install and maintain a firewall 2. Do not use vendor-supplied defaults for system passwords and other security parameters Maintain a Vulnerability Management Program: 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications |
| 10.7 | Physical Standard: d) 1. Device and Media Controls – Disposal (R) d) 2. Media Re-use (R) d) 2. Device and Media Controls -Accountability (A) |
Protect Cardholder Data: 3. Protect stored data Implement Strong Access Control Measures: 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data |
| 10.8 | Security Standard: b) 1. Written Contract or Other Arrangement (R) Technical Standard: a) 2. Encryption and Decryption (A) (d)Person or Entity Authentication (R) (e)1. Transmission Security (e)2. Integrity Controls (A) |
Build and Maintain a Secure Network: 1. Install and maintain a firewall Protect Cardholder Data: 4. Encrypt transmissions of cardholder data and sensitive information across public networks Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access |
| 10.9 | N/A | Build and Maintain a Secure Network: 1. Install and maintain a firewall 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 4. Encrypt transmission of cardholder data and sensitive information across public networks Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications |
| 10.1 | Security Standard: a) 5. Log-In Monitoring (A) a) 1. Information System Activity Review (R) b) 8. Audit Controls (R) |
Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
| 11.1 | Security Standard: a) 4. Access Authorization (A) |
Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access Maintain an Information Security Policy: 12. Maintain a policy that addresses information security |
| 11.2 | Security Standard: a) 4. Access Authorization (A) a) 4. Access Establishment and Modification (A) a) 5. Password Management (A) Technical Standard: a) 2. Unique User Identification (R) |
Implement Strong Access Control Measures: 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access |
| 11.3 | Security Standard: a) 5. Password Management (A) Physical Standard: b) Workstation Use (R) c) Workstation Security |
Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access Maintain an Information Security Policy: 12. Maintain a policy that addresses information security |
| 11.4 | Security Standard: a) 5. Password Management (A) Technical Standard: c) 2. Mechanism to Authenticate Electronic Protected Health Information (A) d) Person or Entity Authentication (R) |
Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access |
| 11.5 | Security Standard: a) 4. Access Establishment and Modification (A) a) 5. Password Management (A) Technical Standard: a) 2. Unique User Identification (R) a) 2. Automatic Logoff (A) d) Person or Entity Authentication (R) |
Build and Maintain a Secure Network:
2. Do not use vendor-supplied defaults for system passwords Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data |
| 11.6 | Security Standard: a) 4. Access Establishment and Modification (A) a) 5. Password Management (A) Technical Standard: a) 2. Unique User Identification (R) d) Person or Entity Authentication (R) |
Build and Maintain a Secure Network: 1. Do not use vendor-supplied defaults for system passwords Maintain a Vulnerability Management System: 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access |
| 11.7 | Security Standard: a) 4. Access Establishment and Modification (A) |
Build and Maintain a Secure Network: 1. Install and maintain a firewall configuration to protect data |
| 12.1 | N/A | Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications |
| 12.2 | Technical Standard: e) 2. Transmission Security– Integrity Controls (A) |
Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications |
| 12.3 | Technical Standard: a) 2. Encryption and Decryption (A) e) 2. Transmission Security– Encryption (A) |
Protect Cardholder Data: 4. Encrypt transmission of cardholder data and sensitive information across public networks |
| 12.4 | N/A | Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| 12.5 | N/A | Maintain a Vulnerability Management Program: 6. Develop and maintain secure systems and applications |
| 12.6 | Security Standard: a) 6. Response and Reporting (R) |
Maintain a Vulnerability Management Program: 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications |
| 13.1 | Security Standard: a) 6. Response and Reporting (R) |
Regularly Monitor and Test Networks: 11. Regularly test security systems and processes Maintain an Information Security Policy: 12. Maintain a policy that addresses information security |
| 13.2 | N/A | Maintain an Information Security Policy: 12. Maintain a policy that addresses information security |
| 14.1 | Security Standard: a) 7. Disaster Recovery Plan (R) a) 7. Testing and Revision Procedures (A) a) 7. Applications and Data Criticality Analysis (A) |
N/A |
| 15.1 | Security Standard: a) 1. Sanction Policy (R) a) 6. Response and Reporting (R) b) 1. Written Contract or Other Arrangement (R) |
N/A |
| 15.2 | Security Standard: a) 8. Technical evaluation that measures compliance with security requirements (R) |
Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
| 15.3 | Security Standard: b) 8. Audit Controls (R) |
Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data |
| Standard | GLBA | 21 CFR Part 11 |
| Sections | ||
| 4.1 | III.B. Assess Risk | (c) Protection of records throughout the records retention period. |
| 4.2 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 5.1 | II.A.
