A.5 Security Policy
|
|
A.5.1 Information security policy
|
|
A.5.1.1 Information security policy document
|
XX�1 controls, PM-1
|
A.5.1.2 Review of the information security policy
|
XX�1 controls, PM-1
|
A.6 Organization of information security
|
|
A.6.1 Internal
|
|
A.6.1.1 Management commitment to information security
|
XX-1 controls, PM-1, PM-2, PM-3
|
A.6.1.2 Information security coordination
|
XX-1 controls, PM-1, PM-2, CP-2, CP-4, IR-4, PL-1, PL-2, SA-2
|
A.6.1.3 Allocation of information security responsibilities
|
XX-1 controls, PM-1, PM-2, PM-10, CM-9, CP-2, PS-7, SA-3, SA-9,
|
A.6.1.4 Authorization process for information processing facilities
|
PM-10, CA-1, CA-6
|
A.6.1.5 Confidentiality agreements
|
PL�4, PS�6, SA-9
|
A.6.1.6 Contact with authorities
|
IR-4, IR-6, IR-7, PE-13, SA-19, SI-5
|
A.6.1.7 Contact with special interest groups
|
PM-15, SI-5
|
A.6.1.8 Independent review of information security
|
PM-9, CA-1, CA�2, CA�7, SA-11
|
A.6.2 External Parties
|
|
A.6.2.1 Identification of risks related to external parties
|
PM-9, AC-20, CA-3, RA-3, SA�9
|
A.6.2.2 Addressing security when dealing with customers
|
AC�8 , AT�2, AT-3, CA-2, CA-3, PL�4, SA-9
|
A.6.2.3 Addressing security in third party agreements
|
CA�3, PL-4, PS-6, PS-7, SA�9
|
A.7 Asset Management
|
|
A.7.1 Responsibility for assets
|
|
A.7.1.1 Inventory of assets
|
PM-5, CM-8, CM-9
|
A.7.1.2 Ownership of assets
|
PM-5, CM-8, CM-9
|
A.7.1.3 Acceptable use of assets
|
AC-20, PL�4, PS-6
|
A.7.2 Information Classification
|
|
A.7.2.1 Classification Guidelines
|
RA-2
|
A.7.2.2 Information labeling and handling
|
AC-3, AC-4, AC-16, MP�2, MP�3, SC-16
|
A.8 Human Resources Security
|
|
A.8.1 Prior to Employment
|
|
A.8.1.1 Roles and Responsibilities
|
XX-1 controls, PL�4, PS-2, PS�6, PS-7
|
A.8.1.2 Screening
|
PS�3, SA-21
|
A.8.1.3 Terms and conditions of employment
|
PL-4, PS�6
|
A.8.2 During employment
|
|
A.8.2.1 Management responsibilities
|
PL-4, PS�6, PS-7, SA�9
|
A.8.2.2 Awareness, education, and training
|
PM-13, PM-14, AT�2, AT�3, CP-3, IR-2, SA-16
|
A.8.2.3 Disciplinary process
|
PS�8
|
A.8.3 Termination or change of employment
|
|
A.8.3.1 Termination responsibilities
|
PS�4, PS�5
|
A.8.3.2 Return of assets
|
PS�4, PS�5
|
A.8.3.3 Removal of access rights
|
AC-2, PE-2, PS�4, PS�5
|
A.9 Physical and environmental security
|
|
A.9.1 Secure areas
|
|
A.9.1.1 Physical security perimeter
|
PE�3, PE-4, PE-5
|
A.9.1.2 Physical entry controls
|
MA-5, PE-2, PE�3, PE-4, PE-5, PE-6, PE-8
|
A.9.1.3 Securing offices, rooms, facilities
|
PE�3, PE-4, PE-5
|
A.9.1.4 Protecting against external and environmental threats
|
CP-2, CP-6, CP-7, PE-1, PE�9, PE-13, PE-15, PE-18, PE-19
|
A.9.1.5 Working in secure areas
|
PE-1
|
A.9.1.6 Public access, delivery and loading areas
|
PE�3 , PE�16
|
A.9.2 Equipment security
|
|
A.9.2.1 Equipment siting and protection
