OM 9.1.2 - Information Security Standards
Effective Date: January 2023 |
Policy Contact: Office of Information Technology |
1 Purpose
The Information Security Steering Committee of Clarkson University has adopted these information security Standards, which define the appropriate administrative, technical, and physical safeguards over sensitive information. These standards are designed to:
● Ensure that the safeguards adequately address the legal, regulatory, and mandatory requirements for information security;
● Provide adequate coverage of the recommended best practices spanning in the eighteen NIST Control Families; and
● Give a general assurance level that the confidentiality, integrity, and availability of the University's assets will be upheld.
These Standards are based upon NIST 800-53 rev4 and they represent the What elements of information security that are specific to the University. Clarkson University will update these standards as need arises and will continue to review them annually. As these standards are not policy, updates shall not require Board approval, but will be reviewed and formally approved by the Information Security Steering Committee at least annually.
In addition to the Standards defined here, Clarkson University also maintains a set of procedures, plans and processes that define the How, When, and Who elements of information security and the expected behavior of personnel as they work to carry out the Standards in an approved manner that upholds these Standards.
2 Scope
These standards are applicable to all information in the possession of the University, including its affiliates and its agents, which may be stored, processed, or transmitted by any means. This includes electronic information, information on paper, and information shared orally or visually (e.g., telephone and video conferencing). Also included is any information in storage or in electronic or physical transmission outside of the University's facilities (e.g., service providers).
3 Roles & Responsibilities
Ultimate accountability for the Information Security controls rests with the Director of Network Services and Information Security. The control owners are accountable to ensure that the controls assigned to them are in-place and effective throughout the scope of the organization for which the controls apply.
● For administrative controls, the control owner will most likely oversee the execution of controls and possibly will be the implementor of the controls as well.
● For technical controls, the control owner is accountable, and may or may not choose to have IT implement the controls on their behalf.
● For physical controls, there will be a division of labor between the control owner and the facilities team.
4 Information Security Standards
4.1 Access Control Policy and Procedures
4.1.1 Standard Owner: Board, Senior Management, Information Technology
4.1.2 Standard References
NIST: AC-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)
PCI-DSS: 12.1, 12.1.1
4.1.3 Standard
The organization will:
- Develop, document, and disseminate standards that address purpose, scope, roles and responsibilities for managing access management activities;
- Develop and document the roles and responsibilities for individuals who have access to information systems;
- Document supporting procedures;
- Disseminate the information to ensure coordination among the organization’s entities; and
- Policy and procedure are approved and reviewed every
- Review the standards
4.2 Access Control Policy and Procedures
4.2.1 Standard Owner: Information Technology
4.2.2 Standard References
NIST: AC-1
GLBA:
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)
PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.2
4.2.3 Standard
A formal, documented emergency access procedure (for system and facilities) for enabling authorized workforce members during an emergency.
4.3 Account Management
4.3.1 Standard Owner: Information Technology
4.3.2 Standard References
NIST: AC-2
GLBA:
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.2
4.3.3 Standard
All user access to systems must be granted based on (1) valid access authorization, including business justification, by [Whom], (2) intended system usage, and (3) other attributes as required by the organization or associated mission’s/business functions.
4.4 Account Management
4.4.1 Standard Owner: Information Technology
4.4.2 Standard References
NIST: AC-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS: 7.1, 7.1.2, 7.2
4.4.3 Standard
Accounts with special privileges will only be used for those tasks requiring it, not for day-to-day usage.
4.5 Account Management | Access Enforcement | Least Privilege
4.5.1 Standard Owner: Information Technology
4.5.2 Standard References
NIST: AC-2 AC-3 AC-6
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6 A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C),
164.308(a)(5)(ii)(C), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.1.4, 7.2, 7.2.1, 7.2.3, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 10.1
4.5.3 Standard
A formal, documented process for granting appropriate access to organization information systems will be documented. Only the most minimal access will be provisioned based on a need-to-know basis. All revisions to organization workforce member and software program access rights will be tracked and logged. Security groups and ACLs will be used to provide limited, role-based access to shared resources. For systems not relying on domain accounts, the account creation/removal process will also be documented. At a minimum, tracking and logging of all access requests will require the following information:
- Data and time of revision
- Identification of workforce member or software program whose access is being revised
- Brief description of revised access right(s)
- Approval by system owner/stewards or their chosen delegate
- Reason for revision
This information will be securely maintained.
4.6 Access Enforcement
4.6.1 Standard Owner: Information Technology
4.6.2 Standard References
NIST: AC-3
GLBA: Effective
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 1.2.1 7.2.3
4.6.3 Standard
Access to internal, nonpublic-facing systems from untrusted sites, by default, will be blocked at the organization perimeter firewall.
4.7 Access Enforcement | Least Privilege
4.7.1 Standard Owner: Information Technology
4.7.2 Standard References
NIST: AC-3 AC-6
GLBA: Draft
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1.1, 7.1.3, 8.1.4
4.7.3 Standard
All organization workforce members will have their information system privileges automatically disabled after their user ID or access method has had 90 days of inactivity. All such privileges that are disabled in this manner will be reviewed to ensure that the inactivity is not due to termination of employment. If termination is the reason for inactivity, there will be review of situation to ensure that all access to CONFIDENTIAL INFORMATION (or ability to physical access information) has been eliminated.
4.8 Access Enforcement | Least Privilege
4.8.1 Standard Owner: Information Technology
4.8.2 Standard References
NIST: AC-3 AC-6
GLBA: Draft
GDPR:
ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)
PCI-DSS: 7.1.2, 7.1.3
4.8.3 Standard
Access reviews for privileged and non-privileged accounts on systems storing restricted information will be conducted annually.
