Audit - Compliance Cross Reference /Check list - Excel file


  1. Standard
  2. ISO 17799:2005 / ISO 27002:2005
  3. FIPS 200/FISMA 800-53
  4. ISACA COBIT
  5. Sarbanes-Oxley COSO
  6. HIPAA Requirements
  7. Payment Card Industry Data Security Standards
  8. GLBA / 21 CFR Part 11





Standard: ISO 17799:2005 / ISO 27002:2005 | FIPS 200/FISMA 800-53
Sections:
SECTION: 4 - Risk Assessment and Treatment
4.1 Assessing Security Risks
Identify, quantify, and prioritize risks against criteria for risk acceptance relevant to the organization 
Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
4.2 Treating Security Risks
Determine risk treatment options: Apply appropriate controls, accept risks, avoid risks or transfer risk to other parties 
Certification, Accreditation, and Security Assessments (CA): Organizations must: (I) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
SECTION: 5 - Security Policy
5.1 Information Security Policy
An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals 
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.
Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
SECTION: 6 - Organization of Information Security
6.1 Internal Organization
A management framework should be established to initiate and control the implementation of information security within the organization 
See PL
6.2 External Parties
To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties 
SECTION: 7 - Asset Management
7.1 Responsibility for Assets
All assets should be accounted for and have a nominated owner 
Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
7.2 Information Classification
Information should be classified to indicate the need, priorities and expected degree of protection 
See RA
SECTION: 8 - Human Resources Security
8.1 Prior to Employment
To ensure that employees, contractors and third party users understand responsibilities, and are suitable for their roles 
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
8.2 During Employment
To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work 
See PS
8.3 Termination or Change of Employment
To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner 
See PS
SECTION: 9 - Physical and Environmental Security
9.1 Secure Areas
To prevent unauthorized physical access, damage, and interference to the organization’s premises and information 
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
9.2 Equipment Security
To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities 
See PE
SECTION: 10 - Communications and Operations Management
10.1 Operational Procedures and Responsibilities
To ensure the correct and secure operation of information processing facilities including segregation of duties and change management functions 
System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
See
10.2 Third Party Service Delivery Management
To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements 
See SA
10.3 System Planning and Acceptance
To minimize the risk of systems failures 
See MA
10.4 Protection Against Malicious and Mobile Code
Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code 
Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
10.5 Back-up
Routine procedures for implementing the back-up policy and strategy 
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
10.6 Network Security Management
To ensure the protection of information in networks and the protection of the supporting infrastructure 
10.7 Media Handling
To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities 
Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.
10.8 Exchange of Information
To maintain the security of information and software exchanged within an organization and with any external entity
See MP
10.9 Electronic Commerce Services
To ensure the security of electronic commerce services, and their secure use. 
10.10 Monitoring
To detect unauthorized information processing activities including review of operator logs and fault logging 
SECTION: 11 - Access Control
11.1 Business Requirement for Access Control
Establish, document and review access control policies and rules 
Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
11.2 User Access Management
Formal procedures to control the allocation of access rights to information systems and services 
Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
11.3 User Responsibilities
User awareness, particularly with the use of passwords and the security of equipment 
Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
11.4 Network Access Control
Ensure that appropriate interfaces and authentication mechanisms to networked services are in place 
11.5 Operating System Access Control
To prevent unauthorized access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses
See AC
11.6 Application and Information Access Control
To prevent unauthorized access to information held in application systems. 
See AC
11.7 Mobile Computing and Teleworking
To ensure information security when using mobile computing and teleworking facilities 
SECTION: 12 - Information Systems Acquisition, Development and Maintenance
12.1 Security Requirements of Information Systems
To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications 
System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
12.2 Correct Processing in Applications
To prevent errors, loss, unauthorized modification or misuse of information in applications 
12.3 Cryptographic Controls
To protect the confidentiality, authenticity or integrity of information by cryptographic means. 
12.4 Security of System Files
To ensure security of system files 
12.5 Security in Development and Support Processes
Project and support environments should be strictly controlled 
12.6 Technical Vulnerability Management
To reduce risks resulting from exploitation of published technical vulnerabilities 
System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
SECTION: 13 - Information Security Incident Management
13.1 Reporting Information Security Events and Weaknesses
To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken 
Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
13.2 Management of Information Security Incidents and Improvements
To ensure a consistent and effective approach is applied to the management of information security incidents 
See IR
SECTION: 14 - Business Continuity Management
14.1 Information Security Aspects of Business Continuity Management
To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters and to ensure their timely resumption 
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
SECTION: 15 - Compliance
15.1 Compliance with Legal Requirements
To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements 
15.2 Compliance with Security Policies and Standards, and Technical Compliance
To ensure compliance of systems with organizational security policies and standards 
15.3 Information Systems Audit Considerations
To maximize the effectiveness of and to minimize interference to/from the information systems audit process 
Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Standard: ISACA COBIT | Sarbanes-Oxley COSO
Sections:
4.1
COBIT:
Plan and Organize:
* PO9 Assess and Manage IT Risks
Monitor and Evaluate:
* ME3 Ensure Regulatory Compliance
* ME4 Provide IT Governance
COSO:
* Risk Assessment
* Objective Setting
* Event Identification

