2024 - HITRUST v11.2.0 - Controls - Tracking Sheet - 6jan2024

Uploaded by Vijay Sekar

Control Control Category Objective Name Objective Name Control Objective: Control Reference

Category # # #

0.00 Information Security 0.01 Information System To implement and manage an 00.a
Management Program Management Program Information Security Management
Program

01.0 Access Control 01.01 Business Requirement To control access to information, 01.a
for Access Control information assets, and business
processes based on business and
security requirements

01.0 Access Control 01.02 Authorized Access to To ensure authorized user 01.b
Information Systems accounts are registered, tracked
and periodically validated to
prevent unauthorized access to
information systems

01.0 Access Control 01.02 Authorized Access to To ensure authorized user 01.c
Information Systems accounts are registered, tracked
and periodically validated to
prevent unauthorized access to
information systems

01.0 Access Control 01.02 Authorized Access to To ensure authorized user 0.1d
Information Systems accounts are registered, tracked
and periodically validated to
prevent unauthorized access to
information systems

01.0 Access Control 01.02 Authorized Access to To ensure authorized user 01.e
Information Systems accounts are registered, tracked
and periodically validated to
prevent unauthorized access to
information systems

01.0 Access Control 01.03 User Responsibilities To prevent unauthorized user 01.f
access, and compromise or theft
of information and information
assets

01.0 Access Control 01.03 User Responsibilities To prevent unauthorized user 01.g
access, and compromise or theft
of information and information
assets

01.0 Access Control 01.03 User Responsibilities To prevent unauthorized user 01.h
access, and compromise or theft
of information and information
assets

01.0 Access Control 01.04 Network Access Control To prevent unauthorized user 01.i
access, and compromise or theft
of information and information
assets
01.0 Access Control 01.04 Network Access Control To prevent unauthorized access to 01.j
networked services

01.0 Access Control 01.04 Network Access Control To prevent unauthorized access to 01.k
networked services

01.0 Access Control 01.04 Network Access Control To prevent unauthorized access to 01.l
networked services

01.0 Access Control 01.04 Network Access Control To prevent unauthorized access to 01.m
networked services

01.0 Access Control 01.04 Network Access Control To prevent unauthorized access to 01.n
networked services

01.0 Access Control 01.04 Network Access Control To prevent unauthorized access to 01.o
networked services

01.0 Access Control 01.05 Operating System To prevent unauthorized access to 01.p
Access Control operating systems
01.0 Access Control 01.05 Operating System To prevent unauthorized access to 01.q
Access Control operating systems

01.0 Access Control 01.05 Operating System To prevent unauthorized access to 01.r
Access Control operating systems

01.0 Access Control 01.05 Operating System To prevent unauthorized access to 01.s
Access Control operating systems

01.0 Access Control 01.05 Operating System Systems for managing passwords 01.t
Access Control shall be interactive and shall
ensure quality passwords
01.0 Access Control 01.05 Operating System To prevent unauthorized access to 01.u
Access Control operating systems

01.0 Access Control 01.06 Application and To prevent unauthorized access to 01.v
Information Access information held in application
Control systems

01.0 Access Control 01.06 Application and To prevent unauthorized access to 01.w
Information Access information held in application
Control systems

01.0 Access Control 01.07 Mobile Computing and To ensure the security of 01.x
Teleworking information when using mobile
computing devices and
teleworking facilities

01.0 Access Control 01.07 Mobile Computing and To ensure the security of 01.y
Teleworking information when using mobile
computing devices and
teleworking facilities
02.0 Human Resources 02.01 Prior to Employment To ensure that employees, 02.a
Security contractors and third-party users
are suitable for the roles for which
they are being considered, to
reduce the risk of fraud, theft, or
misuse of facilities

02.0 Human Resources 02.01 Prior to Employment To ensure that employees, 02.b
Security contractors and third-party users
are suitable for the roles for which
they are being considered, to
reduce the risk of fraud, theft, or
misuse of facilities

02.0 Human Resources 02.02 During On-Boarding To ensure agreements are signed 02.c
Security by employees, contractors and
third-party users of information
assets on their security roles and
responsibilities at the time of their
employment or engagement, prior
to access being granted

02.0 Human Resources 02.03 During Employment To ensure that employees, 02.d
Security contractors and third-party users
are aware of information security
threats and concerns, their
responsibilities and liabilities, and
are equipped to support
organizational security policy in
the course of their normal work,
and to reduce the risk of human
error

02.0 Human Resources 02.03 During Employment To ensure that employees, 02.e
Security contractors and third-party users
are aware of information security
threats and concerns, their
responsibilities and liabilities, and
are equipped to support
organizational security policy in
the course of their normal work,
and to reduce the risk of human
error
02.0 Human Resources 02.03 During Employment To ensure that employees, 02.f
Security contractors and third-party users
are aware of information security
threats and concerns, their
responsibilities and liabilities, and
are equipped to support
organizational security policy in
the course of their normal work,
and to reduce the risk of human
error

02.0 Human Resources 02.04 Termination or Change To ensure that the access rights 02.g
Security of Employment are properly removed, and assets
recovered for terminated
employees and contractors, and
for employees who have changed
employment

02.0 Human Resources 02.04 Termination or Change To ensure that the access rights 02.h
Security of Employment are properly removed, and assets
recovered for terminated
employees and contractors, and
for employees who have changed
employment

02.0 Human Resources 02.04 Termination or Change To ensure that the access rights 02.i
Security of Employment are properly removed, and assets
recovered for terminated
employees and contractors, and
for employees who have changed
employment

03.0 Risk Management 03.01 Risk Management To develop and implement a Risk 03.a
Program Management Program that
addresses Risk Assessments,
Risk Mitigation, and Risk
Evaluations

03.0 Risk Management 03.01 Risk Management To develop and implement a Risk 03.b
Program Management Program that
addresses Risk Assessments,
Risk Mitigation, and Risk
Evaluations

03.0 Risk Management 03.01 Risk Management To develop and implement a Risk 03.c
Program Management Program that
addresses Risk Assessments,
Risk Mitigation, and Risk
Evaluations

03.0 Risk Management 03.01 Risk Management To develop and implement a Risk 03.d
Program Management Program that
addresses Risk Assessments,
Risk Mitigation, and Risk
Evaluations
04.0 Security Policy 04.01 Information Security To provide management direction 04.a
Policy in line with business objectives
and relevant laws and regulations,
demonstrate support for, and
commitment to information
security through the issue and
maintenance of information
security policies across the
organization

04.0 Security Policy 04.01 Information Security To provide management direction 04.b
Policy in line with business objectives
and relevant laws and regulations,
demonstrate support for, and
commitment to information
security through the issue and
maintenance of information
security policies across the
organization

05.0 Organization of 05.01 Internal Organization To maintain the security of the 05.a
Information Security organization's information and
information assets (data centers
or offices that process covered
information)

05.0 Organization of 05.01 Internal Organization To maintain the security of the 05.b
Information Security organization's information and
information assets (data centers
or offices that process covered
information)

05.0 Organization of 05.01 Internal Organization To maintain the security of the 05.c
Information Security organization's information and
information assets (data centers
or offices that process covered
information)

05.0 Organization of 05.01 Internal Organization To maintain the security of the 05.d
Information Security organization's information and
information assets (data centers
or offices that process covered
information)

05.0 Organization of 05.01 Internal Organization To maintain the security of the 05.e
Information Security organization's information and
information assets (data centers
or offices that process covered
information)

05.0 Organization of 05.01 Internal Organization To maintain the security of the 05.f
Information Security organization's information and
information assets (data centers
or offices that process covered
information)

05.0 Organization of 05.01 Internal Organization To maintain the security of the 05.g
Information Security organization's information and
information assets (data centers
or offices that process covered
information)
05.0 Organization of 05.01 Internal Organization To maintain the security of the 05.h
Information Security organization's information and
information assets (data centers
or offices that process covered
information)

05.0 Organization of 05.02 External Parties To ensure that the security of the 05.i
Information Security organization's information and
information assets, are not
reduced by the introduction of
external party products or services

05.0 Organization of 05.02 External Parties To ensure that the security of the 05.j
Information Security organization's information and
information assets, are not
reduced by the introduction of
external party products or services

05.0 Organization of 05.02 External Parties To ensure that the security of the 05.k
Information Security organization's information and
information assets, are not
reduced by the introduction of
external party products or services

06.0 Compliance 06.01 Compliance with Legal To ensure that the design, 06.a
Requirements operation, use, and management
of information systems adheres to
applicable laws, statutory,
regulatory or contractual
obligations, and any security
requirements

06.0 Compliance 06.01 Compliance with Legal To ensure that the design, 06.b
Requirements operation, use, and management
of information systems adheres to
applicable laws, statutory,
regulatory or contractual
obligations, and any security
requirements

06.0 Compliance 06.01 Compliance with Legal To ensure that the design, 06.c
Requirements operation, use, and management
of information systems adheres to
applicable laws, statutory,
regulatory or contractual
obligations, and any security
requirements

06.0 Compliance 06.01 Compliance with Legal To ensure that the design, 06.d
Requirements operation, use, and management
of information systems adheres to
applicable laws, statutory,
regulatory or contractual
obligations, and any security
requirements
06.0 Compliance 06.01 Compliance with Legal To ensure that the design, 06.e
Requirements operation, use, and management
of information systems adheres to
applicable laws, statutory,
regulatory or contractual
obligations, and any security
requirements

06.0 Compliance 06.01 Compliance with Legal To ensure that the design, 06.f
Requirements operation, use, and management
of information systems adheres to
applicable laws, statutory,
regulatory or contractual
obligations, and any security
requirements

06.0 Compliance 06.02 Compliance with To ensure that the design, 06.g
Security Poilcies and operation, use and management
Standards, and of information systems adheres to
Technical Compliance organizational security policies
and standards

06.0 Compliance 06.02 Compliance with To ensure that the design, 06.h
Security Poilcies and operation, use and management
Standards, and of information systems adheres to
Technical Compliance organizational security policies
and standards

06.0 Compliance 06.03 Information System Ensure the integrity and 06.i
Audit Considerations effectiveness of the information
systems audit process

06.0 Compliance 06.03 Information System Ensure the integrity and 06.j
Audit Considerations effectiveness of the information
systems audit process

07.0 Assest Management 07.01 Responsibility for To ensure that management 07.a
Assets requires ownership and defined
responsibilities for the protection
of information assets

07.0 Assest Management 07.01 Responsibility for To ensure that management 07.b
Assets requires ownership and defined
responsibilities for the protection
of information assets

07.0 Assest Management 07.01 Responsibility for To ensure that management 07.c
Assets requires ownership and defined
responsibilities for the protection
of information assets

07.0 Assest Management 07.02 Information To ensure that information 07.d


Classification receives an appropriate and
consistent level of protection
07.0 Assest Management 07.02 Information To ensure that information 07.e
Classification receives an appropriate and
consistent level of protection
08.0 Physical and 08.01 Secure Areas To prevent unauthorized physical 08.a
Environmental Security access, damage, and interference
to the organization's premises and
information

08.0 Physical and 08.01 Secure Areas To prevent unauthorized physical 08.b
Environmental Security access, damage, and interference
to the organization's premises and
information

08.0 Physical and 08.01 Secure Areas To prevent unauthorized physical 08.c
Environmental Security access, damage, and interference
to the organization's premises and
information

08.0 Physical and 08.01 Secure Areas To prevent unauthorized physical 08.d
Environmental Security access, damage, and interference
to the organization's premises and
information

08.0 Physical and 08.01 Secure Areas To prevent unauthorized physical 08.e
Environmental Security access, damage, and interference
to the organization's premises and
information

08.0 Physical and 08.01 Secure Areas To prevent unauthorized physical 08.f
Environmental Security access, damage, and interference
to the organization's premises and
information

08.0 Physical and 08.02 Equipment Security To prevent loss, damage, theft or 08.g
Environmental Security compromise of assets and
interruption to the
organization's activities

08.0 Physical and 08.02 Equipment Security To prevent loss, damage, theft or 08.h
Environmental Security compromise of assets and
interruption to the organization's
activities

08.0 Physical and 08.02 Equipment Security To prevent loss, damage, theft or 08.i
Environmental Security compromise of assets and
interruption to the organization's
activities

08.0 Physical and 08.02 Equipment Security To prevent loss, damage, theft or 08.j
Environmental Security compromise of assets and
interruption to the organization's
activities

08.0 Physical and 08.02 Equipment Security To prevent loss, damage, theft or 08.k
Environmental Security compromise of assets and
interruption to the organization's
activities

08.0 Physical and 08.02 Equipment Security To prevent loss, damage, theft or 08.l
Environmental Security compromise of assets and
interruption to the organization's
activities

08.0 Physical and 08.02 Equipment Security To prevent loss, damage, theft or 08.m
Environmental Security compromise of assets and
interruption to the organization's
activities
09.0 Communications and 09.01 Documented Operating To ensure that operating 09.a
Operations Procedures procedures are documented,
Management maintained and made available to
all users who need them

09.0 Communications and 09.01 Documented Operating To ensure that operating 09.b
Operations Procedures procedures are documented,
Management maintained and made available to
all users who need them

09.0 Communications and 09.01 Documented Operating To ensure that operating 09.c
Operations Procedures procedures are documented,
Management maintained and made available to
all users who need them

09.0 Communications and 09.01 Documented Operating To ensure that operating 09.d
Operations Procedures procedures are documented,
Management maintained and made available to
all users who need them

09.0 Communications and 09.02 Control Third Party To ensure that third party service 09.e
Operations Service Delivery providers maintain security
Management requirements and levels of service
as part of their service delivery
agreements

09.0 Communications and 09.02 Control Third Party To ensure that third party service 09.f
Operations Service Delivery providers maintain security
Management requirements and levels of service
as part of their service delivery
agreements

09.0 Communications and 09.02 Control Third Party To ensure that third party service 09.g
Operations Service Delivery providers maintain security
Management requirements and levels of service
as part of their service delivery
agreements

09.0 Communications and 09.03 System Planning and To ensure that systems meet the 09.h
Operations Acceptance businesses current and projected
Management needs to minimize failures

09.0 Communications and 09.03 System Planning and To ensure that systems meet the 09.i
Operations Acceptance businesses current and projected
Management needs to minimize failures

09.0 Communications and 09.04 Protection Against Ensure that integrity of information 09.j
Operations Malicious and Mobile and software is protected from
Management Code malicious or unauthorized code

09.0 Communications and 09.04 Protection Against Ensure that integrity of information 09.k
Operations Malicious and Mobile and software is protected from
Management Code malicious or unauthorized code

09.0 Communications and 09.05 Information Back-up Ensure the maintenance, integrity, 09.l
Operations and availability of organizational
Management information
09.0 Communications and 09.06 Network Security Ensure the protection of 09.m
Operations Management information in networks and
Management protection of the supporting
network infrastructure
09.0 Communications and 09.06 Network Security Ensure the protection of 09.n
Operations Management information in networks and
Management protection of the supporting
network infrastructure

09.0 Communications and 09.07 Media Handling Prevent unauthorized disclosure, 09.o
Operations modification, removal or
Management destruction of information assets,
or interruptions to business
activities

09.0 Communications and 09.07 Media Handling Prevent unauthorized disclosure, 09.p
Operations modification, removal or
Management destruction of information assets,
or interruptions to business
activities

09.0 Communications and 09.07 Media Handling Prevent unauthorized disclosure, 09.q
Operations modification, removal or
Management destruction of information assets,
or interruptions to business
activities

09.0 Communications and 09.07 Media Handling Prevent unauthorized disclosure, 09.r
Operations modification, removal or
Management destruction of information assets,
or interruptions to business
activities

09.0 Communications and 09.08 Exchange of Information Ensure the exchange of 09.s
Operations information within an organization
Management and with any external entity is
secured and protected, and
carried out in compliance with
relevant legislation and exchange
agreements

09.0 Communications and 09.08 Exchange of Information Ensure the exchange of 09.t
Operations information within an organization
Management and with any external entity is
secured and protected, and
carried out in compliance with
relevant legislation and exchange
agreements

09.0 Communications and 09.08 Exchange of Information Ensure the exchange of 09.u
Operations information within an organization
Management and with any external entity is
secured and protected, and
carried out in compliance with
relevant legislation and exchange
agreements
09.0 Communications and 09.08 Exchange of Information Ensure the exchange of 09.v
Operations information within an organization
Management and with any external entity is
secured and protected, and
carried out in compliance with
relevant legislation and exchange
agreements

09.0 Communications and 09.08 Exchange of Information Ensure the exchange of 09.w
Operations information within an organization
Management and with any external entity is
secured and protected, and
carried out in compliance with
relevant legislation and exchange
agreements

09.0 Communications and 09.09 Electronic Commerce Ensure the security of electronic 09.x
Operations Services commerce services, and their
Management secure use

09.0 Communications and 09.09 Electronic Commerce Ensure the security of electronic 09.y
Operations Services commerce services, and their
Management secure use

09.0 Communications and 09.09 Electronic Commerce Ensure the security of electronic 09.z
Operations Services commerce services, and their
Management secure use

09.0 Communications and 09.10 Monitoring Ensure information security events 09.aa
Operations are monitored and recorded to
Management detect unauthorized information
processing activities in compliance
with all relevant legal
requirements

09.0 Communications and 09.10 Monitoring Ensure information security events 09.ab
Operations are monitored and recorded to
Management detect unauthorized information
processing activities in compliance
with all relevant legal
requirements

09.0 Communications and 09.10 Monitoring Ensure information security events 09.ac
Operations are monitored and recorded to
Management detect unauthorized information
processing activities in compliance
with all relevant legal
requirements

09.0 Communications and 09.10 Monitoring Ensure information security events 09.ad
Operations are monitored and recorded to
Management detect unauthorized information
processing activities in compliance
with all relevant legal
requirements
09.0 Communications and 09.10 Monitoring Ensure information security events 09.ae
Operations are monitored and recorded to
Management detect unauthorized information
processing activities in compliance
with all relevant legal
requirements

09.0 Communications and 09.10 Monitoring Ensure information security events 09.af
Operations are monitored and recorded to
Management detect unauthorized information
processing activities in compliance
with all relevant legal
requirements

10.0 Information Systems 10.01 Security Requirements To ensure that security is an 10.a
Acquisition, of Information Systems integral part of information
Development, and systems
Maintenance

10.0 Information Systems 10.02 Correct Processing in To ensure the prevention of errors, 10.b
Acquisition, Applications loss, unauthorized modification or
Development, and misuse of information in
Maintenance applications, controls shall be
designed into applications,
including user developed
applications to ensure correct
processing. These controls shall
include the validation of input data,
internal processing and output
data

10.0 Information Systems 10.02 Correct Processing in To ensure the prevention of errors, 10.c
Acquisition, Applications loss, unauthorized modification or
Development, and misuse of information in
Maintenance applications, controls shall be
designed into applications,
including user developed
applications to ensure correct
processing. These controls shall
include the validation of input data,
internal processing and output
data

10.0 Information Systems 10.02 Correct Processing in To ensure the prevention of errors, 10.d
Acquisition, Applications loss, unauthorized modification or
Development, and misuse of information in
Maintenance applications, controls shall be
designed into applications,
including user developed
applications to ensure correct
processing. These controls shall
include the validation of input data,
internal processing and output
data
10.0 Information Systems 10.02 Correct Processing in To ensure the prevention of errors, 10.e
Acquisition, Applications loss, unauthorized modification or
Development, and misuse of information in
Maintenance applications, controls shall be
designed into applications,
including user developed
applications to ensure correct
processing. These controls shall
include the validation of input data,
internal processing and output
data

10.0 Information Systems 10.03 Cryptographic Controls To protect the confidentiality, 10.f
Acquisition, authenticity and integrity of
Development, and information by cryptographic
Maintenance means. A policy shall be
developed on the use of
cryptographic controls. Key
management should be in place to
support the use of cryptographic
techniques

10.0 Information Systems 10.03 Cryptographic Controls To protect the confidentiality, 10.g
Acquisition, authenticity and integrity of
Development, and information by cryptographic
Maintenance means. A policy shall be
developed on the use of
cryptographic controls. Key
management should be in place to
support the use of cryptographic
techniques

10.0 Information Systems 10.04 Security of System Files To ensure the security of system 10.h
Acquisition, files, access to system files and
Development, and program source code shall be
Maintenance controlled, and IT projects and
support activities conducted in a
secure manner

10.0 Information Systems 10.04 Security of System Files To ensure the security of system 10.i
Acquisition, files, access to system files and
Development, and program source code shall be
Maintenance controlled, and IT projects and
support activities conducted in a
secure manner

10.0 Information Systems 10.04 Security of System Files To ensure the security of system 10.j
Acquisition, files, access to system files and
Development, and program source code shall be
Maintenance controlled, and IT projects and
support activities conducted in a
secure manner

10.0 Information Systems 10.05 Security in Development To ensure the security of 10.k
Acquisition, and Support Processes application system software and
Development, and information through the
Maintenance development process, project and
support environments shall be
strictly controlled
10.0 Information Systems 10.05 Security in Development To ensure the security of 10.l
Acquisition, and Support Processes application system software and
Development, and information through the
Maintenance development process, project and
support environments shall be
strictly controlled

10.0 Information Systems 10.06 Technical Vulnerability To reduce the risks resulting from 10.m
Acquisition, Management exploitation of published technical
Development, and vulnerabilities, technical
Maintenance vulnerability management shall be
implemented in an effective,
systematic, and repeatable way
with measurements taken to
confirm its effectiveness

11.0 Information Security 11.01 Reporting Information To ensure information security 11.a
Incident Management Security Incidents and events and weaknesses
Weaknesses associated with information
systems are handled in a manner
allowing timely corrective action to
be taken

11.0 Information Security 11.01 Reporting Information To ensure information security 11.b
Incident Management Security Incidents and events and weaknesses
Weaknesses associated with information
systems are handled in a manner
allowing timely corrective action to
be taken

11.0 Information Security 11.02 Management of To ensure a consistent and 11.c


Incident Management Information Security effective approach to the
Incidents and management of information
Improvements security incidents

11.0 Information Security 11.02 Management of To ensure a consistent and 11.d


Incident Management Information Security effective approach to the
Incidents and management of information
Improvements security incidents

11.0 Information Security 11.02 Management of To ensure a consistent and 11.e


Incident Management Information Security effective approach to the
Incidents and management of information
Improvements security incidents

12.0 Business Continuity 12.01 Information Security To ensure that strategies and 12.a
Management Aspects of Business plans are in place to counteract
Continuity Management interruptions to business activities
and to protect critical business
processes from the effects of
major failures of information
systems or disasters and to
ensure their timely resumption

12.0 Business Continuity 12.01 Information Security To ensure that strategies and 12.b
Management Aspects of Business plans are in place to counteract
Continuity Management interruptions to business activities
and to protect critical business
processes from the effects of
major failures of information
systems or disasters and to
ensure their timely resumption
12.0 Business Continuity 12.01 Information Security To ensure that strategies and 12.c
Management Aspects of Business plans are in place to counteract
Continuity Management interruptions to business activities
and to protect critical business
processes from the effects of
major failures of information
systems or disasters and to
ensure their timely resumption

12.0 Business Continuity Management | 12.01 Information Security Aspects of Business Continuity Management | To ensure that strategies and plans are in place to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption | 12.d

12.0 Business Continuity Management | 12.01 Information Security Aspects of Business Continuity Management | To ensure that strategies and plans are in place to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption | 12.e

13.0 Privacy Practices | 13.01 Transparency | Policies, procedures, and technologies that directly affect data subjects and/or their PII are open and transparent | 13.a

13.0 Privacy Practices | 13.01 Transparency | Policies, procedures, and technologies that directly affect data subjects and/or their PII are open and transparent | 13.b

13.0 Privacy Practices | 13.01 Transparency | Policies, procedures, and technologies that directly affect data subjects and/or their PII are open and transparent | 13.c

13.0 Privacy Practices | 13.02 Individual Participation | Data subjects are provided a reasonable opportunity and capability to access and review their PII and to challenge its accuracy and completeness | 13.d

13.0 Privacy Practices | 13.02 Individual Participation | Data subjects are provided a reasonable opportunity and capability to access and review their PII and to challenge its accuracy and completeness | 13.e

13.0 Privacy Practices | 13.02 Individual Participation | Data subjects are provided a reasonable opportunity and capability to access and review their PII and to challenge its accuracy and completeness | 13.f

13.0 Privacy Practices | 13.03 Purpose Specification | The authorities which permit the collection of PII and specifically the purpose(s) for which the PII is intended to be used are articulated | 13.g

13.0 Privacy Practices | 13.03 Purpose Specification | The authorities which permit the collection of PII and specifically the purpose(s) for which the PII is intended to be used are articulated | 13.h

13.0 Privacy Practices | 13.04 Data Minimization | Only PII that is directly relevant and necessary to accomplish the specified purpose(s) is collected | 13.i

13.0 Privacy Practices | 13.04 Data Minimization | Only PII that is directly relevant and necessary to accomplish the specified purpose(s) is collected | 13.j

13.0 Privacy Practices | 13.05 Use Limitation | PII is used solely for the purpose(s) specified in the privacy notice and only for a purpose that is compatible with the purpose for which the PII was collected | 13.k

13.0 Privacy Practices | 13.05 Use Limitation | PII is used solely for the purpose(s) specified in the privacy notice and only for a purpose that is compatible with the purpose for which the PII was collected | 13.l

13.0 Privacy Practices | 13.06 Data Quality and Integrity | PII is relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, is accurate, complete and kept up-to-date | 13.m

13.0 Privacy Practices | 13.06 Data Quality and Integrity | PII is relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, is accurate, complete and kept up-to-date | 13.n

13.0 Privacy Practices | 13.06 Data Quality and Integrity | PII is relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, is accurate, complete and kept up-to-date | 13.o

13.0 Privacy Practices | 13.07 Accountability and Auditing | The organization is accountable for complying with applicable privacy protection requirements | 13.p

13.0 Privacy Practices | 13.07 Accountability and Auditing | The organization is accountable for complying with applicable privacy protection requirements | 13.q

13.0 Privacy Practices | 13.07 Accountability and Auditing | The organization is accountable for complying with applicable privacy protection requirements | 13.r

13.0 Privacy Practices | 13.07 Accountability and Auditing | The organization is accountable for complying with applicable privacy protection requirements | 13.s

13.0 Privacy Practices | 13.07 Accountability and Auditing | The organization is accountable for complying with applicable privacy protection requirements | 13.t

13.0 Privacy Practices | 13.07 Accountability and Auditing | The organization is accountable for complying with applicable privacy protection requirements | 13.u
Control Reference | Control Specification | Factor Type

Information Security Management Program | An Information Security Management Program (ISMP) shall be defined in terms of the characteristics of the business, and established and managed including monitoring, maintenance and improvement. | Organizational

Access Control Policy | An access control policy shall be established, documented, and reviewed based on business and security requirements for access | Organizational

User Registration | There shall be a formal documented and implemented user registration and deregistration procedure for granting and revoking access. | System

Privilege Management | The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls | System

User Password Management | Passwords shall be controlled through a formal management process | System

Review of User Access Rights | All access rights shall be regularly reviewed by management via a formal documented process | System

Password Use | Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment. | Organizational

Unattended User Equipment | Users shall ensure that unattended equipment has appropriate protection | Organizational

Clear Desk and Clear Screen Policy | A clear desk policy for papers and removable storage media and a clear screen policy for information assets shall be adopted | Organizational

Policy on the Use of Network Services | Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment | Organizational

User Authentication for External Connections | Appropriate authentication methods shall be used to control access by remote users | Organizational

Equipment Identification in Networks | Automatic equipment identification shall be used as a means to authenticate connections from specific locations and equipment | System

Remote Diagnostic and Configuration Port Protection | Physical and logical access to diagnostic and configuration ports shall be controlled | Organizational

Segregation in Networks | Groups of information services, users, and information systems should be segregated on networks | Organizational

Network Connection Control | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications | Organizational

Network Routing Control | Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications | Organizational

Secure Log-on Procedures | Access to operating systems shall be controlled by a secure log-on procedure | System

User Identification and Authentication | All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user | System

Password Management System | Systems for managing passwords shall be interactive and shall ensure quality passwords | System

Use of System Utilities | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled | System

Session Time-out | Inactive sessions shall shut down after a defined period of inactivity | System

Limitation of Connection Time | Restrictions on connection times shall be used to provide additional security for high-risk applications | System

Information Access Restriction | Logical and physical access to information and application systems and functions by users and support personnel shall be restricted in accordance with the defined access control policy | System

Sensitive System Isolation | Sensitive systems shall have a dedicated and isolated computing environment | System

Mobile Computing and Communications | A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication devices | Organizational

Teleworking | A policy, operational plans and procedures shall be developed and implemented for teleworking activities | Organizational

Roles and Responsibilities | Security roles and responsibilities of employees, contractors and third-party users shall be defined and documented in accordance with the organization's information security policy | Organizational

Screening | Background verification checks on all candidates for employment, contractors, and third-party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks | Organizational

Terms and Conditions of Employment | As part of their contractual obligation, employees, contractors and third-party users shall agree and sign the terms and conditions of their employment contract, which shall include their responsibilities for information security | Organizational

Management Responsibilities | Management shall require employees, and where applicable contractors and third-party users, to apply security in accordance with established policies and procedures of the organization | Organizational

Information Security Awareness, Education, and Training | All employees of the organization and contractors and third-party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function | Organizational

Disciplinary Process | There shall be a formal disciplinary process for employees who have violated security policies and procedures. | Organizational

Termination or Change Responsibilities | Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned | Organizational

Return of Assets | All employees, contractors and third-party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement. | Organizational

Removal of Access Rights | The access rights of all employees, contractors and third-party users to information and information assets shall be removed upon termination of their employment, contract or agreement, or adjusted upon a change of employment (i.e. upon transfer within the organization) | Organizational

Risk Management Program Development | Organizations shall develop and maintain a risk management program to manage risk to an acceptable level | Organizational

Performing Risk Assessments | Risk Assessments shall be performed to identify and quantify risks | Organizational

Risk Mitigation | Risks shall be mitigated to an acceptable level | Organizational

Risk Evaluation | Risks shall be continually evaluated and assessed | Organizational

Information Security Policy Document | Information Security Policy documents shall be approved by management, and published and communicated to all employees and relevant external parties. Information Security Policy documents shall establish the direction of the organization and align to best practices, regulatory, federal/state and international laws where applicable. The Information Security policy documents shall be supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership and officer roles | Organizational

Review of the Information Security Policy | The information security policy documents shall be reviewed at planned intervals or if significant changes occur to ensure their continuing adequacy and effectiveness | Organizational

Management Commitment to Information Security | Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities | Organizational

Information Security Coordination | Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions | Organizational

Allocation of Information Security Responsibilities | All information security responsibilities shall be clearly defined | Organizational

Authorization Process for Information Assets and Facilities | A management authorization process for new information assets (e.g. systems and applications) (see Other Information), and facilities (e.g. data centers or offices where covered information is to be processed) shall be defined and implemented | Organizational

Confidentiality Agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed | Organizational

Contact with Authorities | Appropriate contacts with relevant authorities shall be maintained | Organizational

Contact with Special Interest Groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained | Organizational

Independent Review of Information Security | The organization's approach to managing information security and its implementation (control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, at a minimum annually, or when significant changes to the security implementation occur | Organizational

Identification of Risks Related to External Parties | The risks to the organization's information and information assets from business processes involving external parties shall be identified, and appropriate controls implemented before granting access | Organizational

Addressing Security When Dealing with Customers | All identified security requirements shall be addressed before giving customers access to the organization's information or assets | Organizational

Addressing Security in Third Party Agreements | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information assets, or adding products or services to information assets shall cover all relevant security requirements. | Organizational

Identification of Applicable Legislation | All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization | Organizational

Intellectual Property Rights | Detailed procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products | Organizational

Protection of Organizational Records | Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements | Organizational

Data Protection and Privacy of Covered Information | Data protection and privacy shall be ensured as required in relevant legislation, regulations, and contractual clauses | Organizational

Prevention of Misuse of Information Assets | Users shall be deterred from using information assets for unauthorized purposes | Organizational

Regulation of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations | Organizational

Compliance with Security Policies and Standards | Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards | Organizational

Technical Compliance Checking | Information systems shall be regularly checked for compliance with security implementation standards | Organizational

Information Systems Audit Controls | Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to, to minimize the risk of disruptions to business processes

Protection of Information Systems Audit Tools | Access to information systems audit tools shall be protected to prevent any possible misuse or compromise

Inventory of Assets | All assets including information shall be clearly identified and an inventory of all assets drawn up and maintained

Ownership of Assets | All information and assets associated with information processing systems shall be owned by a designated part of the organization

Acceptable Use of Assets | Rules for the acceptable use of information and assets associated with information processing systems shall be identified, documented, and implemented

Classification Guidelines | Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization

Information Labeling and Handling | An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization

Physical Security Perimeter | Security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information assets

Physical Entry Controls | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access

Securing Offices, Rooms, and Facilities | Physical security for offices, rooms, and facilities shall be designed and applied

Protecting Against External and Environmental Threats | Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied

Working in Secure Areas | Physical protection and guidelines for working in secure areas shall be designed and applied

Public Access, Delivery, and Loading Access | Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Equipment Siting and Protection | Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access

Supporting Utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities

Cabling Security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage

Equipment of Maintenance | Equipment shall be correctly maintained to ensure its continued availability and integrity

Security of Equipment Off-Premises | Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises

Secure Disposal or Re-Use of Equipment | All items of equipment containing storage media shall be checked to ensure that any covered information and licensed software has been removed or securely overwritten prior to disposal

Removal of Property | Equipment, information or software shall not be taken off site without prior authorization

Documented Operations Procedures | Operating procedures shall be documented, maintained, and made available to all users who need them

Change Management | Changes to information assets and systems shall be controlled and archived

Segregation of Duties | Separation of duties shall be enforced to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets

Separation of Development, Test, and Operational Environments | Development, test, and operational environments shall be separated and controlled to reduce the risks of unauthorized access or changes to the operational system

Service Delivery | It shall be ensured that the security controls, service definitions and delivery levels included in the third-party service delivery agreement are implemented, operated and maintained by the third party

Monitoring and Review of Third Party Services | The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly to govern and maintain compliance with the service delivery agreements

Managing Changes to Third Party Services | Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks

Capacity Management | The availability of adequate capacity and resources shall be planned, prepared, and managed to deliver the required system performance. Projections of future capacity requirements shall be made to mitigate the risk of system overload

System Acceptance | Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance to maintain security.

Controls Against Malicious Code | Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided

Controls Against Mobile Code | Mobile code shall be authorized before its installation and use, and the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code shall be prevented from executing

Back-up | Back-up copies of information and software shall be taken and tested regularly

Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit

Security of Network Services | Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced

Management of Removable Media | Formal procedures shall be documented and implemented for the management of removable media

Disposal of Media | Media shall be disposed of securely and safely when no longer required, using formal procedures that are documented

Information Handling Procedures | Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse

Security of System Documentation | System documentation shall be protected against unauthorized access

Information Exchange Policies and Procedures | Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication mediums

Exchange Agreements | Agreements shall be established and implemented for the exchange of information and software between the organization and external parties

Physical Media in Transit | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundaries

Electronic Messaging | Information involved in electronic messaging shall be appropriately protected

Interconnected Business Information Systems | Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems

Electronic Commerce Services | Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure or modification

On-line Transactions | Information involved in online transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay

Publicly Available Information | The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification

Audit Logging | Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring

Monitoring System Use | Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly

Protection of Log Information | Logging systems and log information shall be protected against tampering and unauthorized access

Administrator and Operator Logs | System administrator and system operator activities shall be logged and regularly reviewed

Fault Logging | Faults shall be logged, analyzed, and appropriate remediation action taken

Clock Synchronization | The clocks of all relevant information processing systems within the organization or security domain shall be synchronized with an agreed accurate time source to support tracing and reconstitution of activity timelines

Security Requirements Analysis and Specification | Statements of business requirements for new information systems (developed or purchased), or enhancements to existing information systems shall specify the requirements for security controls

Input Data Validation | Data input to applications and databases shall be validated to ensure that this data is correct and appropriate

Control of Internal Processing | Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts

Message Integrity | Requirements for ensuring authenticity and protecting message integrity in applications shall be identified and controls implemented

Output Data Validation | Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances

Policy on the Use of Cryptographic Controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented, and supported by formal procedures

Key Management | Key management shall be in place to support the organization's use of cryptographic techniques

Control of Operational Software | There shall be procedures in place to control the installation of software on operational systems

Protection of System Test Data | Test data shall be selected carefully, and protected and controlled in nonproduction environments

Access Control to Program Source Code | Access to program source code shall be restricted

Change Control Procedures | The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures

Outsourced Software Development | Outsourced software development shall be supervised and monitored by the organization

Control of Technical Vulnerabilities | Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk

Reporting Information Security Events | Information security events shall be reported through appropriate communications channels as quickly as possible. All employees, contractors and third-party users shall be made aware of their responsibility to report any information security events as quickly as possible

Reporting Security Weaknesses | All employees, contractors, and third-party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services

Responsibilities and Procedures | Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents

Learning from Information Security Information | There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored

Collection of Evidence | Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented in support of potential legal action in accordance with the rules for evidence in the relevant jurisdiction(s)

Including Information Security in the Business Continuity Management Process | A managed program and process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity

Business Continuity and Risk Assessment | Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security

Developing and Implementing Continuity Plans Including Information Security | Plans shall be developed and implemented to maintain or restore operations and ensure availability of information, at the required level and in the required time scales, following interruption to, or failure of, critical business processes

Business Continuity Planning Framework | A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance

Testing, Maintaining and Re-Assessing Business Continuity Plans | Business continuity plans shall be tested and updated regularly, at a minimum annually, to ensure that they are up to date and effective

Privacy Notice | Data subjects have a right to adequate and easily accessible notice of the use and disclosures of their PII that may be made by the PII controller, and of the data subject's rights and the controller's legal duties with respect to PII

Openness and Transparency | To provide data subjects with clear and easily accessible information about the PII controller's policies, procedures and practices with respect to the handling of PII

Accounting of Disclosures | To ensure that disclosures of PII, especially to third parties, are recorded. To ensure the PII processor notifies the PII controller of any legally binding requests for disclosure of PII. Provisions for the use of subcontractors to process PII should be specified in the contract between the PII processor and the PII controller

Consent | To make data subjects active participants in the decision-making process regarding the processing of their PII, except as otherwise limited by legislation and regulations, through the exercise of meaningful, informed and freely given consent

Choice | To present to data subjects, where appropriate and feasible, the choice not to allow the processing of their PII, to refuse or withdraw consent or to oppose a specific type of processing, and to explain to data subjects the implications of granting or refusing consent

Principal Access | To give data subjects the ability to access and review their PII and to challenge its accuracy and completeness

Purpose Legitimacy | To ensure that the purpose(s) for processing PII complies with applicable laws and relies on a permissible legal ground

Purpose Specification | To specify the purposes for which PII are collected no later than at the time of PII collection where feasible and limit the subsequent use to the fulfillment of original purposes

Collection Limitation | To limit the collection of PII to that which is within the boundaries of applicable law and strictly necessary for the specified purpose(s)

Data Minimization | To minimize the PII which is processed to what is strictly necessary for the legitimate interest pursued by the PII controller and to limit the disclosure of PII to a minimum number of internal and external parties

Use and Disclosure | To limit the use and disclosure of PII for specific, explicit and legitimate purposes and to fulfill the stated purpose(s) or to abide by applicable laws

Retention and Disposal | To retain PII no longer than necessary to fulfill the stated purpose(s) or to abide by applicable laws

Accuracy and Quality | To ensure that the PII processed is accurate, complete, up-to-date, adequate and relevant for the purpose of use

Participation and Redress | To provide any amendment, correction or removal to PII processors and third parties to whom personal data had been disclosed

Complaint Management | To set up efficient internal complaint handling and redress procedures for use by data subjects

Governance | To establish efficient governance for PII processing

Privacy and Impact Assessment | To establish a privacy impact assessment process and to perform a privacy impact assessment as necessary

Privacy Requirements for Contractors and Processors | To ensure, through contractual or other means, that third party recipients provide at least equivalent levels of PII protection

Privacy Monitoring and Auditing | To monitor and audit PII protection controls and the effectiveness of internal PII protection policy

Privacy Protection Awareness and Training | To provide suitable training and awareness concerning PII protection for the personnel of the PII controller who will have access to PII

Privacy Protection Reporting | To develop, disseminate and update PII protection reports
Level 1 Implementation (example) | Applicable / Not Applicable | Team / Person/s Responsible | Status of Implementation | Alorica Contact | Evidence Available (Yes / No) | Audit Status (Open / Closed) | Remarks

The organization has a formal information security management program (ISMP) that is documented and addresses the overall security program of the organization. Management support for the ISMP is demonstrated through signed acceptance or approval by management. The ISMP is based on an accepted industry framework, considers all the control objectives of the accepted industry framework, documents any excluded control objectives of the accepted industry framework and the reasons for their exclusion, and is updated at least annually or when there are significant changes in the environment.

Access control rules and rights for each user or group of users are based on clearly defined requirements for information dissemination and authorization (e.g., need-to-know, need-to-share, least privilege, security levels, and information classification). The policy further ensures that logical and physical access control rules and rights for each user or group of users are considered together and clearly defined in standard user access profiles (e.g., roles). The access control program takes into account the security requirements of individual business applications and business units and ensures standard user access profiles exist for common job roles in the organization.

Default and unnecessary accounts are removed, disabled, or otherwise secured.

The allocation of privileges for all systems and system components is controlled through a formal authorization process. The organization ensures the access privileges associated with each system product (e.g., operating system, database management system and each application) and the users associated with each system product which need to be allocated are identified. Privileges are allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (e.g., the minimum requirement for their functional role, user or administrator, only when needed).

The organization limits authorization to privileged accounts on information systems to a

User identities are verified prior to performing password resets.

The organization changes all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts before deploying any new devices in a networked environment.

The organization reviews all accounts (including user, privileged, system, shared, and seeded accounts), and privileges (e.g., user-to-role assignments, user-to-object assignments) periodically (annually at a minimum).

The organization ensures users are made aware of the organization’s password policies and requirements, are made aware to keep passwords confidential, avoid keeping a record (e.g., paper, software file, or hand-held device) of passwords unless this can be stored securely and the method of storing has been approved, change passwords whenever there is any indication of possible system or password compromise, do not share individual user accounts or passwords, and do not provide their password to anyone for any reason (to avoid compromising their user credentials through social engineering

All users are made aware of: the security requirements and procedures for protecting unattended equipment; their responsibilities for terminating active sessions when finished, unless they can be secured by an appropriate locking mechanism (e.g., a password protected screen saver); their responsibilities for logging off mainframe computers, servers, and office PCs when the session is finished (e.g., not just switch off

Covered or critical business information is locked away (ideally in a safe or cabinet or other forms of security furniture) when not required, especially when the office is vacated. Workstations are left logged off or protected with a screen and keyboard locking mechanism controlled by a password, token, or similar user authentication mechanism that conceals information previously visible on the display when

The organization: determines who is allowed to access which network and networked services; specifies the means that can be used to access networks and network services (e.g., the conditions for allowing access to a remote system); at a minimum, manages all enterprise devices remotely logging into the internal network, with remote control of their configuration, installed software, and patch levels;

Remote access by vendors and business partners (e.g., for remote maintenance) is disabled unless specifically authorized by management. Remote access to business partner accounts (e.g., remote maintenance) is immediately deactivated after use.

The organization uniquely identifies and authenticates network devices that require authentication mechanisms before establishing a connection. Network devices that require authentication mechanisms use shared information (e.g., MAC or IP address) and access control lists to control remote network access.

Ports, services, and applications installed on a computer or network systems, which are not specifically required for business functionality, are disabled or removed.

Security gateways (e.g., a firewall) are used between the internal network, external networks (Internet and third-party networks), and any demilitarized zone (DMZ). An internal network perimeter is implemented by installing a secure gateway (e.g., a firewall) between two interconnected networks to control access and information flow

At managed interfaces, network traffic is denied by default and allowed by exception (i.e., deny all, permit by exception). The organization restricts the ability of users to connect to the internal network in accordance with the access control policy and the requirements of its business applications.

The organization ensures that security gateways (e.g., a firewall) are used to validate source and destination addresses at internal and external network control points. The organization designs and implements network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The application-layer filtering proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a disallow list, or applying lists of allowed sites that can be accessed through the proxy while blocking all other sites. The organization forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Internal directory services and internal IP addresses are protected and hidden from any external access. Requirements for network routing control are based on the access control policy.

A policy applicable to the organization’s information systems addressing account lockout after consecutive unsuccessful login attempts is documented and enforced through technical controls.

Each user ID in the information system (including non-privileged, privileged, seeded, and service accounts) is assigned to a specific, named individual to maintain accountability.

The organization requires multi-factor authentication for network and local access to privileged accounts.

The password management system stores passwords in protected (e.g., encrypted or hashed) form, transmits passwords in protected (e.g., encrypted or hashed) form, stores password files separately from application system data, enforces a choice of quality passwords, enforces password changes, and maintains a record of previous user passwords and prevents re-use.

The use of system utilities is controlled by implementing the following: implementing identification, authentication, and authorization procedures; segregating system utilities from application software; and limiting the use of system utilities to the minimum practical number of trusted, authorized users.

Both bring your own device (BYOD) and company-owned devices are configured to require an automatic session time-out screen as enforced through technical means. Connection time controls are implemented for sensitive computer applications, especially from high-risk locations (e.g., public or external areas that are outside the organization’s security management). Connection time controls include using predetermined time slots (e.g., for batch file transmissions or regular interactive sessions of short duration), restricting connection times to normal office hours if there is no requirement for overtime or extended-hours operation, and re-authentication at timed intervals.

The requirements for controlling access to applications and application functions are addressed, such as, but not exclusive to: providing menus to control access to application system functions; controlling which data can be accessed by a particular user; controlling the access rights of users, e.g., read, write, delete and execute; controlling the access rights of other applications; limiting the information contained in outputs; and providing physical or logical access controls for the isolation of sensitive applications, application data, or systems.

The sensitive application system runs on a dedicated computer, or only shares resources with trusted application systems. Isolation is achieved using physical or logical methods. When a sensitive application is to run in a shared environment, the application systems with which it will share resources and the corresponding risks are identified, and accepted by the owner of the sensitive application.

The organization monitors for unauthorized connections of mobile devices. Individuals are issued specifically configured mobile devices for travel to locations the organization deems to be of significant risk in accordance with organizational policies and procedures. Upon return from these locations the devices are checked for malware and physical tampering.

Suitable protection of the teleworking site is in place to protect against the theft of equipment and information, the unauthorized disclosure of information, unauthorized remote access to the organization’s internal systems, or misuse of facilities. Prior to authorizing teleworking: the physical security of the teleworking site is evaluated (e.g., of the building and local environment), and threats/issues associated with the physical security of the teleworking site are addressed.

Policies and/or standards related to user roles and responsibilities include: implementing and acting in accordance with the organization’s information security policies; protecting assets from unauthorized access, disclosure, modification, destruction, or interference; executing particular security processes or activities; ensuring responsibility is assigned to the individual for actions taken; reporting security events or potential events or other security risks to the organization; and security roles and responsibilities are defined and clearly communicated to users and job candidates during the pre-employment process.

Background verification checks on all candidates for employment, contractors, and third-party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.

The organization ensures that employees, contractors, and third-party users agree to terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services. The organization develops and documents access agreements for organizational systems. Privileges are not granted until the terms and conditions have been satisfied and agreements have been signed.

Employees, contractors, and third-party users are: properly briefed on their information security roles and responsibilities prior to being granted access to covered and/or confidential information or information systems; provided with guidelines to state security expectations of their role within the organization; motivated to comply with the security policies of the organization; achieve a level of awareness on security relevant to their roles and responsibilities within the organization; conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working; and continue to have the skills and qualifications appropriate to their roles and responsibilities.

The organization provides role-based security-related training, especially for personnel with significant security responsibilities (e.g., system administrators), prior to accessing the organization’s information resources, when required by system or environment changes, when entering into a new position that requires additional role-specific training, and no less than annually thereafter.

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users, prior to accessing any system’s information

The organization’s formal sanctions process: includes specific procedures for license, registration, and certification denial or revocation and other disciplinary action; identifies the individual sanctioned; and identifies the reason for the sanction. The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures. The organization notifies defined personnel (e.g., supervisors) within a defined time frame (e.g., 24 hours) when a formal sanction process is initiated.

The organization has a documented termination checklist that identifies all the steps to be taken and assets to be collected.

The termination process includes the return of all previously issued software, all corporate documents, all equipment, and all other organizational assets such as mobile computing devices, credit cards, access cards, manuals, and information stored on electronic media.

The organization ensures logical and physical access authorizations to systems and equipment are reviewed, updated, or revoked when there is any change in responsibility or employment.

The organization’s risk management program includes: objectives of the risk management process; management’s clearly stated level of acceptable risk, informed by its role in the critical infrastructure and business-specific risk analysis; the plan for managing operational risk communicated to stakeholders; the connection between the risk management policy and the organization’s strategic planning processes; documented risk assessment processes and procedures; regular performance of risk assessments; mitigation of risks identified from risk assessments and threat monitoring procedures; risk tolerance thresholds defined for each category of risk; reassessment of the risk management policy to ensure management’s stated level of acceptable risk is still accurate, previously decided upon security controls are still applicable and effective, and to evaluate the possible risk level changes in the environment; updating the risk management policy if any of these elements have changed; and repeating the risk management process prior to any significant change, after a serious incident, whenever a new significant risk factor is identified, or at a minimum annually.

The organization performs risk assessments that address all the major objectives of the HITRUST CSF. Risk assessments are consistent and identify information security risks to the organization. Risk assessments are to be performed at planned intervals and when major changes occur in the environment, and the results reviewed annually.

The organization implements an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks.

The risk management process is integrated with the change management process.

The organization’s information security policy is developed, published, disseminated, and implemented. The information security policy documents: state the purpose and scope of the policy; communicate management’s commitment; describe management and workforce members’ roles and responsibilities; and establish the organization’s approach to managing information security.

The information security policy documents are reviewed at planned intervals or if significant changes occur to ensure the policies’ continuing adequacy and effectiveness. Security policies are communicated throughout the organization.

A senior-level information security official is appointed. The senior-level information security official is responsible for ensuring the organization’s information security processes are in place, communicated to all stakeholders, and consider and address organizational requirements.

Security activities (e.g., implementing controls, correcting nonconformities) are coordinated in advance and communicated across the entire organization where necessary.

The organization clearly allocates and assigns responsibilities to identify and protect individual IT assets in accordance with the security policies. Where necessary, the organization supplements policies with more detailed guidance for specific assets and facilities. When security responsibilities are delegated to others, the individual originally assigned these responsibilities remains accountable, and the organization determines that any delegated tasks have been correctly performed.

Management formally authorizes (approves) new information assets and facilities for processing (use) before commencing operations and periodically reviews and updates authorizations (approvals) at a frequency defined by the organization, but at least every three years.

Requirements for confidentiality and non-disclosure agreements are reviewed at least annually and when changes occur that influence these requirements. Confidentiality and non-disclosure agreements comply with all applicable laws and regulations for the jurisdiction to which they apply.

The organization includes key contacts including phone numbers and email addresses as part of its incident management and/or business continuity plan. The organization designates a point of contact to review the list at least annually to keep it current.

Membership in organization-defined special interest groups or forums/services is considered as a means to: improve knowledge of best practices and stay up to date with relevant security information; ensure the understanding of the information security environment is current and complete (e.g., threat monitoring/intelligence services); receive early warnings of alerts, advisories, and patches pertaining to attacks and vulnerabilities; gain access to specialist information security advice; share and exchange information about new technologies, products, threats, or vulnerabilities; and provide suitable liaison points when dealing with information security incidents.

An independent review of the information security management program and information security controls is conducted at least annually or whenever there is a material change to the business practices that may implicate the security or integrity of records containing personal information.

Access granted to external parties is limited to the minimum necessary, limited in duration, and is revoked when no longer needed.

The following security terms are addressed prior to giving customers access to any of the organization’s assets: description of the product or service to be provided; the right to monitor, and revoke, any activity related to the organization’s assets; and the respective liabilities of the organization and the customer. It is ensured that the customer is aware of their obligations. It is ensured that the customer accepts the responsibilities and liabilities prior to accessing, processing, communicating, or managing the organization’s information and information assets.

The organization identifies and mandates information security controls to specifically address supplier access to the organization’s information and information assets.

All relevant statutory, regulatory, and contractual requirements, including the specific controls and individual responsibilities to meet these requirements, are explicitly defined and formally documented (e.g., in policies and procedures, as appropriate) for each information system type, and communicated to the user community as necessary through documented security training and awareness programs.

The organization establishes restrictions on the use of open source software. Open source software used by the organization is legally licensed, authorized, and adheres to the organization’s secure configuration policy.

Guidelines are issued and implemented by the organization on the ownership, classification, retention, storage, handling, and disposal of all records and information.

Covered and/or confidential information, at minimum, is rendered unusable, unreadable, or indecipherable anywhere it is stored, including on personal computers (laptops, desktops), portable digital media, backup media, servers, databases, or in logs. Exceptions to encryption requirements are authorized by management and documented. Encryption is implemented via one-way hashes, truncation, or strong cryptography and key-management procedures. For full-disk encryption, logical access is independent of O/S access. Decryption keys are not tied to user accounts. If encryption is not applied because it is determined to not be reasonable or appropriate, the organization documents its rationale for its decision or uses alternative compensating controls other than encryption if the method is approved and reviewed annually by the CISO.

All employees and contractors are informed in writing that violations of the security policies will result in sanctions or disciplinary action.

The encryption policy addresses the type and strength of the encryption algorithm and when it is used to protect the confidentiality of information. The organization employs cryptographic modules that are certified and that adhere to the minimum applicable standards.

Annual compliance assessments are conducted. Compliance reviews are conducted by security, privacy, and/or audit individuals, and incorporate reviews of documented evidence. If any non-compliance is found as a result of the review, managers will: determine the causes of the non-compliance; evaluate the need for actions to ensure that the non-compliance does not recur; determine and implement appropriate corrective action; and review the corrective action taken.

The organization performs annual checks on the technical security configuration of systems, either manually by an individual with experience with the systems and/or with the assistance of automated software tools. If any non-compliance is found as a result of a technical security configuration compliance review, the organization: determines the causes of the non-compliance; evaluates the need for actions to ensure that the non-compliance does not recur; determines and implements appropriate corrective action; and reviews the corrective action taken.
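Added example (not from the HITRUST CSF, this tracking sheet, or Alorica): a minimal password management service in Python showing the mechanics behind the account lockout and password management system requirements above. Passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, a quality check is enforced at creation and change, a per-user history of previous hashes rejects re-use, and an account locks after a configurable number of consecutive failed logins (a success resets the counter) until an administrator who has verified the user's identity unlocks it. The class and function names, the thresholds, the in-memory store and the sample passwords are assumptions chosen for illustration, not values from the sheet.

```python
"""Added example, not HITRUST/Alorica code: salted hashing, password quality,
re-use prevention via history, and consecutive-failure lockout."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5   # assumption: consecutive failures before the account locks
HISTORY_DEPTH = 12      # assumption: number of previous password hashes retained
MIN_LENGTH = 12         # assumption: minimum password length
DEFAULT_ROUNDS = 600_000  # assumption: PBKDF2 work factor for production use


def _hash_password(password: str, salt: bytes, rounds: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def password_quality_ok(password: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3


@dataclass
class Account:
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)  # previous (salt, digest) pairs
    failed_attempts: int = 0
    locked: bool = False


class PasswordStore:
    """In-memory stand-in for a password file kept apart from application data."""

    def __init__(self, rounds: int = DEFAULT_ROUNDS):
        self.rounds = rounds
        self._accounts: dict = {}

    def create(self, user: str, password: str) -> None:
        if not password_quality_ok(password):
            raise ValueError("password does not meet quality rules")
        salt = os.urandom(16)
        self._accounts[user] = Account(salt, _hash_password(password, salt, self.rounds))

    def change_password(self, user: str, new_password: str) -> None:
        acct = self._accounts[user]
        if not password_quality_ok(new_password):
            raise ValueError("password does not meet quality rules")
        # Each retained entry has its own salt, so the candidate is re-hashed
        # under every old salt; a re-used password matches one of them.
        for old_salt, old_digest in [(acct.salt, acct.digest)] + acct.history:
            if hmac.compare_digest(_hash_password(new_password, old_salt, self.rounds), old_digest):
                raise ValueError("password was used recently")
        acct.history.insert(0, (acct.salt, acct.digest))
        del acct.history[HISTORY_DEPTH:]
        acct.salt = os.urandom(16)
        acct.digest = _hash_password(new_password, acct.salt, self.rounds)

    def authenticate(self, user: str, password: str) -> bool:
        acct = self._accounts.get(user)
        if acct is None:
            # Do the same work for unknown users so timing does not reveal valid IDs.
            _hash_password(password, b"\x00" * 16, self.rounds)
            return False
        if acct.locked:
            return False  # locked accounts fail even with the correct password
        if hmac.compare_digest(_hash_password(password, acct.salt, self.rounds), acct.digest):
            acct.failed_attempts = 0  # only *consecutive* failures count
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False

    def is_locked(self, user: str) -> bool:
        return self._accounts[user].locked

    def failed_attempts(self, user: str) -> int:
        return self._accounts[user].failed_attempts

    def unlock(self, user: str) -> None:
        """Administrative unlock, to be called only after identity verification."""
        acct = self._accounts[user]
        acct.locked = False
        acct.failed_attempts = 0
```

The work factor is a constructor parameter so the same code can run quickly in a test and slowly in production; the lockout is deliberately not time-based here, so unlocking is an explicit, audited step rather than an automatic expiry.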