4.9 Information Flow Enforcement
4.9.1 Standard Owner: Information Technology
4.9.2 Standard References
NIST: AC-4
GLBA: On Hold
GDPR:
ISO27001: A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.310(b)
PCI-DSS:
4.9.3 Standard
The organization will define a Security Architecture Plan that addresses:
- The flow of information between inter-connected systems; and
- Defined security rules by network
4.10 Separation of Duties
4.10.1 Standard Owner: Information Technology
4.10.2 Standard References
NIST: AC-5
GLBA: Effective
GDPR:
ISO27001: A.6.1.2
HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)
PCI-DSS:
4.10.3 Standard
Where possible, software developers will not utilize elevated access to production systems.
4.11 Least Privilege
4.11.1 Standard Owner: Information Technology
4.11.2 Standard References
NIST: AC-6
GLBA: Effective
GDPR:
ISO27001: A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5
HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)
PCI-DSS: 7.1.2, 7.1.3
4.11.3 Standard
Only the most minimal access will be provisioned based on a need-to-know basis.
4.12 Unsuccessful Logon Attempts
4.12.1 Standard Owner: Information Technology
4.12.2 Standard References
NIST: AC-7
GLBA: Effective
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS:
4.12.3 Standard
Organization workforce members shall not attempt to gain access to organization information systems containing restricted information for which they have not been given proper authorization.
4.13 Unsuccessful Logon Attempts
4.13.1 Standard Owner: Information Technology
4.13.2 Standard References
NIST: AC-7
GLBA: Effective
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2,2.2.4, 8.1.6, 8.1.7
4.13.3 Standard
Systems will lock accounts after no more than 5 failed login attempts.
4.14 System Use Notification
4.14.1 Standard Owner: Information Technology
4.14.2 Standard References
NIST: AC-8
GLBA: On Hold
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2.4
4.14.3 Standard
The organization displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable laws, directives, policies, regulations, standards, and guidance and states that:
- users are accessing organizational information systems;
- system usage may be monitored, recorded, and subject to audit;
4.15 Previous Logon (Access) Notification
4.15.1 Standard Owner: Information Technology
4.15.2 Standard References
NIST: AC-9
GLBA: On Hold
GDPR:
ISO27001: A.9.4.2
HIPAA:
PCI-DSS: 2.2.4
4.15.3 Standard
Workstation, laptop, and server logon systems will suppress and/or not display the username of the previously logged on user.
4.16 Concurrent Session Control
4.16.1 Standard Owner: Information Technology
4.16.2 Standard References
NIST: AC-10
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.16.3 Standard
Critical applications will be configured to limit the number of concurrent sessions for each account and/or account type.
4.17 Session Lock
4.17.1 Standard Owner: Information Technology
4.17.2 Standard References
NIST: AC-11
GLBA: Effective
GDPR:
ISO27001: A.11.2.8, A.11.2.9
HIPAA: 164.310(b), 164.312(a)(2)(iii)
PCI-DSS: 2.2,2.2.4, 8.1.8, 12.3.8
4.17.3 Standard
Endpoints must prevent further access to the information assets by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user. In addition, systems must retain the session lock until the user reestablishes access using established identification and authentication procedures.
4.18 Session Termination
4.18.1 Standard Owner: Information Technology
4.18.2 Standard References
NIST: AC-12
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA: 164.310(b), 164.312(a)(2)(iii)
PCI-DSS: 2.2,2.2.4, 8.1.8, 12.3.8
4.18.3 Standard
Systems will disconnect application and remote access sessions after 240 minutes of idle time.
4.19 Remote Access
4.19.1 Standard Owner: Information Technology
4.19.2 Standard References
NIST: AC-17
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2
HIPAA: 164.310(b)
PCI-DSS: 8.1.5
4.19.3 Standard
Applications accessed through external facing webservers without appropriate SSL encryption will only be accessed via approved VPN.
4.20 Remote Access
4.20.1 Standard Owner: Information Technology
4.20.2 Standard References
NIST: AC-17
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2
HIPAA: 164.310(b)
PCI-DSS: 8.1.5,12.3.9,12.3.10
4.20.3 Standard
Remote access technologies for vendors will only be enabled when needed, with immediate deactivation after use.
4.21 Wireless Access
4.21.1 Standard Owner: Information Technology
4.21.2 Standard References
NIST: AC-18
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 4.1, 4.1.1, 11.1
4.21.3 Standard
Public wireless networks will be considered open, insecure networks.
4.22 Wireless Access
4.22.1 Standard Owner: Information Technology
4.22.2 Standard References
NIST: AC-18
GLBA: Effective
GDPR:
ISO27001: A.6.2.1, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.2.3, 2.1.1, 4.1, 9.1.3, 11.1, 11.1.1, 11.1.2, 12.3
4.22.3 Standard
4.23 Use of External Information Systems
4.23.1 Standard Owner: Information Technology
4.23.2 Standard References
NIST: AC-20
GLBA: On Hold
GDPR:
ISO27001: A.11.2.6, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.3.5
4.23.3 Standard
All connections between organization Information Systems and external systems will be approved and documented.
4.24 Use of External Information Systems
4.24.1 Standard Owner: Information Technology
4.24.2 Standard References
NIST: AC-20
GLBA: Effective
GDPR:
ISO27001: A.11.2.6, A.13.1.1, A.13.2.1
HIPAA:
PCI-DSS: 1.3.5
4.24.3 Standard
The Director of Network Services & Information Security will approve any system which interfaces with systems that store or process information classified as 'Clarkson-Restricted'.