4.2
COBIT:
Plan and Organize:
* PO9 Assess and Manage IT Risks
Monitor and Evaluate:
* ME1 Monitor and Evaluate IT Performance
* ME2 Monitor and Evaluate Internal Controls
COSO:
* Risk Response
* Event Identification
5.1
COBIT:
Plan and Organize:
* PO1 Define a Strategic IT Plan
* PO4 Define the IT Processes, Organization and Relationships
* PO6 Communicate Management Aims and Direction
* PO7 Manage IT Human Resources
COSO:
* Internal Environment
* Objective Setting
* Risk Assessment
6.1
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Internal Environment
* Control Activities
* Information and Communication

6.2
COBIT:
Plan and Organize:
* PO8 Manage Quality
Deliver and Support:
* DS1 Define and Manage Service Levels
* DS2 Manage Third-Party Services
* DS5 Ensure Systems Security
COSO:
* Internal Environment
* Risk Assessment
* Control Activities
* Information and Communication
* Monitoring
7.1
COBIT:
Plan and Organize:
* PO4 Define the IT Processes
COSO:
* Control Activities

7.2
COBIT:
Plan and Organize:
* PO2 Define the Information Architecture
* PO9 Assess and Manage IT Risks
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Risk Assessment
* Event Identification
8.1
COBIT:
Plan and Organize:
* PO7 Manage IT Human Resources
Deliver and Support:
* DS12 Manage the Physical Environment
COSO:
* Internal Environment
* Control Activities
* Information and Communication

8.2
COBIT:
Plan and Organize:
* PO7 Manage IT Human Resources
Deliver and Support:
* DS7 Educate and Train Users
COSO:
* Internal Environment
* Control Activities
* Information and Communication

8.3
COBIT:
Plan and Organize:
* PO4 Define the IT Processes, Organization and Relationships
* PO7 Manage IT Human Resources
COSO:
N/A
9.1
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
* DS11 Manage Data
* DS12 Manage the Physical Environment
COSO:
* Control Activities
* Information and Communication
* Monitoring

9.2
COBIT:
Deliver and Support:
* DS12 Manage the Physical Environment
COSO:
* Control Activities
* Information and Communication
10.1
COBIT:
Plan and Organize:
* PO4 Define the IT Processes, Organization and Relationships
Acquire and Implement:
* AI6 Manage Changes
Deliver and Support:
* DS4 Ensure Continuous Service
* DS13 Manage Operations
COSO:
* Internal Environment
* Risk Response
* Control Activities
* Monitoring

10.2
COBIT:
Plan and Organize:
* PO4 Define the IT Processes, Organization and Relationships
* PO8 Manage Quality
* PO10 Manage Projects
Deliver and Support:
* DS1 Define and Manage Service Levels
* DS2 Manage Third-Party Services
COSO:
* Internal Environment
* Control Activities

10.3
COBIT:
Deliver and Support:
* DS3 Manage Performance and Capacity
* DS4 Ensure Continuous Service
COSO:
* Control Activities
* Monitoring