|
PE-13, PE-14, PE-15, PE�18, PE-19
|
A.9.2.2 Supporting utilities
|
CP-8, PE-9, PE-10, PE-11, PE-12, PE-14
|
A.9.2.3 Cabling security
|
PE�4, PE�9
|
A.9.2.4 Equipment maintenance
|
MA-2, MA-3, MA-4, MA-5, MA-6
|
A.9.2.5 Security of equipment off-premises
|
AC-19, AC-20, MP�5, PE�17
|
A.9.2.6 Secure disposal or reuse of equipment
|
MP�6
|
A.9.2.7 Removal of property
|
MA-2, MP-5, PE�16
|
A.10 Communications and operations management
|
|
A.10.1 Operational procedures and responsibilities
|
|
A.10.1.1 Documented operating procedures
|
XX�1 controls, SA-5
|
A.10.1.2 Change management
|
CM-2, CM-3, CM-4, CM-5, CM-9, SA-10
|
A.10.1.3 Segregation of duties
|
AC�5
|
A.10.1.4 Separation of development, test and operational facilities
|
CM-2, CM-4, CM-9, SA-10
|
A.10.2 Third-party service delivery management
|
|
A.10.2.1 Service delivery
|
SA�9
|
A.10.2.2 Monitoring and review of third-party services
|
SA�9
|
A.10.2.3 Managing changes to third-party services
|
SA-9, SA-10
|
A.10.3 System planning and acceptance
|
|
A.10.3.1 Capacity management
|
AU�4, AU�5, CP�2, SA�2, SC�5
|
A.10.3.2 System acceptance
|
CA�2, CA�6, CM�3, CM�4, CM-9, SA-4, SA-10, SA�11
|
A.10.4 Protection against malicious and mobile code
|
|
A.10.4.1 Controls against malicious code
|
AC-19, AT�2, AT-3, CM-11, IR-2, IR-8, MA-3, MP-7, SC�7, SC-42, SI-1, SI�3, SI-5, SI�7
|
A.10.4.2 Controls against mobile code
|
SA�8, SC�2, SC�3, SC�7, SC-18
|
A.10.5 Backup
|
|
A.10.5.1 Information backup
|
CP�9
|
A.10.6 Network security management
|
|
A.10.6.1 Network controls
|
AC-3, AC-17, AC-18, AC�20, CA�3, SC-5, SC-7, SC�8, SC�10
|
A.10.6.2 Security of network services
|
CA-3, SA�9
|
A.10.7 Media handling
|
|
A.10.7.1 Management of removable media
|
MP-1, MP-4, MP-5, MP-6, MP-7
|
A.10.7.2 Disposal of media
|
MP�6
|
A.10.7.3 Information handling procedures
|
AC-3, AC-4, AC-16, AC-19, MP-2, MP-3, SI-10, SI-12
|
A.10.7.4 Security of system documentation
|
AC-3, MP-3, MP-4, SA�5
|
A.10.8 Exchange of information
|
|
A.10.8.1 Information exchange policies and procedures
|
AC�1, AC�3, AC�4, AC�17, AC-18, AC�20, CA�3, PL�4, PS�6, SC-1, SC�7, SC-8, SC-15
|
A.10.8.2 Exchange agreements
|
CA�3, SA-9
|
A.10.8.3 Physical media in transit
|
MP�5
|
A.10.8.4 Electronic messaging
|
AU-10, SC-7, SC-8, SC-44
|
A.10.8.5 Business information systems
|
AC-17, CA-3
|
A.10.9 Electronic commerce services
|
|
A.10.9.1 Electronic commerce
|
AC-3, AU-10, IA-2, IA-8, SC-7, SC�8, SC-13
|
A.10.9.2 Online transactions
|
AC-3, AU-10, IA-2, IA-8, SC-2, SC-3, SC-7, SC�8, SC-13
|
A.10.9.3 Publicly available information
|
AC-3, AC-22, SI-3, SI-4, SI-5, SI-7, SI-10
|
A.10.10 Monitoring
|
|
A.10.10.1 Audit logging
|
AU-2, AU-3, AU-8, AU-11, AU-12, AU-14
|
A.10.10.2 Monitoring system use
|
AU-2, AU-3, AU-6, AU-7, AU-12, CM-6, CM-11, PE�6, PE�8, SC-7, SI-4, SI-6, SI-7
|