4.25 Publicly Accessible Content
4.25.1 Standard Owner: Information Technology, | Compliance
4.25.2 Standard References
NIST: AC-22
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.25.3 Standard
Information classified as Clarkson-Restricted will not be posted on the organization's publicly available website.
4.26 Access Control Decisions
4.26.1 Standard Owner: Information Technology
4.26.2 Standard References
NIST: AC-24
GLBA: Effective
GDPR:
ISO27001: A.9.4.1*
HIPAA:
PCI-DSS:
4.26.3 Standard
All access requests will go through a managerial approval process prior to access enforcement.
4.27 Audit and Accountability Policy and Procedures
4.27.1 Standard Owner: IT
4.27.2 Standard References
NIST: AU-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.312(b)
PCI-DSS: 12.1, 12.1.1
4.27.3 Standard
The organization will:
- Develop, document, and disseminate audit and accountability standards that addresses purpose, scope, roles, responsibilities, and management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.28 Audit Events | Non-repudiation
4.28.1 Standard Owner: IT
4.28.2 Standard References
NIST: AU-2 AU-10
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(5)(ii)(C), 164.312(b)
PCI-DSS: 8.1.5, 10.1, 10.2, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4,
10.6.1
4.28.3 Standard
Security events for Active Directory, firewalls, servers, applications, and databases will be defined. This includes:
- Permission Altered Alerts (accounts/groups created, group membership modified, VPN groups modified)
- Inappropriate Use & Login for Administrators (successful/failed logon attempts, application/operating system/network devices administrator accounts, service accounts, accounts used to provision access, local administrator accounts)
- Inappropriate Use for Workforce (successful/failed logon attempts, multiple account locks/disabled/deleted)
- System Events (logs cleared, virus/malware detected, NTP time change, rogue wireless devices)
- System Health (active directory groups created/removed, application restarts/shutdowns, taxing active directory queries)
- File Integrity (critical/sensitive file changes)
- Network Intrusion Attempts
- Application & Database (failed logon attempts, accounts created/modified)
- Event types, date and time, origination of event, identity or name of affected data, system component, or resource
4.29 Content of Audit Records
4.29.1 Standard Owner: IT
4.29.2 Standard References
NIST: AU-3
GLBA: Effective
GDPR:
ISO27001: A.12.4.1* HIPAA: 164.312(b) PCI-DSS: 10.5.3, 10.7
4.29.3 Standard
Logs from Active Directory, firewalls (both internal and external), servers, and DNS will be sent to the central logging server.
4.30 Audit Storage Capacity
4.30.1 Standard Owner: IT
4.30.2 Standard References
NIST: AU-4
GLBA: Effective
GDPR:
ISO27001: A.12.1.3 HIPAA: 164.312(b) PCI-DSS: 10.5.3, 10.7
4.30.3 Standard
Logs will be moved to a centralized logging system within 24 hours of being recorded.
4.31 Response to Audit Processing Failures
4.31.1 Standard Owner: IT
4.31.2 Standard References
NIST: AU-5
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.31.3 Standard
The central logging server will be monitored for system disk capacity, availability, and running of the syslog process
4.32 Audit Review, Analysis, and Reporting
4.32.1 Standard Owner: IT
4.32.2 Standard References
NIST: AU-6
GLBA: On Hold
GDPR:
ISO27001: A.12.4.1, A.16.1.2, A.16.1.4
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.312(b)
PCI-DSS:
4.32.3 Standard
Metrics reports for security events will be created and monitored on a periodic basis, based on the criticality of the logs. As well, an alerting process will be used.
4.33 Time Stamps
4.33.1 Standard Owner: IT
4.33.2 Standard References
NIST: AU-8
GLBA: Effective
GDPR:
ISO27001: A.12.4.4
HIPAA:
PCI-DSS: 2.2,2.2.4, 10.3.3, 10.4, 10.4.1, 10.4.2, 10.4.3
4.33.3 Standard
All workstations and servers will receive their time via NTP from industry accepted time sources.
4.34 Protection of Audit Information
4.34.1 Standard Owner: IT
4.34.2 Standard References
NIST: AU-9
GLBA: Effective
GDPR:
ISO27001: A.12.4.2, A.12.4.3, A.18.1.3
HIPAA:
PCI-DSS: 10.5, 10.5.1, 10.5.2
4.34.3 Standard
Audit logs will be secured so that cannot be altered:
- Access limited to those with job-related needs
- Protected via access control mechanisms, physical segregations
4.35 Audit Record Retention
4.35.1 Standard Owner: IT
4.35.2 Standard References
NIST: AU-11
GLBA: Draft
GDPR:
ISO27001: A.12.4.1, A.16.1.7
HIPAA:
PCI-DSS: 10.5.3, 10.5.4, 10.5.5
4.35.3 Standard
Logs will be sent to a central log server and retained for a minimum of 3 months online, 9 months offline (total of 1 year available). Log files will be monitored for change.
4.36 Monitoring for Information Disclosure
4.36.1 Standard Owner: IT
4.36.2 Standard References
NIST: AU-13
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 10.6, 10.6.1, 10.6.2, 10.6.3
4.36.3 Standard
Logs will be monitored and security events investigated, at a minimum, daily. If a security incident has occurred, the incident response procedures will be executed and followed.