10.4
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
* DS8 Manage Service Desk and Incidents
* DS9 Manage the Configuration
* DS10 Manage Problems
COSO:
* Control Activities
* Event Identification
* Information and Communication

10.5
COBIT:
Deliver and Support:
* DS4 Ensure Continuous Service
* DS11 Manage Data
COSO:
* Event Identification
* Control Activities
* Monitoring

10.6
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Risk Assessment
* Control Activities
* Monitoring

10.7
COBIT:
Deliver and Support:
* DS11 Manage Data
COSO:
* Control Activities
* Information and Communication

10.8
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Risk Assessment
* Risk Response
* Control Activities
* Information and Communication
* Monitoring

10.9
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Event Identification
* Control Activities

10.10
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
Monitor and Evaluate:
* ME1 Monitor and Evaluate IT Performance
* ME2 Monitor and Evaluate Internal Control
COSO:
* Control Activities
* Monitoring
11.1
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Internal Environment
* Control Activities

11.2
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Control Activities
* Monitoring

11.3
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Internal Environment
* Control Activities

11.4
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Internal Environment
* Control Activities
* Monitoring

11.5
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Internal Environment
* Control Activities
* Monitoring

11.6
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Control Activities
* Monitoring

11.7
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Internal Environment
* Control Activities
* Monitoring
12.1
COBIT:
Acquire and Implement:
* AI2 Acquire and Maintain Application Software
* AI3 Acquire and Maintain Technology Infrastructure
COSO:
* Control Activities
* Monitoring

12.2
COBIT:
Acquire and Implement:
* AI2 Acquire and Maintain Application Software
COSO:
* Control Activities

12.3
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Control Activities
* Monitoring

12.4
COBIT:
Acquire and Implement:
* AI6 Manage Changes
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Control Activities
* Information and Communication
* Monitoring

12.5
COBIT:
Acquire and Implement:
* AI6 Manage Changes
Deliver and Support:
* DS5 Ensure Systems Security
COSO:
* Control Activities
* Monitoring

12.6
COBIT:
Plan and Organize:
* PO9 Assess and Manage IT Risks
Deliver and Support:
* DS2 Manage Third-Party Services
* DS4 Ensure Continuous Service
* DS5 Ensure Systems Security
* DS9 Manage the Configuration
Monitor and Evaluate:
* ME1 Monitor and Evaluate IT Performance
COSO:
N/A
13.1
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
* DS8 Manage Service Desk and Incidents
* DS10 Manage Problems
Monitor and Evaluate:
* ME1 Monitor and Evaluate IT Performance
* ME2 Monitor and Evaluate Internal Control
COSO:
N/A

13.2
COBIT:
Deliver and Support:
* DS5 Ensure Systems Security
* DS8 Manage Service Desk and Incidents
* DS10 Manage Problems
Monitor and Evaluate:
* ME1 Monitor and Evaluate IT Performance
* ME2 Monitor and Evaluate Internal Control
COSO:
N/A
14.1
COBIT:
Deliver and Support:
* DS4 Ensure Continuous Service
* DS10 Manage Problems
* DS11 Manage Data
COSO:
* Event Identification
* Risk Response
* Control Activities
* Information and Communication
* Monitoring
15.1
COBIT:
Monitor and Evaluate:
* ME3 Ensure Regulatory Compliance
* ME4 Provide IT Governance
COSO:
* Internal Environment
* Event Identification
* Risk Assessment
* Control Activities
* Information and Communication
* Monitoring

15.2
COBIT:
Acquire and Implement:
* AI7 Install and Accredit Solutions and Changes
Monitor and Evaluate:
* ME1 Monitor and Evaluate IT Performance
* ME2 Monitor and Evaluate Internal Control
* ME4 Provide IT Governance
COSO:
* Internal Environment
* Control Activities
* Monitoring

15.3
COBIT:
Monitor and Evaluate:
* ME1 Monitor and Evaluate IT Performance
* ME2 Monitor and Evaluate Internal Control
* ME4 Provide IT Governance
COSO:
* Monitoring
Standard: HIPAA Requirements | Payment Card Industry Data Security Standards
Sections:
4.1
HIPAA:
Security Standard:
a) 1. Risk Analysis (R)
PCI DSS:
N/A

