Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
- Charles Hart
- 5 years ago
Location: ITSecPlan_PRAC2017.pdf

Information Security Policy and Procedures
Protect: Identity Management and Access Control PR.AC

Table of Contents

Protect: Identity Management and Access Control PR.AC Overview
Manage Identities and Credentials for Authorized Devices PR.AC-1
Manage and Protect Physical Access to Assets PR.AC-2
Manage Remote Access PR.AC-3
Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4
Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5
Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6

Each PR.AC function section has the same subsections: Risk Management; Compliance Management; Resources Required; Links to Supporting Policies, Documentation, and Resources; Deliverables Status.

PR.AC Page: 1

Protect: Identity Management and Access Control PR.AC

Overview

Disciplined management of system and personnel identities and authentication is perhaps the most crucial aspect of systems management for limiting what threat actors can do. Threat actors seek access privileges in order to penetrate systems and move through them. The Identity Management and Access Control function intends to ensure that access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.

The Protect: Identity Management and Access Control functions are:

Manage Identities and Credentials for Authorized Devices PR.AC-1
Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes.

Manage and Protect Physical Access to Assets PR.AC-2
Physical access to assets is managed and protected.

Manage Remote Access PR.AC-3
Remote access is managed.

Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5
Network integrity is protected, incorporating network segregation where appropriate.

Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6
Identities are proofed and bound to credentials, and asserted in interactions when appropriate.
Manage Identities and Credentials for Authorized Devices PR.AC-1

Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes.

Primary Control Reference - NIST SP Rev. 4 (HD added AC-1), AC-2, IA Family

AC-1 ACCESS CONTROL POLICY AND PROCEDURES
- Control: The organization:
  a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
  b. Reviews and updates the current:
     1. Access control policy [Assignment: organization-defined frequency]; and
     2. Access control procedures [Assignment: organization-defined frequency].
- Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.
- Related control: PM-9.
- Control Enhancements: None.
- References: NIST Special Publications ,
- Priority and Baseline Allocation:

AC-2 ACCOUNT MANAGEMENT
- Control: The organization:
  a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
  b. Assigns account managers for information system accounts;
  c. Establishes conditions for group and role membership;
  d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
  f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
  g. Monitors the use of information system accounts;
  h. Notifies account managers:
     1. When accounts are no longer required;
     2. When users are terminated or transferred; and
     3. When individual information system usage or need-to-know changes;
  i. Authorizes access to the information system based on:
     1. A valid access authorization;
     2. Intended system usage; and
     3. Other attributes as required by the organization or associated missions/business functions;
  j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
  k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
- Control: The organization:
  a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
  b. Reviews and updates the current:
     1. Identification and authentication policy [Assignment: organization-defined frequency]; and
     2. Identification and authentication procedures [Assignment: organization-defined frequency].

IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
- Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
- Control: The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

IA-4 IDENTIFIER MANAGEMENT
- Control: The organization manages information system identifiers by:
  a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
  b. Selecting an identifier that identifies an individual, group, role, or device;
  c. Assigning the identifier to the intended individual, group, role, or device;
  d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
  e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

IA-5 AUTHENTICATOR MANAGEMENT
- Control: The organization manages information system authenticators by:
  a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  b. Establishing initial authenticator content for authenticators defined by the organization;
  c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  e. Changing default content of authenticators prior to information system installation;
  f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
  h. Protecting authenticator content from unauthorized disclosure and modification;
  i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  j. Changing authenticators for group/role accounts when membership to those accounts changes.

IA-6 AUTHENTICATOR FEEDBACK
- Control: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
- Control: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
- Control: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION
- Control: The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].

IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION
- Control: The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].

IA-11 RE-AUTHENTICATION
- Control: The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

RISK MANAGEMENT: erisk Self-Assessment

7) Access Control

7.1) Is there a documented access control policy in place for all mission-critical systems?
(Best practice: Access to mission-critical systems must be limited to the minimal number of employees or users actually requiring access. Additionally, access should be controlled using appropriate authentication mechanisms.)
Answer: Work in progress

7.2) Are documented standards and procedures in place for user account registration, assignment of access rights, password management, and routine reviews by business/IT managers to ensure up-to-date status and accuracy?
(Best practice: Documented procedures that address the access rights of individual account owners must be enforced on a continuing basis to ensure that the organization retains effective control over its computing resources.)
Answer: Work in progress

7.3) Please describe how access management procedures are carried out within your organization. In particular, please describe your use of exit checklists and IT management notification procedures that are utilized when an employee leaves the company under both friendly and adverse circumstances.
Answer example: Active Directory groups are maintained in most cases; standard form-based submission to IT to authorize new/change/depart employee access.

7.4) Do you enforce a defined password composition and change standard that requires passwords to be at least 6-8 characters in length, using mixed-case alphanumeric and special characters, along with additional minimum requirements for non-reuse and change frequency?
(Best practice: Poorly chosen (dictionary-based) passwords are one of the leading causes of a security breach and are a major vulnerability. 'Password cracking' software is prevalent and is highly efficient and effective. Ideally, password authentication should be augmented by physical 'token' devices that require a user to type in a random number generated from a keychain-sized device that remains with the individual.)
Answer: Work in progress

7.5) Please describe the current password composition and change standards for all user accounts within your organization, and identify differences in these requirements that apply for normal versus administrator-level user accounts.
Answer example: Strong Active Directory 8-character, 3-of-4 from among upper/lower case, numeric, special characters. 90-day requirement. Admin passwords are subject to higher complexity and stored in a password vault solution.

7.6) Are narrowly tailored, role-based, and management-approved access rights assigned to systems administration personnel who require privileged access to systems or network components in order to carry out their assigned job tasks?
(Best practice: Privileges should be granted to only those administrators requiring them. They should be reviewed periodically to ensure they are withdrawn when they are no longer necessary. Moreover, proper separation of duties helps avoid giving a single administrator too much hands-on control over mission-critical business tools.)
Answer: Work in progress

7.7) Are access controls monitored through event logging with manual reviews for audit compliance?
(Best practice: Controls over network access should be a work-in-process employing hardware, access applications, and activity audits.)
Answer: Work in progress

COMPLIANCE MANAGEMENT: PCI Compliance Requirements

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access
  - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities
  - Assign access based on individual personnel's job classification and function

HIPAA AND TEXAS HOUSE BILL 300 Requirements

Information Access Management ( (a)(4)) - HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Implement Policies and Procedures for Authorizing Access
  - Implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism.
  - Decide how access will be granted to workforce members within the organization.
  - Select the basis for restricting access.
  - Select an access control method (e.g., identity-based, role-based, or other reasonable and appropriate means of access).
  - Determine if direct access to EPHI will ever be appropriate for individuals external to the organization (e.g., business partners or patients seeking access to their own EPHI).

Implement Policies and Procedures for Access Establishment and Modification
  - Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
  - Establish standards for granting access.
  - Provide formal authorization from the appropriate authority before granting access to sensitive information.

Evaluate Existing Security Measures Related to Access Controls
  - Evaluate the security features of access controls already in place, or those of any planned for implementation, as appropriate.
  - Determine if these security features involve alignment with other existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and review of audit trails, identification and authentication of users, and physical access controls.

Access Control ( (a)(1)) - HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).

Analyze Workloads and Operations To Identify the Access Needs of All Users
  - Identify an approach for access control.
  - Consider all applications and systems containing EPHI that should be available only to authorized users.
  - Integrate these activities into the access granting and management process.

Identify Technical Access Control Capabilities
  - Determine the access control capability of all information systems with EPHI.

Ensure that All System Users Have Been Assigned a Unique Identifier
  - Assign a unique name and/or number for identifying and tracking user identity.
  - Ensure that system activity can be traced to a specific user.
  - Ensure that the necessary data is available in the system logs to support audit and other related business functions.

Develop Access Control Policy
  - Establish a formal policy for access control that will guide the development of procedures.
  - Specify requirements for access control that are both feasible and cost-effective for implementation.

Implement Access Control Procedures Using Selected Hardware and Software
  - Implement the policy and procedures using existing or additional hardware/software solution(s).

Review and Update User Access
  - Enforce policy and procedures as a matter of ongoing operations.
  - Determine if any changes are needed for access control mechanisms.
  - Establish procedures for updating access when users require the following: initial access; increased access; access to different systems or applications than those they currently have.

Establish an Emergency Access Procedure
  - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  - Identify a method of supporting continuity of operations should the normal access procedures be disabled or unavailable due to system problems.

Automatic Logoff and Encryption and Decryption
  - Consider whether the addressable implementation specifications of this standard are reasonable and appropriate:
    - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
    - Implement a mechanism to encrypt and decrypt EPHI.

Terminate Access if it is No Longer Required
  - Ensure that access to EPHI is terminated if the access is no longer authorized.

RESOURCES REQUIRED
Support agreements and other resources required to execute:

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier    Deliverable    Consumer    Status
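Most of the PR.AC-1 account-management controls can be checked mechanically against an account inventory. The Python script below is an added example, not part of this plan or of NIST SP 800-53: it reviews a constructed directory export (joined with an HR status feed) against AC-2(h), AC-2(j), AC-2(k), IA-4(e) and the 90-day password change standard from erisk 7.5 (IA-5(g)). The field names, the 90-day inactivity threshold and the 180-day review interval are assumptions, since the plan leaves those periods organization-defined.

```python
"""Account-review checks for the PR.AC-1 controls (added example, not part of the plan)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are assumptions: the plan leaves them [Assignment: organization-defined],
# except the 90-day password change requirement stated in erisk 7.5.
INACTIVITY_DISABLE_DAYS = 90    # IA-4(e): disable the identifier after this much inactivity
PASSWORD_MAX_AGE_DAYS = 90      # IA-5(g) / erisk 7.5: 90-day change requirement
REVIEW_INTERVAL_DAYS = 180      # AC-2(j): account review frequency (assumed)


@dataclass
class Account:
    """One row of a hypothetical directory export joined with the HR feed."""
    name: str
    kind: str                            # "user", "admin" or "shared"
    enabled: bool
    hr_status: str                       # "active" or "terminated"
    last_logon: date
    password_set: date
    last_reviewed: Optional[date] = None
    members: tuple = ()                  # shared accounts: current members
    members_at_last_reissue: tuple = ()  # shared accounts: members when the credential was last reissued


def review_account(acct: Account, today: date) -> list[str]:
    """Return findings for one account, each tagged with the control it maps to."""
    findings = []
    # AC-2(h)(2): terminated or transferred users are reported to the account manager.
    if acct.hr_status == "terminated" and acct.enabled:
        findings.append("AC-2(h): user terminated in HR but account still enabled")
    # IA-4(e): the identifier is disabled after the inactivity period.
    idle_days = (today - acct.last_logon).days
    if acct.enabled and idle_days > INACTIVITY_DISABLE_DAYS:
        findings.append(f"IA-4(e): no logon for {idle_days} days; disable identifier")
    # IA-5(g) / erisk 7.5: authenticators are refreshed on a 90-day cycle.
    pw_age = (today - acct.password_set).days
    if pw_age > PASSWORD_MAX_AGE_DAYS:
        findings.append(f"IA-5(g): password is {pw_age} days old")
    # AC-2(k) / IA-5(j): shared credentials are reissued when group membership changes.
    if acct.kind == "shared" and set(acct.members) != set(acct.members_at_last_reissue):
        findings.append("AC-2(k): membership changed since last credential reissue")
    # AC-2(j): every account is reviewed at the defined frequency.
    if acct.last_reviewed is None or (today - acct.last_reviewed).days > REVIEW_INTERVAL_DAYS:
        findings.append("AC-2(j): account not reviewed within the review interval")
    return findings


def review_inventory(accounts, today: date) -> dict[str, list[str]]:
    """Run the checks over an inventory; only non-compliant accounts are returned."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample inventory (not real data), reviewed as of the date below.
TODAY = date(2017, 6, 30)
SAMPLE_INVENTORY = [
    Account("jdoe", "user", True, "active", date(2017, 6, 28), date(2017, 5, 1), date(2017, 3, 1)),
    Account("rsmith", "user", True, "terminated", date(2017, 2, 10), date(2017, 1, 5), date(2017, 1, 15)),
    Account("svc-backup", "admin", True, "active", date(2017, 6, 29), date(2016, 12, 1)),
    Account("ops-shared", "shared", True, "active", date(2017, 6, 30), date(2017, 6, 1), date(2017, 6, 1),
            members=("alice", "bob"), members_at_last_reissue=("alice", "bob", "carol")),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Each finding names the control it maps to, so the output can be pasted straight into the Deliverables Status table for the corresponding erisk answer.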
Manage and Protect Physical Access to Assets PR.AC-2

Physical access to assets is managed and protected.

Primary Control Reference - NIST SP Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
- Control: The organization:
  a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
  b. Reviews and updates the current:
     1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
     2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

PE-2 PHYSICAL ACCESS AUTHORIZATIONS
- Control: The organization:
  a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
  b. Issues authorization credentials for facility access;
  c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
  d. Removes individuals from the facility access list when access is no longer required.

PE-3 PHYSICAL ACCESS CONTROL
- Control: The organization:
  a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
     1. Verifying individual access authorizations before granting access to the facility; and
     2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
  b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
  c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
  d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
  e. Secures keys, combinations, and other physical access devices;
  f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
  g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
- Control: The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
- Control: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

PE-6 MONITORING PHYSICAL ACCESS
- Control: The organization:
  a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
  b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
  c. Coordinates results of reviews and investigations with the organizational incident response capability.

PE-9 POWER EQUIPMENT AND CABLING
- Control: The organization protects power equipment and power cabling for the information system from damage and destruction.

RISK MANAGEMENT: erisk Self-Assessment
Questions that apply:

COMPLIANCE MANAGEMENT: PCI Compliance Requirements
Requirements that apply:

HIPAA AND TEXAS HOUSE BILL 300 Requirements
Requirements and questions that apply:

RESOURCES REQUIRED
Support agreements and other resources required to execute:

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier    Deliverable    Consumer    Status
Manage Remote Access PR.AC-3

Remote access is managed.

Primary Control Reference - NIST SP Rev. 4 AC-17, AC-19, AC-20

AC-17 REMOTE ACCESS
- Control: The organization:
  a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
  b. Authorizes remote access to the information system prior to allowing such connections.

AC-19 ACCESS CONTROL FOR MOBILE DEVICES
- Control: The organization:
  a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
  b. Authorizes the connection of mobile devices to organizational information systems.

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
- Control: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
  a. Access the information system from external information systems; and
  b. Process, store, or transmit organization-controlled information using external information systems.

RISK MANAGEMENT: erisk Self-Assessment
Questions that apply:

COMPLIANCE MANAGEMENT: PCI Compliance Requirements
Requirements that apply:

HIPAA AND TEXAS HOUSE BILL 300 Requirements
Requirements and questions that apply:

RESOURCES REQUIRED
Support agreements and other resources required to execute:

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier    Deliverable    Consumer    Status
Manage Access Permissions and Authorizations, Incorporating Principles of Least Privilege and Separation of Duties PR.AC-4

Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Primary Control Reference - NIST SP Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

AC-2 ACCOUNT MANAGEMENT
- Control: The organization:
  a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
  b. Assigns account managers for information system accounts;
  c. Establishes conditions for group and role membership;
  d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
  f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
  g. Monitors the use of information system accounts;
  h. Notifies account managers:
     1. When accounts are no longer required;
     2. When users are terminated or transferred; and
     3. When individual information system usage or need-to-know changes;
  i. Authorizes access to the information system based on:
     1. A valid access authorization;
     2. Intended system usage; and
     3. Other attributes as required by the organization or associated missions/business functions;
  j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
  k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-3 ACCESS ENFORCEMENT
- Control: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-5 SEPARATION OF DUTIES
- Control: The organization:
  a. Separates [Assignment: organization-defined duties of individuals];
  b. Documents separation of duties of individuals; and
  c. Defines information system access authorizations to support separation of duties.

AC-6 LEAST PRIVILEGE
- Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

AC-16 SECURITY ATTRIBUTES
- Control: The organization:
  a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
  b. Ensures that the security attribute associations are made and retained with the information;
  c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
  d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.

RISK MANAGEMENT: erisk Self-Assessment
Questions that apply:

COMPLIANCE MANAGEMENT: PCI Compliance Requirements
Requirements that apply:

HIPAA AND TEXAS HOUSE BILL 300 Requirements
Requirements and questions that apply:

RESOURCES REQUIRED
Support agreements and other resources required to execute:

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier    Deliverable    Consumer    Status
Protect Network Integrity Incorporating Network Segregation Where Appropriate PR.AC-5

Network integrity is protected, incorporating network segregation where appropriate.

Primary Control Reference - NIST SP Rev. 4 AC-4, SC-7

AC-4 INFORMATION FLOW ENFORCEMENT
- Control: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].

SC-7 BOUNDARY PROTECTION
- Control: The information system:
  a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
  b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
  c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

RISK MANAGEMENT: erisk Self-Assessment
Questions that apply:

COMPLIANCE MANAGEMENT: PCI Compliance Requirements
Requirements that apply:

HIPAA AND TEXAS HOUSE BILL 300 Requirements
Requirements and questions that apply:

RESOURCES REQUIRED
Support agreements and other resources required to execute:

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier    Deliverable    Consumer    Status
Identities Proofed, Bound to Credentials and Asserted in Interaction When Appropriate PR.AC-6

Identities are proofed and bound to credentials, and asserted in interactions when appropriate.

Primary Control Reference - NIST SP Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16, AC-19, AC-24, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

AC-2 ACCOUNT MANAGEMENT - Control: The organization:
  a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
  b. Assigns account managers for information system accounts;
  c. Establishes conditions for group and role membership;
  d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
  f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
  g. Monitors the use of information system accounts;
  h. Notifies account managers:
     1. When accounts are no longer required;
     2. When users are terminated or transferred; and
     3. When individual information system usage or need-to-know changes;
  i. Authorizes access to the information system based on:
     1. A valid access authorization;
     2. Intended system usage; and
     3. Other attributes as required by the organization or associated missions/business functions;
  j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
  k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-3 ACCESS ENFORCEMENT - Control: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-5 SEPARATION OF DUTIES - Control: The organization:
  a. Separates [Assignment: organization-defined duties of individuals];
  b. Documents separation of duties of individuals; and
  c. Defines information system access authorizations to support separation of duties.

AC-6 LEAST PRIVILEGE - Control: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

AC-16 SECURITY ATTRIBUTES - Control: The organization:
  a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
  b. Ensures that the security attribute associations are made and retained with the information;
  c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
  d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.

AC-19 ACCESS CONTROL FOR MOBILE DEVICES - Control: The organization:
  a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
  b. Authorizes the connection of mobile devices to organizational information systems.

IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Control: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-4 IDENTIFIER MANAGEMENT - Control: The organization manages information system identifiers by:
  a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
  b. Selecting an identifier that identifies an individual, group, role, or device;
  c. Assigning the identifier to the intended individual, group, role, or device;
  d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
  e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].

IA-5 AUTHENTICATOR MANAGEMENT - Control: The organization manages information system authenticators by:
  a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
  b. Establishing initial authenticator content for authenticators defined by the organization;
  c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
  e. Changing default content of authenticators prior to information system installation;
  f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
  g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
  h. Protecting authenticator content from unauthorized disclosure and modification;
  i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
  j. Changing authenticators for group/role accounts when membership to those accounts changes.

IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Control: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES - Control: The organization:
  a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
     1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
     2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
  b. Reviews and updates the current:
     1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
     2. Physical and environmental protection procedures [Assignment: organization-defined frequency].

PS-3 PERSONNEL SCREENING - Control: The organization:
  a. Screens individuals prior to authorizing access to the information system; and
  b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

RISK MANAGEMENT:
erisk Self-Assessment Questions that apply

COMPLIANCE MANAGEMENT:
PCI Compliance Requirements - Requirements that apply
HIPAA AND TEXAS HOUSE BILL 300 Requirements - Requirements and questions that apply

RESOURCES REQUIRED
Support agreements and other resources required to execute

LINKS TO SUPPORTING POLICIES, DOCUMENTATION, AND RESOURCES

DELIVERABLES STATUS:
Supplier | Deliverable | Consumer | Status
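The account-lifecycle controls cited under PR.AC-6 describe what an account review must catch but not how the check is performed. The following is an added example, not part of this security plan or of NIST SP 800-53, showing one way to turn three of those requirements into a periodic review: IA-4(e) disabling identifiers after a period of inactivity, IA-4(d) preventing reuse of a retired identifier for a set period, and AC-2(k)/IA-5(j) reissuing shared/group credentials when membership changes. The record layout, the 90-day and 365-day thresholds, and the sample accounts are all constructed for illustration and stand in for the organization-defined values the controls leave open.

```python
"""Account and identifier lifecycle review (added example; not the policy's own tooling).

Implements three checks drawn from the PR.AC-6 control references:
  * IA-4(e): flag enabled identifiers inactive longer than the organization-defined period
  * IA-4(d): flag identifiers re-assigned before the no-reuse period elapsed
  * AC-2(k) / IA-5(j): flag group credentials not reissued after membership changed
Thresholds, record shapes and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_DAYS = 90           # assumed organization-defined inactivity period (IA-4 e)
REUSE_QUARANTINE_DAYS = 365    # assumed organization-defined no-reuse window (IA-4 d)


@dataclass
class Account:
    identifier: str
    enabled: bool
    last_login: Optional[date]   # None means the account has never been used
    created: date


@dataclass
class RetiredIdentifier:
    identifier: str
    retired_on: date


@dataclass
class GroupCredential:
    group: str
    members: frozenset                # current membership
    members_at_last_rotation: frozenset
    last_rotated: date


def inactive_accounts(accounts, today, inactivity_days=INACTIVITY_DAYS):
    """IA-4(e): enabled accounts whose last use (or creation, if never used) predates the cutoff."""
    cutoff = today - timedelta(days=inactivity_days)
    return sorted(a.identifier for a in accounts
                  if a.enabled and (a.last_login or a.created) < cutoff)


def reused_identifiers(accounts, retired, today, quarantine_days=REUSE_QUARANTINE_DAYS):
    """IA-4(d): identifiers assigned to a new account while the retired identifier was still reserved."""
    reserved = {r.identifier: r.retired_on for r in retired
                if r.retired_on + timedelta(days=quarantine_days) > today}
    return sorted(a.identifier for a in accounts
                  if a.identifier in reserved and a.created > reserved[a.identifier])


def stale_group_credentials(group_creds):
    """AC-2(k) / IA-5(j): shared credentials whose membership changed since the last reissue."""
    return sorted(g.group for g in group_creds if g.members != g.members_at_last_rotation)


def review(accounts, retired, group_creds, today):
    """Run all three checks and return the findings keyed by the action the control requires."""
    return {
        "disable_for_inactivity": inactive_accounts(accounts, today),
        "identifier_reused_too_soon": reused_identifiers(accounts, retired, today),
        "rotate_group_credential": stale_group_credentials(group_creds),
    }


# Constructed sample data for a review run on 2018-03-01.
TODAY = date(2018, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2018, 2, 20), date(2015, 1, 1)),
    Account("bob", True, date(2017, 10, 1), date(2016, 5, 5)),     # idle for more than 90 days
    Account("svc-backup", True, None, date(2017, 6, 1)),            # created, never used
    Account("carol", False, date(2017, 1, 1), date(2014, 1, 1)),   # already disabled; not re-flagged
    Account("dave", True, date(2018, 2, 28), date(2018, 1, 15)),   # identifier reissued too soon
]
SAMPLE_RETIRED = [
    RetiredIdentifier("dave", date(2017, 11, 1)),   # still inside the 365-day quarantine
    RetiredIdentifier("erin", date(2015, 1, 1)),    # quarantine long expired
]
SAMPLE_GROUPS = [
    GroupCredential("ops-shared", frozenset({"alice", "bob"}), frozenset({"alice", "bob"}), date(2018, 1, 1)),
    GroupCredential("dba-shared", frozenset({"alice"}), frozenset({"alice", "carol"}), date(2017, 6, 1)),
]

if __name__ == "__main__":
    for action, ids in review(SAMPLE_ACCOUNTS, SAMPLE_RETIRED, SAMPLE_GROUPS, TODAY).items():
        print(f"{action}: {', '.join(ids) or 'none'}")
```

Each finding maps back to the clause that requires it, so the output of a review run can be filed directly against the AC-2(j) review frequency in the Deliverables Status table. Never-used accounts are measured from their creation date so that an identifier issued but never activated does not escape the IA-4(e) check; disabled accounts are excluded so a review does not keep re-reporting identifiers already acted on.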
FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from
More informationHow Managed File Transfer Addresses HIPAA Requirements for ephi
How Managed File Transfer Addresses HIPAA Requirements for ephi INTRODUCTION These new requirements have effectively made traditional File Transfer Protocol (FTP) file sharing ill-advised, if not obsolete.
More informationA company built on security
Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for
More information