ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a)

Transcription

1 1 Information Security Program Policy 1.2 Management Direction for Information Security Publishing An Information Security Policy Information Security Program Plan 12.1 & (a)(1)(i) & 17.03(1), & 6801(b)(1) (a)-(b) 17.03(2)(b)(2) ID.GV-1 & ID.GV Assigned Information Security Responsibilities (a)(2) Safeguards Rule 17.03(2)(a) 622(2)(d)(A)(i) ID.AM-6 & ID.GV Information Security Resources Risk Management Review of Information Security Policies Information Security Documentation Review Information Security Organization Policy 2.1 Internal Organization Information Security Roles & Responsibilities Roles & Responsibilities Position Categorization (a)(3)(i) & (ii) & (A) PR.IP Segregation of Duties Incompatible Roles Two-Person Rule External Authorities Contacts With Authorities Special Interest Groups Contacts With Security Groups & Associations & (A)(5)(ii) & (ii)(a) ID.RA-2 & RS.CO Security Industry Alerts & Notification Process 6.2 & (A)(5)(ii) & (ii)(a) Information Security in Project Management Security Assessments 17.03(2)(h) 622(2)(B)(i)-(iv) ID.RA-1, PR.IP-7, DE.DP- 1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5 & RS.CO System Security Plan (SSP) PR.IP-7 & DE.DP Mobile Devices and Teleworking Mobile Device Management Access Control For Mobile Devices PR.AC Central Management Of Mobile Devices Remote Purging Personally Owned Devices Tamper Protection & Detection Teleworking Telecommuting Remote Access & PR.AC-3 & PR.PT Privileged Commands & Access Non-Local Maintenance PR.MA Non-Local Maintenance Approvals & Notifications Non-Local Maintenance Cryptographic Protection Remote Disconnect Verification Auditing 3 Human Resource Security Policy 3.1 Prior to Employment Screening Personnel Screening (a)(3)(ii) & (B) PR.DS-5 & PR.IP Terrms and Conditions of Employment Access Agreements (a)(4)(i) PR.DS-5 & PR.IP During Employment Management Responsibilities Rules of Behavior Social Media & Social Networking Restrictions Position Categorization Third-Party Personnel Security Information Security Awareness, Education and Training Information Security Workforce 4.2, 12.3, , , , & (b) (a)(3)(i) & (ii) & (A) Security Training & (8) 622(2)(d)(A)(iv) 17.03(2)(b)(2) PR.IP-11 ID.AM-6, ID.GV-2, PR.AT- 3 & PR.IP-11 PR.AT-1, PR.AT-2, PR.AT- 4 & PR.AT-5 PR.AT-2, PR.AT-4 & PR.AT-5

2 Awareness Training for Sensitive Information 1.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.8, 9.10, 10.9, 11.6, 12.6, , , & , Vendor Security Training Security Training Records Security Awareness (a)(5)(i) & (a)(5)(ii)(A) Testing, Training & Monitoring PR.IP-10, DE.DP-1, DE.DP-2, DE.DP-3 & DE.DP Practical Exercises Insider Threat Awareness Security Industry Alerts & Notification Process 6.2 & (A)(5)(ii) & (ii)(a) Disciplinary Process Personnel Sanctions (a)(1)(ii)(C) 17.03(2)(d) PR.IP Workplace Investigations 3.3 Termination and Change of Employment Termination or Change of Employment Responsibilities Personnel Termination (a)(3)(ii) & (C) MA201CMR (2)(e) PR.IP High-Risk Terminations Personnel Transfer PR.IP-11 4 Asset Management Policy 4.1 Responsibility for Assets Inventory of Assets Information System Inventory Information System Component Inventory Approved Deviations (d)(2)(iii) ID.AM-1, ID.AM-2, PR.DS-3, PR.PT-3 & DE.CM Network Diagrams & Ownership of Assets Default Settings Share Hosting Providers 2.6 & Intranets ID.AM-4 & PR.AC Acceptable Use of Assets Rules of Behavior 4.2, 12.3, , , , & Social Media & Social Networking Restrictions Acceptable Use for Critical Technologies Return of Assets Asset Collection 4.2 Information Classification Classification of Information Security Categorization ID.AM-5, ID.RA-4 & ID.RA Labeling of Information Media Marking Handling of Assets Media Transportation 9.6, 9.6.2, & (d)(1) 17.03(2)(c) 620 PR.PT Media Custodians Cryptographic Protection (Encrypting Data In Storage Media) Media Handling Management of Removable Media Media Use PR.PT Media Access (a)(4)(ii)(C) PR.PT Disposal of Media Data Retention & Disposal Chapter29-Schedule1- Part1-Principle Media Sanitization 9.8, & (d)(2)(i) 622(2)(d)(C)(i) & 622(2)(d)(C)(iv) PR.DS-3 & PR.IP Media Sanitization Documentation (d)(2)(ii) Physical Media Transfer Strict Control of Media Accesss Control Policy 5.1 Business Requirements of Access Control Access Control , Identification & Authentication Access To Sensitive Data Access Control Procedures 8.1 & (a)(1) Access to Networks and Network Services Least Functionality 1.1.5, 1.2.1, 2.2.2, & (2)(a) 2-1 PR.IP Prevent Program Execution 5.2 User Access Management User Registration and De-Registration (b) 17.04(8) & 17.03(2)(b)(1) 17.03(2)(b)(2) PR.AT-1