A.10.10.3 Protection of log information
|
AU-4, AU-5, AU�9, SI-4
|
A.10.10.4 Administrator and operator logs
|
AU-2, AU-3, AU-12
|
A.10.10.5 Fault logging
|
AU-2, AU-6, AU-12, SI-6
|
A.10.10.6 Clock synchronization
|
AU�8
|
A.11 Access Control
|
|
A.11.1 Business requirement for access control
|
|
A.11.1.1 Access control policy
|
AC�1, MP-1
|
A.11.2 User access management
|
|
A.11.2.1 User registration
|
AC�2, IA-4, IA-5
|
A.11.2.2 Privilege management
|
AC�2, AC-3, AC�6
|
A.11.2.3 User password management
|
IA�5
|
A.11.2.4 Review of user access rights
|
AC-2
|
A.11.3 User responsibilities
|
|
A.11.3.1 Password use
|
IA�5
|
A.11.3.2 Unattended user equipment
|
AC�11, SC�10
|
A.11.3.3 Clear desk and clear screen policy
|
AC-1, AC-11, MP-1, MP-2, MP-4
|
A.11.4 Network access control
|
|
A.11.4.1 Policy on use of network services
|
AC�1, AC�6, AC�17, AC-18, AC�20, CM-7, SC-1, SC-7
|
A.11.4.2 User authentication for external connections
|
AC�17, AC-18, AC�20, CA-3, IA-2, IA-3, IA-8
|
A.11.4.3 Equipment identification in networks
|
AC-19, IA�3
|
A.11.4.4 Remote diagnostic and configuration port protection
|
AC�6, CM-7, MA-2, MA�4, PE-3
|
A.11.4.5 Segregation in networks
|
AC-4, SC-2, SC�7
|
A.11.4.6 Network connection control
|
AC-17, AC-18, AC-19, AC-20, CM-7, SC-7
|
A.11.4.7 Network routing control
|
AC�4, SC-7
|
A.11.5 Operating system access control
|
|
A.11.5.1 Secure log-on procedures
|
AC�7, AC-8, AC-9, IA�2, IA-5, IA�6, IA-8
|
A.11.5.2 User identification and authentication
|
AC-2, IA�2, IA�4, IA�5, IA-8
|
A.11.5.3 Password management system
|
IA�5, IA-6
|
A.11.5.4 Use of system utilities
|
AC�3, AC�6, AU-2, SC-2
|
A.11.5.5 Session time-out
|
AC-2, AC�11, AC-12, SC�10
|
A.11.5.6 Limitation of connection time
|
AC-2, IA-11, SC-43
|
A.11.6 Application and information access control
|
|
A.11.6.1 Information access restriction
|
AC-1, AC�3, AC�6, AC-22, AC-24
|
A.11.6.2 Sensitive system isolation
|
SC-7, SC-32
|
A.11.7 Mobile computing and teleworking
|
|
A.11.7.1 Mobile computing and communications
|
AC-1, AC�17, AC-18, AC�19, PL�4, PS�6
|
A.11.7.2 Teleworking
|
AC-1, AC�17, PE�17, PL�4, PS�6
|
A.12 Information systems acquisition, development and maintenance
|
|
A.12.1 Security requirements of information systems
|
|
A.12.1.1 Security requirements analysis and specification
|
PL-7, PL-8, RA-2, SA-3, SA�4, SA-8
|
A.12.2 Correct processing in applications
|
|
A.12.2.1 Input data validation
|
SI�10
|
A.12.2.2 Control of internal processing
|
SI-6, SI�7, SI�10
|
A.12.2.3 Message integrity
|
AU�10, SC�8, SC-23, SI�7
|
A.12.2.4 Output data validation
|
SI-15
|
A.12.3 Cryptographic controls
|
|
A.12.3.1 Policy on the use of cryptographic controls
|
AC-1, MP-1, SC-1
|
A.12.3.2 Key management
|
SC�12, SC-17
|
A.12.4 Security of system files
|
|
A.12.4.1 Control of operational software
|
CM-1, CM-2, CM-3, CM-4, CM-5, CM-7, CM-9, CM-10, CM-11, SC-18, SI-7