4.2
HIPAA:
Security Standard:
a) 1. Risk Management (R)
PCI DSS:
N/A
5.1
HIPAA:
Security Standard:
a) 1. Sanction Policy (R)
a) 2. Assigned Security Responsibility (R)
PCI DSS:
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security
6.1
HIPAA:
Security Standard:
a) 1. Information System Activity Review (R)
a) 2. Assigned Security Responsibility (R)
PCI DSS:
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security

6.2
HIPAA:
Security Standard:
b) 1. Written Contract or Other Arrangement (R)
PCI DSS:
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security
7.1
HIPAA:
Physical Standard:
d) 2. Device and Media Controls – Accountability (A)
PCI DSS:
N/A

7.2
HIPAA:
Security Standard:
a) 1. Risk Analysis (R)
a) 1. Risk Management (R)
PCI DSS:
N/A
8.1
HIPAA:
Security Standard:
a) 1. Sanction Policy (R)
a) 3. Authorization and/or Supervision (A)
a) 3. Workforce Clearance Procedure (A)
a) 5. Security Reminders (A)
PCI DSS:
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security

8.2
HIPAA:
Security Standard:
a) 5. Security Reminders (A)
PCI DSS:
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security

8.3
HIPAA:
Security Standard:
a) 3. Termination Procedures (A)
PCI DSS:
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access
9.1
HIPAA:
Security Standard:
a) 3. Authorization and/or Supervision (A)
a) 3. Workforce Clearance Procedure (A)
Physical Standard:
a) 1. Facility Access Control
a) 2. Facility Security Plan
a) 2. Access Control and Validation Procedures (A)
PCI DSS:
Implement Strong Access Control Measures:
9. Restrict physical access to cardholder data

9.2
HIPAA:
Physical Standard:
a) 1. Facility Access Control
b) Workstation Use (R)
c) Workstation Security
d) 1. Device and Media Controls – Disposal (R)
d) 2. Media Re-use (R)
d) 2. Device and Media Controls – Accountability (A)
PCI DSS:
Implement Strong Access Control Measures:
9. Restrict physical access to cardholder data
10.1
HIPAA:
Security Standard:
a) 1. Information System Activity Review (R)
a) 1. Sanction Policy (R)
a) 2. Assigned Security Responsibility (R)
b) 1. Written Contract or Other Arrangement (R)
a) 6. Response and Reporting (R)
Physical Standard:
a) 2. Contingency Operations (R)
PCI DSS:
N/A

10.2
HIPAA:
Security Standard:
b) 1. Written Contract or Other Arrangement
PCI DSS:
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security

10.3
HIPAA:
N/A
PCI DSS:
N/A

10.4
HIPAA:
Security Standard:
a) 4. Access Establishment and Modification (A)
a) 5. Protection from Malicious Software
PCI DSS:
Maintain a Vulnerability Management Program:
5. Use and regularly update anti-virus software

10.5
HIPAA:
Security Standard:
a) 7. Data Backup Plan (R)
a) 7. Disaster Recovery Plan (R)
a) 7. Emergency Mode Operation Plan (R)
a) 7. Testing and Revision Procedure (A)
Physical Standard:
a) 2. Contingency Operations (R)
a) 2. Data Backup and Storage (A)
PCI DSS:
N/A

10.6
HIPAA:
Technical Standard:
a) 2. Encryption and Decryption (A)
e) 1. Transmission Security
e) 2. Integrity Controls (A)
PCI DSS:
Build and Maintain a Secure Network:
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Maintain a Vulnerability Management Program:
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

10.7
HIPAA:
Physical Standard:
d) 1. Device and Media Controls – Disposal (R)
d) 2. Media Re-use (R)
d) 2. Device and Media Controls – Accountability (A)
PCI DSS:
Protect Cardholder Data:
3. Protect stored data
Implement Strong Access Control Measures:
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