3 User ID Management 8.1, Account Management , 8.2.2, 8.5, 8.5.1, 8.6 & (d) 17.04(1(a) User Access Provisioning Account Provisioning Role-Based Access Control (RBAC) 7.1, , 7.2, (a)(4(ii)(A) & (B) & & (C) Management of Privileged Access Rights Privileged Commands & Access Management of Secret Authentication Information of Users User Identification & Authentication for Organizational Users & (1)(c) & 17.04(2)(b) Multifactor Authentication Identifier Management (User Names) (a)(2)(i) 17.04(1)(d) Privileged Account Management Identification & Authentication (Non-Organizational Users) Service Provider Identification & Authentication (Vendors) Review of User Access Rights Periodic Review Removal or Adjustment of Access Rights Access Enforcement 7.1, , 7.2, 17.04(1)(b) & (a)(4(i) & (ii) & (2)(a) 622(2)(d)(C)(iii) 5.3 Responsibilities Use of Secret Authentication Information Individual Credentials Credential Sharing System and Application Access Control Information Access Restriction Access Control Lists (ACLs) Database Access Secure Log-On Procedures Trusted Communications Path Device-To-Device Identification & Authentication System Use Notification (Logon Banners) System Use Notification Standardized Microsoft Windows Logon Banner System Use Notification Truncated Logon Banner Previous Logon Notification Password Management System Authenticator Management (Passwords) 8.1.2, 8.2.3, & (a)(5)(ii)(D) 17.04(1)(b)-(e) & 17.04(2)(b) Framework PR.AC-1, PR.AC-4, DE.CM-1 & DE.CM Vendor-Supplied Defaults 2.1, & Authenticator Feedback Cryptographic Module Authentication Re-Authentication Use of Privileged Utility Programs Access Enforcement 7.1, , 7.2, 17.04(1)(b) & PR.AM-3, PR.AC-4 & (a)(4(i) & (ii) 622(2)(d)(C)(iii) & (2)(a) PR.PT Least Privilege 622(2)(d)(C)(iii) PR.AC-4 & PR.DS Access Control to Program Source Code Source Code Library Privileges 6 Cryptography Policy 6.1 Cyrptographic Controls Use of Cryptographic Controls Use of Cryptography & (e)(2)(ii) PR.DS Transmission Confidentiality (e)(1) & (e)(2)(i) 17.04(3) 622(2)(d)(C)(iii) Non-Local Maintenance Cryptographic Protection Wireless Access Authentication & Encryption Encrypting Data At Rest 3.4 & (a)(2)(iv) 17.04(5) 622(2)(d)(C)(iii) PR.DS Non-Console Administrative Access Key management Key Management Program Key Management Processes Physical and Environmental Security Policy 7.1 Secure Areas Physical Security Perimeter Physical Access Authorizations (a)(2)(ii) PR.AC Role-Based Physical Access (a)(2)(iii) Identification Requirement 9.4 & Restrict Unescorted Access Physical Access Control 9.1, 9.1.1, & (a)(2)(iv) 17.03(2)(g) 622(2)(d)(C)(ii) PR.AC-2, DE.CM-2, DE.CM-7 & DE.DP Physical Access Logs Lockable Physical Casings Access Control For Transmission Medium & (2)(d)(C)(ii) PR.AC-2 PR.AM-3, PR.AC-4 & PR.PT-3