4.37 Security Awareness and Training Policy and Procedures
4.37.1 Standard Owner: Information Security
4.37.2 Standard References
NIST: AT-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(5)(i)
PCI-DSS: 12.6, 12.6.1
4.37.3 Standard
The organization will:
- Develop, document, and disseminate security awareness and training standards that addresses purpose, scope, roles, responsibilities, and management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of the
- Review and update Policies every year
- Review and update the standards and associated procedures, as
4.38 Security Awareness Program
4.38.1 Standard Owner: Information Security
4.38.2 Standard References
NIST: AT-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(5)(i)
PCI-DSS: 12.6, 12.6.1
4.38.3 Standard
The organization will develop, implement, and regularly review a formal, documented program for providing, at a minimum on-hire and thereafter annually, appropriate security training and awareness to workforce members
4.39 Security Awareness Training
4.39.1 Standard Owner: Information Security
4.39.2 Standard References
NIST: AT-2
GLBA: Effective
GDPR:
ISO27001: A.7.2.2, A.12.2.1
HIPAA: 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B)
PCI-DSS: 3.7, 4.3, 8.4, 12.6, 12.6.1
4.39.3 Standard
Employees training and security reminder communications, at a minimum, will address:
- The importance of keeping creating, using, and safeguarding authentication credentials
- Ensuring that organization workforce members understand that all activities involving their user identification and password will be attributed to
- Security policies, procedures, and standards for protecting the confidentiality, integrity, and availability of information and systems
- Significant risks to organization information systems and data
- Information security legal and business responsibilities
- How, and to whom an incident shall be reported
- How to identify, report, and avoid malicious software, other forms of suspicious electronic communication and social engineering attempts
4.40 Role-Based Security Training
4.40.1 Standard Owner: Information Security
4.40.2 Standard References
NIST: AT-3
GLBA: Effective
GDPR:
ISO27001: A.7.2.2* HIPAA: 164.308(a)(5)(i) PCI-DSS:
4.40.3 Standard
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
4.41 Role-Based Security Training
4.41.1 Standard Owner: Information Security | Finance* | Compliance*
4.41.2 Standard References
NIST: AT-3
GLBA: Effective
GDPR:
ISO27001: A.7.2.2*
HIPAA: 164.308(a)(5)(i)
PCI-DSS: 3.7, 4.3, 8.4, 9.9, 9.9.3, 12.6, 12.6.1
4.41.3 Standard
Employees who access, store, process, or protect credit cardholder data will receive, at a minimum on-hire and thereafter annually, training on appropriate procedures for safeguarding credit cardholder data
4.42 Security Training Records
4.42.1 Standard Owner: Information Security
4.42.2 Standard References
NIST: AT-4
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(5)(i)
PCI-DSS: 12.6.1 12.6.2
4.42.3 Standard
After training has been conducted, each organization workforce member will verify that he or she has received the training, understood the material presented, and agrees to comply with it
4.43 Configuration Management Policy and Procedures
4.43.1 Standard Owner: IT
4.43.2 Standard References
NIST: CM-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA:
PCI-DSS: 12.1, 12.1.1
4.43.3 Standard
The organization will:
- Develop, document, and disseminate configuration management standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.44 Baseline Configuration
4.44.1 Standard Owner: IT
4.44.2 Standard References
NIST: CM-2
GLBA: Draft
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 1.1.1, 1.1.5, 1.1.6, 1.2.2, 1.5, 2.2, 2.2.2, 2.2.4, 2.2.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8,
10.4.3,12.1,12.1.1, 12.3
4.44.3 Standard
Management procedures will be created that address:
- The documentation of Hardening Configuration Standards, by operating system. These configuration controls will be based industry accepted standards (e.g., Center for Internet Security or CIS).
- System account configurations
- Groups, roles, and responsibilities for management of network components
- Documented business justification for all ports, protocols, ports allowed/disallowed, and any security features implemented for those protocols considered insecure
- For routers, securing and synchronization of configuration files
- Documentation of security parameters that prevent misuse
- Secure coding techniques in the software development lifecycle
- Synchronizations with industry accepted time sources
4.45 Baseline Configuration
4.45.1 Standard Owner: IT
4.45.2 Standard References
NIST: CM-2 CM-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 1.4, 2.2
4.45.3 Standard
Organization owned laptops and employee owned user devices are prohibited from storing, processing, or transmitti ng credit cardholder data. Desktops and mobile devices (e.g., tablets, smartphones) may be used to process cardholder transactions only if equipped with P2PE-compliant devices and are authorized by IT.
4.46 Baseline Configuration
4.46.1 Standard Owner: IT
4.46.2 Standard References
NIST: CM-2 CM-6
GLBA: Draft
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 2.2,2.2.4
4.46.3 Standard
All systems that access, store, process, or transmit non-Public Information will be configured to:
- Not display information system or application identifying information until the log-in process has been successfully completed
- Where supported, display a logon banner
- Not provide help messages during the log-in procedure that would assist an unauthorized user If an error arises during authentication, the system will not indicate which part of the data is correct or incorrect
4.47 Configuration Change Control | Security Impact Analysis
4.47.1 Standard Owner: IT
4.47.2 Standard References
NIST: CM-3 CM-4
GLBA: Effective
GDPR:
ISO27001: A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 A.14.2.3
HIPAA:
PCI-DSS: 1.5,2.2.4, 2.5, 3.7, 4.3, 5.4, 6.3.1, 6.3.2, 6.4, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, 6.7,
7.3, 8.8, 9.10, 10.8, 11.6
4.47.3 Standard
The organization will develop, document, implement, and maintain a change management process for managing changes to production systems containing Clarkson-Restricted data.