|
A.12.4.2 Protection of system test data
|
SA-15
|
A.12.4.3 Access control to program source code
|
AC�3, AC�6, CM�5, CM-9, MA-5, SA-10
|
A.12.5 Security in development and support processes
|
|
A.12.5.1 Change control procedures
|
CM�1, CM-3, CM-9, SA-10
|
A.12.5.2 Technical review of applications after operating system changes
|
CM-3, CM�4, CM-9
|
A.12.5.3 Restrictions on changes to software packages
|
CM�3, CM�4, CM�5, CM-9, SA-10
|
A.12.5.4 Information leakage
|
AC�4, AU-13, PE�19, SC-31, SC-38
|
A.12.5.5 Outsourced software development
|
SA-1, SA-4, SA-9, SA-10, SA-11, SA-12, SA-13, SA-15
|
A.12.6 Technical Vulnerability Management
|
|
A.12.6.1 Control of technical vulnerabilities
|
CA-7, RA�3, RA-5, SI�2, SI�5
|
A.13 Information security incident management
|
|
A.13.1 Reporting information security events and weaknesses
|
|
A.13.1.1 Reporting information security events
|
AU-6, IR-1, IR�6
|
A.13.1.2 Reporting security weaknesses
|
CA-2, CA-7, PL�4, SA-5, SA-11, SI-2, SI-5
|
A.13.2 Management of information security incidents and improvements
|
|
A.13.2.1 Responsibilities and procedures
|
IR�1, IR-4
|
A.13.2.2 Learning from information security incidents
|
IR�4, IR-10
|
A.13.2.3 Collection of evidence
|
AU-7, AU-8, AU-9, AU-11, IR�4
|
A.14 Business continuity management
|
|
A.14.1 Information security aspects of business continuity management
|
|
A.14.1.1 Including information security in the business continuity management process
|
CP-1, CP�2
|
A.14.1.2 Business continuity and risk assessment
|
PM-9, CP-2, RA-3
|
A.14.1.3 Developing and implementing continuity plans including information security
|
CP-1, CP-2, CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-13
|
A.14.1.4 Business continuity planning framework
|
CP�2, CP�4
|
A.14.1.5 Testing, maintaining and reassessing business continuity plans
|
CP-2, CP�4
|
A.15 Compliance
|
|
A.15.1 Compliance with legal requirements
|
|
A.15.1.1 Identification of applicable legislation
|
XX-1 controls
|
A.15.1.2 Intellectual property rights (IPR)
|
CM-10
|
A.15.1.3 Protection of organizational records
|
AC-3, AU-9, AU�11, CP-9, MP�4, SA-5, SI-12
|
A.15.1.4 Data protection and privacy of personal information
|
Appendix J Privacy controls, SI-12
|
A.15.1.5 Prevention of misuse of information processing facilities
|
AC-8, AU-6, CM-11, PL�4, PS-6, PS�8
|
A.15.1.6 Regulation of cryptographic controls
|
IA-7, SC�13
|
A.15.2 Compliance with security policies and standards, and technical compliance
|
|
A.15.2.1 Compliance with security policies and standards
|
XX-1 controls, CA�2, CA�7
|
A.15.2.2 Technical compliance checking
|
CA�2, CA-7, RA-5
|
A.15.3 Information systems audit considerations
|
|
A.15.3.1 Information systems audit controls
|
AU-1, AU-2, SI-4
|
A.15.3.2 Protection of information systems audit tools
|
AU�9
|