10.8
HIPAA:
Security Standard:
b) 1. Written Contract or Other Arrangement (R)
Technical Standard:
a) 2. Encryption and Decryption (A)
d) Person or Entity Authentication (R)
e) 1. Transmission Security
e) 2. Integrity Controls (A)
PCI DSS:
Build and Maintain a Secure Network:
1. Install and maintain a firewall
Protect Cardholder Data:
4. Encrypt transmissions of cardholder data and sensitive information across public networks
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access

10.9
HIPAA:
N/A
PCI DSS:
Build and Maintain a Secure Network:
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data:
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program:
6. Develop and maintain secure systems and applications

10.10
HIPAA:
Security Standard:
a) 5. Log-In Monitoring (A)
a) 1. Information System Activity Review (R)
b) 8. Audit Controls (R)
PCI DSS:
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access
Regularly Monitor and Test Networks:
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
11.1
HIPAA:
Security Standard:
a) 4. Access Authorization (A)
PCI DSS:
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security

11.2
HIPAA:
Security Standard:
a) 4. Access Authorization (A)
a) 4. Access Establishment and Modification (A)
a) 5. Password Management (A)
Technical Standard:
a) 2. Unique User Identification (R)
PCI DSS:
Implement Strong Access Control Measures:
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access

11.3
HIPAA:
Security Standard:
a) 5. Password Management (A)
Physical Standard:
b) Workstation Use (R)
c) Workstation Security
PCI DSS:
Build and Maintain a Secure Network:
2. Do not use vendor-supplied defaults for system passwords
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security

11.4
HIPAA:
Security Standard:
a) 5. Password Management (A)
Technical Standard:
c) 2. Mechanism to Authenticate Electronic Protected Health Information (A)
d) Person or Entity Authentication (R)
PCI DSS:
Build and Maintain a Secure Network:
2. Do not use vendor-supplied defaults for system passwords
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access

11.5
HIPAA:
Security Standard:
a) 4. Access Establishment and Modification (A)
a) 5. Password Management (A)
Technical Standard:
a) 2. Unique User Identification (R)
a) 2. Automatic Logoff (A)
d) Person or Entity Authentication (R)
PCI DSS:
Build and Maintain a Secure Network:
2. Do not use vendor-supplied defaults for system passwords
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access
Regularly Monitor and Test Networks:
10. Track and monitor all access to network resources and cardholder data

11.6
HIPAA:
Security Standard:
a) 4. Access Establishment and Modification (A)
a) 5. Password Management (A)
Technical Standard:
a) 2. Unique User Identification (R)
d) Person or Entity Authentication (R)
PCI DSS:
Build and Maintain a Secure Network:
2. Do not use vendor-supplied defaults for system passwords
Maintain a Vulnerability Management Program:
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures:
8. Assign a unique ID to each person with computer access

11.7
HIPAA:
Security Standard:
a) 4. Access Establishment and Modification (A)
PCI DSS:
Build and Maintain a Secure Network:
1. Install and maintain a firewall configuration to protect data
12.1
HIPAA:
N/A
PCI DSS:
Maintain a Vulnerability Management Program:
6. Develop and maintain secure systems and applications

12.2
HIPAA:
Technical Standard:
e) 2. Transmission Security – Integrity Controls (A)
PCI DSS:
Maintain a Vulnerability Management Program:
6. Develop and maintain secure systems and applications

12.3
HIPAA:
Technical Standard:
a) 2. Encryption and Decryption (A)
e) 2. Transmission Security – Encryption (A)
PCI DSS:
Protect Cardholder Data:
4. Encrypt transmission of cardholder data and sensitive information across public networks

12.4
HIPAA:
N/A
PCI DSS:
Build and Maintain a Secure Network:
2. Do not use vendor-supplied defaults for system passwords and other security parameters

12.5
HIPAA:
N/A
PCI DSS:
Maintain a Vulnerability Management Program:
6. Develop and maintain secure systems and applications

12.6
HIPAA:
Security Standard:
a) 6. Response and Reporting (R)
PCI DSS:
Maintain a Vulnerability Management Program:
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
13.1
HIPAA:
Security Standard:
a) 6. Response and Reporting (R)
PCI DSS:
Regularly Monitor and Test Networks:
11. Regularly test security systems and processes
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security