4 Access Control For Output Devices 622(2)(d)(C)(ii) PR.AC Monitoring Physical Access 9.1 & (c) 622(2)(d)(C)(ii) PR.AC-2, DE.CM-2, DE.CM-7, RS.AN-1 & RS.CO Visitor Control & (2)(d)(C)(ii) Access Records (2)(d)(C)(ii) Physical Entry Controls Facility Entry Controls Authorizing & Monitoring Visitors Distinguish Visitors from On-Site Personnel Securing Offices, Rooms and Facilities Physical Access Controls to Sensitive Areas Physically Secure All Media Protecting Against External and Environmental Threats Risk Assessment 12.2 ID.RA-1, ID.RA-3, ID.RA (a)(1)(ii)(A) & Safeguards Rule 17.03(2)(b) 622(2)(A)(ii) 4, ID.RA-5, PR.IP-12, (B) DE.AE-4 & RS.MI Risk Ranking Security Industry Alerts & Notification Process 6.2 & (A)(5)(ii) & (ii)(a) Threat Analysis & Flaw Remediation Working in Secure Areas Workstation Security Delivery and Loading Areas Delivery & Removal 622(2)(d)(C)(ii) PR.DS Equipment Equipment Siting and Protection Location of Information System Components PR.IP Media Storage 9.5, 9.5.1, 9.6, 9.6.1, 9.6.2, 9.7 & (d)(2)(iv) 17.03(2)(c) 620 & 622(2)(d)(C)(i) PR.PT Supporting utilities Automatic Voltage Controls Emergency Shutoff PR.IP Emergency Power ID.BE Emergency Lighting Fire Protection PR.IP Fire Detection Devices PR.IP Fire Suppression Devices Temperature & Humidity Controls PR.IP Water Damage Protection PR.IP Cabling Security Power Equipment & Power Cabling ID.BE-4 & PR.AC Equipment Maintenance Controlled Maintenance PR.MA Maintenance Activities Maintenance Tools PR.MA Maintenance Personnel PR.MA Timely Maintenance Removal of Assets Delivery & Removal 622(2)(d)(C)(ii) PR.DS Security of Equipment and Assets Off-Premises Media Distribution Secure Disposal or Re-Use of Equipment Media Destruction Unattended User Equipment Device Storage in Automobiles Kiosks & Point of Sale Devices Clear Desks and Clear Screens Workplace Security 8 Operations Security Policy 8.1 Operational Procedures and Responsibilities Doccumented Operating Procedures Security Concept of Operations (CONOPS) Operational Security (OPSEC) System Security Plans PR.IP-7 & DE.DP Change Management Configuration Change Control PR.IP-1, PR.IP-3, DE.CM- 1 & DE.CM Prohibition of Changes Security Representative for Changes Security Impact Analysis for Changes 6.4, 6.4.5, PR.IP-1 & PR.IP Configuration Management Baseline Configurations PR.DS-7, PR.IP-1 & DE.AE Baseline Configuration Reviews & Updates Retention of Previous Configurations Network Device Configuration File Synchronization 1.2.2