This process will address:
- Documentation of security impact analysis, functionality testing, back out procedures
- The documentation and retention of change records
- Review and authorization of changes with explicit consideration for security impact analyses
- Coordination and communication of changes
- Oversight for proposed configuration-controlled changes
- If a new application or changed application that stores non-Public Information, the system will store evidence of a vulnerability scan
- The removal of development, test and/or custom application accounts, user IDs, and passwords before the application become active or are released into production
- The removal of custom code prior to production release
- Where possible, separate development, test, and production systems
- Separation of duties between development/test and production systems
- Credit cardholder data is not being stored
- Removal of test data
4.48 Access Restrictions for Change
4.48.1 Standard Owner: IT
4.48.2 Standard References
NIST: CM-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.3, A.9.4.5, A.12.1.2, A.12.1.4, A.12.5.1
HIPAA:
PCI-DSS: 2.2.4
4.48.3 Standard
IT administrators or authorized vendors will be the only groups who have administrator access to servers
4.49 Configuration Setti ngs
4.49.1 Standard Owner: IT
4.49.2 Standard References
NIST: CM-6
GLBA: Draft
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 2.2,2.2.4, 8.1.8
4.49.3 Standard
Where technically feasible, computing devices will be electronically locked when they are no longer in use:
- Servers: 10 minutes
- Laptops and Desktops: 15 minutes
- Mobile Devices (smart phones, tablets): 3 minutes
- Network Devices: 10 minutes
Exceptions to this standard will be granted and must be approved by the Director of Network Svcs and Information Security.
4.50 Configuration Setti ngs
4.50.1 Standard Owner: IT
4.50.2 Standard References
NIST: CM-6
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.50.3 Standard
Configuration-controlled computing devices will be sampled and scanned every 6 months to identify, document, implement, and approve any deviations to the configuration setti ngs in accordance with the Hardening Configuration Standards.
4.51 Least Functionality
4.51.1 Standard Owner: IT
4.51.2 Standard References
NIST: CM-7
GLBA: Effective
GDPR:
ISO27001: A.12.5.1*
HIPAA:
PCI-DSS: 2.2.1
4.51.3 Standard
Where economically feasible, only one primary function can be assigned to a production server to prevent functions that require different security levels from co-existing on the same server (For example, web servers, database servers, and DNS will be implemented on separate servers). This includes one primary function per virtualized system instance.
4.52 Information System Component Inventory
4.52.1 Standard Owner: IT
4.52.2 Standard References
NIST: CM-8
GLBA: On Hold
GDPR:
ISO27001: A.8.1.1, A.8.1.2
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii)
PCI-DSS: 2.2.4,2.4, 7.2.1, 9.7.1, 9.9.1, 11.1.1, 12.2
4.52.3 Standard
In order to maintain an inventory of all information systems, approved technologies, and electronic media, and to ensure computing assets comply with configuration standards, the Change Management process will identify and update asset inventories.
4.53 Software Usage Restrictions
4.53.1 Standard Owner: IT
4.53.2 Standard References
NIST: CM-10
GLBA: Effective
GDPR:
ISO27001: A.18.1.2
HIPAA:
PCI-DSS:
4.53.3 Standard
All software usage will be tracked, and controlled in accordance with contract requirements and copyright laws.
4.54 Software Usage Restrictions
4.54.1 Standard Owner: IT
4.54.2 Standard References
NIST: CM-10
GLBA: Effective
GDPR:
ISO27001: A.18.1.2
HIPAA:
PCI-DSS:
4.54.3 Standard
Peer to Peer software is prohibited.
4.55 User-Installed Software
4.55.1 Standard Owner: IT
4.55.2 Standard References
NIST: CM-11
GLBA: Effective
GDPR:
ISO27001: A.12.5.1, A.12.6.2
HIPAA:
PCI-DSS: 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7
4.55.3 Standard
Software programs will not be installed on workstations or servers without prior authorizations. Only approved software will be installed on organizational assets.
4.56 Contingency Planning Policy and Procedures
4.56.1 Standard Owner: Operations
4.56.2 Standard References
NIST: CP-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(7)(i)
PCI-DSS: 12.1, 12.1.1
4.56.3 Standard
The organization will:
- Develop, document, and disseminate standards and an emergency operations center (EOC) contingency plan that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of the
- Review and update the standards and the EOC contingency plan and associated procedures, at a minimum,
- Ensure that contingency plans have adequately addressed safeguarding critical information during a serious outage or
4.57 Contingency Plan
4.57.1 Standard Owner: Operations
4.57.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.57.3 Standard
The organization develops and maintains a Business Impact Assessment process to identify and regularly analyze the criticality of organization information systems.
4.58 Contingency Plan
4.58.1 Standard Owner: Operations
4.58.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.58.3 Standard
The organization will have a Continuity Plan both preparing for and effectively responding to emergencies and disasters that may damage the confidentiality, integrity, or availability of its information systems. At a minimum, the plan will address:
- Identification of significant processes and controls that protect the confidentiality, integrity, and availability of Non-Public Information on organization information
- Identification and prioritization of emergencies that may impact organization information systems containing Non-Public Information.
- Documenting procedures for how organization will respond to specific emergencies that impact information systems containing Non-Public
- Define procedures for how organization, during and immediately after a crisis situation, will maintain the processes and controls that ensure the availability, integrity and confidentiality of Non-Public Information on organization information systems.