Information Security Program II.B. Objectives III.A. Invoice Board of Directors |
(c) Protection of records throughout the records retention period. |
| 6.1 | II.
A. Information Security Program II.B. Objectives III.A. Involve the Board of Directors III.C. Manage and Control Risk III.F. Report to the Board |
(c) Protection of records throughout the records retention period. |
| 6.2 | III.C.
Manage and Control Risk III.D. Oversee Service Provider Arrangements |
(c) Protection of records throughout the records retention period. |
| 7.1 | N/A | (c) Protection of records throughout the records retention period. |
| 7.2 | N/A | (c) Protection of records throughout the records retention period. |
| 8.1 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 8.2 | III.C. Manage and Control Risk | (c)
Protection of records throughout the records retention period. (i) Users of electronic record/electronic signature systems have appropriate education, training and experience. |
| 8.3 | N/A | (c) Protection of records throughout the records retention period. |
| 9.1 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 9.2 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 10.1 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 10.2 | III.D. Oversee Service Provider Arrangements | (c) Protection of records throughout the records retention period. |
| 10.3 | III.C. Manage and Control Risks | (c) Protection of records throughout the records retention period. |
| 10.4 | III.C. Manage and Control Risks | (c) Protection of records throughout the records retention period. |
| 10.5 | III.C. Manage and Control Risks | (c) Protection of records throughout the records retention period. |
| 10.6 | III.C. Manage and Control Risks | (c) Protection of records throughout the records retention period. |
| 10.7 | III.C. Manage and Control Risks | (c) Protection of records throughout the records retention period. |
| 10.8 | III.C. Manage and Control Risks | (c) Protection of records throughout the records retention period. |
| 10.9 | III.C. Manage and Control Risks | (c) Protection of records throughout the records retention period. |
| 10.1 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 11.1 | III.C. Manage and Control Risk | (c)
Protection of records throughout the records retention period. (d) Limiting system access to authorized individuals. (g) Use of authority checks to ensure that only authorized individuals can use the system |
| 11.2 | III.C. Manage and Control Risk | (c)
Protection of records throughout the records retention period. (d) Limiting system access to authorized individuals. (g) Use of authority checks to ensure that only authorized individuals can use the system |
| 11.3 | III.C. Manage and Control Risk | (c)
Protection of records throughout the records retention period. (d) Limiting system access to authorized individuals. (g) Use of authority checks to ensure that only authorized individuals can use the system (i) Users of electronic record/electronic signature systems have appropriate education, training and experience. |
| 11.4 | III.C. Manage and Control Risk | (c)
Protection of records throughout the records retention period. (d) Limiting system access to authorized individuals. (g) Use of authority checks to ensure that only authorized individuals can use the system |
| 11.5 | III.C. Manage and Control Risk | (c)
Protection of records throughout the records retention period. (d) Limiting system access to authorized individuals. (g) Use of authority checks to ensure that only authorized individuals can use the system |
| 11.6 | III.C. Manage and Control Risk | (c)
Protection of records throughout the records retention period. (d) Limiting system access to authorized individuals. (g) Use of authority checks to ensure that only authorized individuals can use the system |
| 11.7 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 12.1 | N/A | (c) Protection of records throughout the records retention period. |
| 12.2 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 12.3 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 12.4 | III.C. Manage and Control Risk | (c)
Protection of records throughout the records retention period. (d) Limiting system access to authorized individuals. (g) Use of authority checks to ensure that only authorized individuals can use the system |
| 12.5 | N/A | (c)
Protection of records throughout the records retention period. (e) Use of secure, computer–generated audit trails, which are retained for certain periods of time. (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over system documentation |
| 12.6 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 13.1 | III.C. Manage and Control Risk | (a)
Validation of systems and the ability to discern invalid or altered
records. (c) Protection of records throughout the records retention period. (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over system documentation |
| 13.2 | III.C. Manage and Control Risk | (a)
Validation of systems and the ability to discern invalid or altered
records. (c) Protection of records throughout the records retention period. (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over system documentation |
| 14.1 | III.C. Manage and Control Risk | (c) Protection of records throughout the records retention period. |
| 15.1 | III.C.
Manage and Control Risk III.F. Report to the Board |
(c) Protection of records throughout the records retention period. |
| 15.2 | III.C.
Manage and Control Risk III.E. Adjust the Program III.F. Report to the Board |
(c) Protection of records throughout the records retention period. |
| 15.3 | II.C.
Manage and Control Risk III.F. Report to the Board |
(c) Protection of records throughout the records retention period. |
No comments:
Post a Comment