5 8.1.3 Capacity Management Capacity Management PR.DS-4 & PR.PT Separation of Development, Testing and Operational Environments Separate Development & Test Environments Protection from Malware Controls Against Malware , Antimalware Mechanisms Antimalware Installation Antimalware Signature Updates Malware Protection Procedures Backup Information Backup Information System Backup (a)(7)(ii)(A) PR.IP Information System Recovery & Reconstitution (a)(7)(ii)(B) RS.RP-1 & RC.RP Transaction Recovery Failover Capability Electronic Discovery (ediscovery) Information System Imaging Backup & Restoration Hardware Protection 8.4 Logging and Monitoring Event Logging Automated Audit Trails Audit Trail Content Log Review & Linking Access to Individual Users File Integrity Monitoring (FIM) Protection of Log Information Securing Audit Trails Retention of Audit Trail History Administrator and Operator Logs Privileged Functions Logging 10.2 & Clock Synchronization Network Time Protocol (NTP) Control of Operational Software Installation of Software on Operational Systems Access Restriction for Change PR.IP Technical Vulnerability Management Management of Technical Vulnerabilities Software Patching Vulnerability Scanning Penetration Testing Vulnerability Ranking Vulnerability Remediation Restrictions on Software Installation User-Installed Software DE.CM Unauthorized Installation Alerts Prohibit Installation Without Privileged Status 8.7 Information Systems Audit Considerations Information Systems Audit Controls Security-Related Activity Planning 17.03(2)(b)(i) 9 Communications Security Policy 9.1 Network Security Management Network Controls Firewall & Router Configurations Safeguarding Data over Open Networks Transmitting Sensitive Data Rogue Wireless Detection Intrusion Detection & Prevention Systems Security of Network Services Restricting Connections Segregation in Networks , Security Function Isolation 1.2, 1.3.1, & Layered Defenses Application Partitioning Information Transfer Information Transfer Policies and Procedures Direct Internet Access Agreements on Information Transfer Access Agreements for Information Transfer (a)(4)(i)

6 9.2.3 Electronic Messaging Transmission Confidentiality (e)(1) & (e)(2)(i) 17.04(3) 622(2)(d)(C)(iii) Ad-Hoc Transfers Communications Technologies Intranets ID.AM-4 & PR.AC Confidentiality or Non-Disclosure Agreements (NDAs) Business Partner Contracts (b)(1), (a)(1)(i)-(ii), (a)(1)(ii)(A)-(B), (a)(2)(i)(A)-(D), (a)(2)(i)(A)-(D), (a)(2)(ii)(1)-( Third-Party Personnel Security ID.AM-6, ID.GV-2, PR.AT- 3 & PR.IP Monitoring for Information Disclosure 17.04(3) PR.PT-1 & DE.CM-3 10 Sytem Acquisition, Development and Maintenance Policy 10.1 Security Requirements of Information Systems Information Security Requirements Analysis and Specification Secure Configurations Securing Application Services on Public Networks Software Firewall Protecting Application Services Transactions Transmission Integrity (e)(2)(i) PR.DS-2 & PR.DS Security in Development and Support Processes Secure Development Application Development System Change Control Procedures Change Control Secure Coding Principles Technical Review of Applications After Operating Platform Changes Test, Validate & Document Changes Security Functionality Verification Restrictions on Changes to Software Packages Library Privileges Secure System Engineering Principles Secure System Engineering Principles 2.2 PR.IP Ports, Protocols & Services Documentation Secure Development Environment Development Environments Outsourced Development External Service Providers & (2)(f)(1) 622(2)(d)(A)(v) ID.AM-4, PR.AT-3 & DE.CM Developer Configuration Management 17.03(2)(d)(B)(i) PR.IP-1, PR.IP-2 & PR.IP System Security Testing Security Assessments 17.03(2)(h) 622(2)(B)(i)-(iv) ID.RA-1, PR.IP-7, DE.DP- 1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5 & RS.CO Plan of Action & Milestones (POA&M) System Acceptance Testing Security Authorization 10.3 Test Data Protection of Test Data Use of Live Data 6.4 & (2)(d)(B)(i) Test Data Integrity Information Output Handling & Retention 3.1 & (2)(C)(i) & (iv) 11 Supplier Relationships Policy 11.1 Information Security in Supplier Relationships nformation Security Policy for Supplier Relationships Service Provider Management System Development Life Cycle (SDLC) PR.IP Acquisition Process PR.IP-2 & DE.CM Commercial Off-The-Shelf (COTS) Security Solutions Functional Properties of Security Controls Design & Implementation of Security Controls Development Methods Developer Documentation ID.RA Developer Documentation Ports, Protocols & Services In Use Developer Documentation Functional Properties of Security Controls Developer Documentation External System Interfaces Developer Documentation High-Level Design Developer Documentation Low-Level Design Developer Documentation Source Code Addressing Security Within Supplier Agreements Service Provider Accountability 12.9