- Define a procedure that ensures that authorized employees can enter organization facilities to enable continuation of processes and controls that protect Non-Public Information while organization is operating in emergency
- Return to normal procedures
4.59 Contingency Plan
4.59.1 Standard Owner: Operations
4.59.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.59.3 Standard
IT will create and document a disaster recovery plan to support the BCP. The plan will be reviewed regularly and revised as necessary. At a minimum, the recovery plan will include:
- The conditions for activating the
- Identification and definition of organization workforce member
- Resumption procedures (manual and automated) which describe the actions to be taken to return organization information systems to normal operations within required time
- Notification and reporting
- Procedure(s) for allowing appropriate employees physical access to organization facilities so that they can implement recovery procedures in the event of a
4.60 Contingency Plan
4.60.1 Standard Owner: Operations
4.60.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.60.3 Standard
4.61 Contingency Plan
4.61.1 Standard Owner: Operations
4.61.2 Standard References
NIST: CP-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.17.1.1, A.17.2.1
HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)
PCI-DSS:
4.61.3 Standard
The organization’s contingency plans will be kept current. Examples of events that will result in an update of the plan include, but are not limited to:
- Change in disaster recovery
- Change in contact information for disaster recovery
- Significant change(s) to organization’s technical or physical
- Change in key suppliers or
- Significant change in threats to organization facilities or information
4.62 Contingency Training
4.62.1 Standard Owner: Operations
4.62.2 Standard References
NIST: CP-3
GLBA: On Hold
GDPR:
ISO27001: A.7.2.2* HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:
4.62.3 Standard
Organization workforce members will receive training and awareness on organization’s disaster preparation and disaster and emergency response processes
4.63 Contingency Plan Testing
4.63.1 Standard Owner: IT
4.63.2 Standard References
NIST: CP-4
GLBA: Effective
GDPR:
ISO27001: A.17.1.3 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:
4.63.3 Standard
The Disaster Recovery plan will be tested for select systems, at a minimum, annually.
4.64 Contingency Plan Testing
4.64.1 Standard Owner: IT
4.64.2 Standard References
NIST: CP-4
GLBA: Effective
GDPR:
ISO27001: A.17.1.3 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:
4.64.3 Standard
Backup & Recovery Procedure will be tested at least annually.
4.65 Contingency Plan Testing
4.65.1 Standard Owner: IT
4.65.2 Standard References
NIST: CP-4
GLBA: On Hold
GDPR:
ISO27001: A.17.1.4 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:
4.65.3 Standard
The results of the DRP test will be formally documented and presented to appropriate organization management. The contingency plan will be revised as necessary to address issues or gaps identified in the testing process
4.66 Alternate Storage Site
4.66.1 Standard Owner: IT
4.66.2 Standard References
NIST: CP-6
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.17.1.2, A.17.2.1 HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i) PCI-DSS: 9.5.1
4.66.3 Standard
Backup copies of Clarkson-Restricted Information will be stored at a secure, remote location at a minimum of 100 miles from the system of record for which the backups were made.
4.67 Alternate Processing Site
4.67.1 Standard Owner: IT
4.67.2 Standard References
NIST: CP-7
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.17.1.2, A.17.2.1 HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i) PCI-DSS:
4.67.3 Standard
The organization and/or its cloud-based vendors will provide at least one alternative processing site should the primary site become unavailable.
4.68 Information System Backup
4.68.1 Standard Owner: IT
4.68.2 Standard References
NIST: CP-9
GLBA: Effective
GDPR:
ISO27001: A.12.3.1, A.17.1.2, A.18.1.3
HIPAA: 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.310(d)(2)(iv)
PCI-DSS:
4.68.3 Standard
The organization will have a formal, documented backup plan for its information systems. At a minimum, the plan will:
- Identify information systems and electronic media to be backed
- Provide a backup
- Identify where backup media are stored and who may access
- Outline restoration
- Identify who is responsible for ensuring the backup of information systems and electronic media
4.69 Information System Backup
4.69.1 Standard Owner: IT
4.69.2 Standard References
NIST: CP-9
GLBA: Effective
GDPR:
ISO27001: A.12.3.1, A.17.1.2, A.18.1.4
HIPAA: 164.308(a)(7)(ii)(B)
PCI-DSS:
4.69.3 Standard
Backup copies of all non-Clarkson-Public Information on organization electronic media and information systems will be made regularly. This includes both Non-Public Information received by organization and created within organization
4.70 Identification and Authentication Policy and Procedures
4.70.1 Standard Owner: Tech Services
4.70.2 Standard References
NIST: IA-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA:
PCI-DSS: 12.1, 12.1.1
4.70.3 Standard
The organization will:
- Develop, document, and disseminate identification and authentication standards that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.71 Identification and Authentication (Organizational Users)
4.71.1 Standard Owner: HR
4.71.2 Standard References
NIST: IA-2
GLBA: Draft
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.8,12.6,12.6.1
4.71.3 Standard
All new organization employees will receive appropriate security training before being provided with account credentials that would allow access to organizational information systems.
4.72 Identification and Authentication (Organizational Users)
4.72.1 Standard Owner: HR
4.72.2 Standard References
NIST: IA-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.1.1, 8.2, 8.5,12.5.3
4.72.3 Standard
Each user and system account will have a unique user ID. Every account will be required to have a password. Shared accounts are prohibited. All exceptions must be approved by the Director of Network Services and Information Security.
4.73 Identification and Authentication (Organizational Users)
4.73.1 Standard Owner: Tech Services
4.73.2 Standard References
NIST: IA-2
GLBA: On Hold
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.5,12.5.3
4.73.3 Standard
Group accounts will not be used. All exceptions must be approved by the CSO.
4.74 Identification and Authentication (Organizational Users)
4.74.1 Standard Owner: Tech Services
4.74.2 Standard References
NIST: IA-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.2.6
4.74.3 Standard
To the extent practicable, all new user accounts will have a randomly generated first time password.