13.2
HIPAA:
N/A
PCI DSS:
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security
14.1
HIPAA:
Security Standard:
a) 7. Disaster Recovery Plan (R)
a) 7. Testing and Revision Procedures (A)
a) 7. Applications and Data Criticality Analysis (A)
PCI DSS:
N/A
15.1
HIPAA:
Security Standard:
a) 1. Sanction Policy (R)
a) 6. Response and Reporting (R)
b) 1. Written Contract or Other Arrangement (R)
PCI DSS:
N/A

15.2
HIPAA:
Security Standard:
a) 8. Technical evaluation that measures compliance with security requirements (R)
PCI DSS:
Regularly Monitor and Test Networks:
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

15.3
HIPAA:
Security Standard:
b) 8. Audit Controls (R)
PCI DSS:
Regularly Monitor and Test Networks:
10. Track and monitor all access to network resources and cardholder data
Standard: GLBA (Interagency Guidelines Establishing Information Security Standards) | 21 CFR Part 11 (§11.10 controls for closed systems)
Sections:
4.1
  GLBA: III.B. Assess Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
4.2
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
5.1
  GLBA: II.A. Information Security Program; II.B. Objectives; III.A. Involve the Board of Directors
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
6.1
  GLBA: II.A. Information Security Program; II.B. Objectives; III.A. Involve the Board of Directors; III.C. Manage and Control Risk; III.F. Report to the Board
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
6.2
  GLBA: III.C. Manage and Control Risk; III.D. Oversee Service Provider Arrangements
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
7.1
  GLBA: N/A
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
7.2
  GLBA: N/A
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
8.1
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
8.2
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (i) Users of electronic record/electronic signature systems have appropriate education, training and experience.
8.3
  GLBA: N/A
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
9.1
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
9.2
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.1
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.2
  GLBA: III.D. Oversee Service Provider Arrangements
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.3
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.4
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.5
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.6
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.7
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.8
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.9
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
10.10
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
11.1
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorized individuals; (g) Use of authority checks to ensure that only authorized individuals can use the system.
11.2
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorized individuals; (g) Use of authority checks to ensure that only authorized individuals can use the system.
11.3
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorized individuals; (g) Use of authority checks to ensure that only authorized individuals can use the system; (i) Users of electronic record/electronic signature systems have appropriate education, training and experience.
11.4
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorized individuals; (g) Use of authority checks to ensure that only authorized individuals can use the system.
11.5
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorized individuals; (g) Use of authority checks to ensure that only authorized individuals can use the system.
11.6
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorized individuals; (g) Use of authority checks to ensure that only authorized individuals can use the system.
11.7
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
12.1
  GLBA: N/A
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
12.2
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
12.3
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
12.4
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (d) Limiting system access to authorized individuals; (g) Use of authority checks to ensure that only authorized individuals can use the system.
12.5
  GLBA: N/A
  21 CFR Part 11: (c) Protection of records throughout the records retention period; (e) Use of secure, computer-generated audit trails, which are retained for certain periods of time; (f) Use of operational system checks to enforce sequencing of steps and events as appropriate; (k) Use of appropriate controls over system documentation.
12.6
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
13.1
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (a) Validation of systems and the ability to discern invalid or altered records; (c) Protection of records throughout the records retention period; (f) Use of operational system checks to enforce sequencing of steps and events as appropriate; (k) Use of appropriate controls over system documentation.
13.2
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (a) Validation of systems and the ability to discern invalid or altered records; (c) Protection of records throughout the records retention period; (f) Use of operational system checks to enforce sequencing of steps and events as appropriate; (k) Use of appropriate controls over system documentation.
14.1
  GLBA: III.C. Manage and Control Risk
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
15.1
  GLBA: III.C. Manage and Control Risk; III.F. Report to the Board
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
15.2
  GLBA: III.C. Manage and Control Risk; III.E. Adjust the Program; III.F. Report to the Board
  21 CFR Part 11: (c) Protection of records throughout the records retention period.
15.3
  GLBA: III.C. Manage and Control Risk; III.F. Report to the Board
  21 CFR Part 11: (c) Protection of records throughout the records retention period.