7 Validate as Genuine & Not Altered Limitation From Harm Information and Communication Technology Supply Chain Supply Chain Protection ID.BE-1 & PR.IP Acquisition Strategies, Tools & Methods Criticality Analysis ID.AM-5, ID.BE-3, ID.BE- 4, ID.BE-5, ID.RA-4 & ID.RM Trustworthiness 11.2 Supplier Service Delivery Management Monitoring and Review of Supplier Services Supplier Reviews Supplier Weakness or Deficiency Remediation Development Process, Standards & Tools 6.3, 6.5, PR.IP Managing Changes to Supplier Services Developer Configuration Management 17.03(2)(d)(B)(i) PR.IP-1, PR.IP-2 & PR.IP Developer Security Testing 6.4 & (2)(d)(B)(i) ID.RA-1 & PR.IP Developer Code Analysis 6.3, & Developer Threat Analysis & Flaw Remediation Information Security Incident Management Policy 12.1 Management of Information Security Incidents and Improvements Responsibilities and Procedures Incident Response Incident Response Training Reporting Information Security Events Incident Reporting (a)(6)(ii) 17.03(2)(j) 604(1)-(5) RS.CO Reporting Information Security Weaknesses Reporting Weaknesses DE.AE-3, DE.AE-5, RS.AN- 1 & RS.AN Incident Reporting Assistance Assessment of and Decision on Information Security Events Integrated Information Security Analysis Team Response to Information Security Incidents Incident Response Plan (IRP) , 12.10, (a)(6)(ii) 622(2)(d)(B)(iii) Learning from Information Security Incidents Incident Response Lessons Learned (a)(6)(i) Collection of Evidence PR.IP-7, PR.IP-9, DE.AE- 3, DE.AE-5, RS.AN-4, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.IM- 1, RS.IM-2, RS.RP-1, RC.RP-1, RC.IM-1 & RC.IM Incident Handling Information Spillage Response 13 Business Continuity Management Policy 13.1 Information Security Continuity Planning Information Security Continuity Contingency Plan Contingency Training Implementing Information Security Continuity (a)(7)(ii)(C) & (a)(2)(ii) DE.AE-2, DE.AE-3, DE.AE- 4, DE.AE-5, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.CO-3, RS.CO-4, RS.IM-1, RS.IM- 2, RS.MI-1, RS.MI-2, RS.RP-1, RC.RP-1, RC.IM- 1, RC.IM-2 & RC.CO-3 RS.CO Contingency Planning Procedures (a)(7)(i) ID.AM-5, ID.AM-6, ID.BE- 1, ID.BE-5, PR.DS-4, PR.IP-7, PR.IP-9, DE.AE- 4, RS.AN-2, RS.AN-4, RS.CO-1, RS.CO-3, RS.CO-4, RS.IM-1, RS.IM- 2, RS.RP-1, RC.IM-1, RC.IM-2 & RC.CO Verify, Review and Evaluate Information Security Continuity Contingency Testing & Exercises (a)(7)(ii)(D) Contingency Plan Update (a)(7)(ii)(E) PR.IP-4 & PR.IP Redundancies Availability of Information Processing Facilities Alternate Storage Site (a)(2)(i) PR.IP Alternate Processing Site Telecommunications Services ID.BE-4 & PR.PT Priority of Service Provisions Storage Site 14 Compliance Policy

8 14.1 Compliance with Legal and Contractual Requirements Identification of Applicable Legislation and Contractual Requirements Regulatory & Non-Regulatory Compliance (a)(8) 6801(b)(3) ID.BE-2, ID.BE-4, ID.GV- 3 & ID.RM Intellectual Property Rights Software Usage Restrictions DE.CM Protection of Records Minimizing Sensitive Data Storage Data Masking Storing Authentication Data Making Sensitive Data Unreadable In Storage Privacy and Protection of Personally Identifiable Information Minimization Of Personally Identifiable Information (PII) Chapter29-Schedule1- Part1-Principle Data Retention & Disposal Chapter29-Schedule1- Part1-Principle Data Collection Sensitive Data Storage 3.2 & Regulation of Cryptographic Controls Export-Controlled Information 14.2 Information Security Reviews Independent Review of Information Security Independent Assessors Compliance with Security Policies and Standards Security Assessments 17.03(2)(h) 622(2)(B)(i)-(iv) ID.RA-1, PR.IP-7, DE.DP- 1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5 & RS.CO Technical Compliance Review Functional Properties Of Security Controls