4.75 Identification and Authentication (Organizational Users)
4.75.1 Standard Owner: HR
4.75.2 Standard References
NIST: IA-2
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 8.5.1,12.5.3
4.75.3 Standard
Authentication credentials and methods will not be shared or revealed to others. Sharing an authentication method means the authorized user assumes responsibility for actions that another party takes with the disclosed method.
4.76 Identifier Management
4.76.1 Standard Owner: Tech Services
4.76.2 Standard References
NIST: IA-4
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)
PCI-DSS: 12.5.3
4.76.3 Standard
User IDs will be unique to individuals.
4.77 Authenticator Management
4.77.1 Standard Owner: Tech Services
4.77.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.6
4.77.3 Standard
Where practicable, initial use of an account, a password reset will be required. For this password reset, the user will be authenticated by a combination of unique information provided by the individual and information provided by Clarkson University
4.78 Authenticator Management
4.78.1 Standard Owner: Tech Services
4.78.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS:
Standard
User IDs and passwords will never be distributed in the same communication
4.79 Authenticator Management
4.79.1 Standard Owner: Tech Services
4.79.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.2
4.79.3 Standard
A formal, documented process for authenticating identities will exist for users needing a password reset
4.80 Authenticator Management
4.80.1 Standard Owner: Tech Services
4.80.2 Standard References
NIST: IA-5
GLBA: On Hold
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.4
4.80.3 Standard
Passwords will be changed every 180 days. Accounts used to process, transmit, or store credit cardholder data will be changed every 60 days.
4.81 Authenticator Management
4.81.1 Standard Owner: Tech Services
4.81.2 Standard References
NIST: IA-5
GLBA: Draft
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.5
4.81.3 Standard
Passwords will not be allowed to be re-used based on the previous 20 passwords which were used prior to the password reset.
4.82 Authenticator Management
4.82.1 Standard Owner: Tech Services
4.82.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.3
4.82.3 Standard
Passwords will conform to a minimal complexity standard. That standard mandates a mix of numeric, alphabetical, and special characters. Passwords will be a minimum length of 10 characters
4.83 Authenticator Management
4.83.1 Standard Owner: Tech Services
4.83.2 Standard References
NIST: IA-5
GLBA: Effective
GDPR:
ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS: 8.2.3
4.83.3 Standard
Passwords will not be based on something that can be easily guessed or obtained using personal information (e.g., names, favorite sports team, etc.)
4.84 Authenticator Feedback
4.84.1 Standard Owner: Tech Services
4.84.2 Standard References
NIST: IA-6
GLBA: Effective
GDPR:
ISO27001: A.9.4.2
HIPAA: 164.308(a)(5)(ii)(D)
PCI-DSS:
4.84.3 Standard
All password and PIN based authentication systems will be masked, suppressed, or otherwise obscured so that unauthorized persons are not able to observe them
4.85 Cryptographic Module Authentication
4.85.1 Standard Owner: Tech Services
4.85.2 Standard References
NIST: IA-7
GLBA: Effective
GDPR:
ISO27001: A.18.1.5 HIPAA: 164.308(a)(5)(ii)(D) PCI-DSS: 8.2.1
4.85.3 Standard
Passwords will be encrypted, in storage, using a one-way encryption algorithm.
4.86 Identification and Authentication (Non- Organizational Users)
4.86.1 Standard Owner: Tech Services
4.86.2 Standard References
NIST: IA-8
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA:
PCI-DSS: 8.2.1
4.86.3 Standard
Methods (e.g., password or PIN) for authentication to organization information systems will not be built into logon scripts.
4.87 Identification and Authentication (Non- Organizational Users)
4.87.1 Standard Owner: Tech Services
4.87.2 Standard References
NIST: IA-8
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA:
PCI-DSS: 2.1, 2.5
4.87.3 Standard
Vendor provided default accounts will be changed.
4.88 Identification and Authentication (Non- Organizational Users)
4.88.1 Standard Owner: Tech Services
4.88.2 Standard References
NIST: IA-8
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA:
PCI-DSS: 8.1.5
4.88.3 Standard
Guest access will be limited to minimal functions to bridge the need for a secure environment with the need to provide courtesy services to visitors.
4.89 Identification and Authentication (Non- Organizational Users)
4.89.1 Standard Owner: Tech Services
4.89.2 Standard References
NIST: IA-8
GLBA: Effective
GDPR:
ISO27001: A.9.2.1
HIPAA:
PCI-DSS: 8.1.5.12.5.3
4.89.3 Standard
Where possible, guest accounts will not be created.
4.90 Service Identification and Authentication
4.90.1 Standard Owner: Tech Services
4.90.2 Standard References
NIST: IA-9
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.90.3 Standard
Service accounts will be requested and provisioned via the Access Control Procedure.
4.91 Adaptive Identification and Authentication
4.91.1 Standard Owner: Tech Services
4.91.2 Standard References
NIST: IA-10
GLBA: Validate GDPR: ISO27001: -- HIPAA:
PCI-DSS: 8.1.5, 8.3
4.91.3 Standard
Two-Multi-factor authentication is required for:
- Where supported by the system, all Privileged User access
- Where supported by the system, all non-Privileged User access which does not include use of the VPN, remote access to systems processing credit card information or access to customer information
- All use of the VPN
- All remote access to systems processing credit card information (PCI-DSS Requirement)
- All access of customer information (GLBA)
4.92 Policy & Procedures
4.92.1 Standard Owner: Information Security
4.92.2 Standard References
NIST: IR-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(6)(i)
PCI-DSS: 11.1.2,12.1,12.1.1,12.5.3 12.10.1
4.92.3 Standard
The organization will:
- Develop, document, and disseminate incident response standards and an incident response plan that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
- Develop and document a process for escalating reported incidents (e.g., automated, non-automated, service providers) in accordance with the Incident Response Plan
- Develop procedures to facilitate the implementation of these
- Review and update this policy and associated procedures, at a minimum,
4.93 Information Security
4.93.1 Standard Owner: Information Security
4.93.2 Standard References
NIST: IR-2
GLBA: On Hold
GDPR:
ISO27001: A.7.2.2* HIPAA: 164.308(a)(6)(i) PCI-DSS: 12.10.4
4.93.3 Standard
Regular training and awareness will be provided for organization workforce members who have been assigned a role in the Incident Response Plan or Incident Response Procedures
4.94 Incident Response Plan Testing
4.94.1 Standard Owner: Information Security
4.94.2 Standard References
NIST: IR-3
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(6)(i)
PCI-DSS: 12.10.2
4.94.3 Standard
The Incident Response Plan and Incident Response Procedures will be tested annually.
4.95 SIRT: authority to operate
4.95.1 Standard Owner: Information Security
4.95.2 Standard References
NIST: IR-4
GLBA: Effective
GDPR:
ISO27001: A.16.1.4, A.16.1.5, A.16.1.6
HIPAA: 164.308(a)(6)(ii)
PCI-DSS: 11.1.2
4.95.3 Standard
When responding to an incident, the Security Incident Response Team (SIRT) will take all appropriate actions to ensure that the confidentiality, integrity, and availability of organization information systems has not been compromised. Such actions can include, but are not limited to, temporarily removing an information system from the organization network, or blocking the building in which the incident occurred, requesting access to an information system or viewing data.
4.96 Monitoring & tracking incidents
4.96.1 Standard Owner: Information Security
4.96.2 Standard References
NIST: IR-5
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)
PCI-DSS: 12.10.6
4.96.3 Standard
The organization will have mechanisms for quantifying and monitoring the types, volumes and costs of security incidents. This information should be used to identify the need for improved or additional security controls
4.97 Security event escalation
4.97.1 Standard Owner: Information Security
4.97.2 Standard References
NIST: IR-6
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)
PCI-DSS: 11.1.2
4.97.3 Standard
Security events identified through logging and monitoring services will be escalated in accordance with Incident Response Procedures
4.98 Response to alarms
4.98.1 Standard Owner: Information Security
4.98.2 Standard References
NIST: IR-6
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii), 164.314(a)(2)(i)
PCI-DSS: 12.10.5
4.98.3 Standard
Incident Response Procedures will address the occurrence of alarms and appropriate escalation.
4.99 Compromised credentials
4.99.1 Standard Owner: Information Security
4.99.2 Standard References
NIST: IR-6
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)
PCI-DSS: 12.10, 12.10.1
4.99.3 Standard
The loss, theft, or inappropriate use of organization access credentials (e.g., passwords, FOBs or security tokens), assets (e.g., laptop, cell phones), or information will be reported to the IT Help Desk
4.100 Security Incident Response Plan (SIRP)
4.100.1 Standard Owner: Information Security
4.100.2 Standard References
NIST: IR-8
GLBA: Effective
GDPR:
ISO27001: A.16.1.1
HIPAA:
PCI-DSS: 11.1.2, 12.10, 12.10.1, 12.10.3
4.100.3 Standard
The organization will have a formal, documented process for quickly and effectively detecting and responding to security incidents that may impact the confidentiality, integrity, or availability of organization information systems. At a minimum, the process will include the following:
- A security incident response team (SIRT), whose membership may vary depending on the security
- Formal procedure enabling organization workforce members to report a security incident to appropriate persons including potential reporting to the organization Security Officer.
- Formal process for analyzing and identifying the cause(s) of a security
- References to emergency access procedures
- Formal process for activation of the
- Formal procedure for communication with all organization workforce members affected by or responding to a security incident.
- Formal procedure for collecting evidence of a security
- Formal mechanisms for evaluating security incidents and implementing appropriate mitigations to prevent further recurrence.
- Data breach protocols
- Quantifying incident types and frequency
- Designating specific personnel who receive alerts on a 24/7 basis
4.101 Information Security
4.101.1 Standard Owner: Information Security
4.101.2 Standard References
NIST: IR-9
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.101.3 Standard
Standard templates for breach notification will be developed and maintained.
4.102 SIRT membership roster
4.102.1 Standard Owner: Information Security
4.102.2 Standard References
NIST: IR-10
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 12.1,12.1.1,12.10.1
4.102.3 Standard
The SIRT will be defined in the Incident Response Plan, and updated at a minimum, annually.
4.103 System Maintenance Policy and Procedures
4.103.1 Standard Owner: IT
4.103.2 Standard References
NIST: MA-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.310(a)(2)(iv)
PCI-DSS: 12.1, 12.1.1
4.103.3 Standard
The organization will:
- Develop, document, and disseminate maintenance standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.104 Controlled Maintenance
4.104.1 Standard Owner: IT
4.104.2 Standard References
NIST: MA-2
GLBA: Effective
GDPR:
ISO27001: A.11.2.4*, A.11.2.5*
HIPAA: 164.310(a)(2)(iv)
PCI-DSS:
4.104.3 Standard
System Maintenance will be done in the safest method possible. If it requires bringing a system down to avoid an accidental crash, that is the method which will be used
4.105 Controlled Maintenance
4.105.1 Standard Owner: Facilities; | IT |
4.105.2 Standard References
NIST: MA-2
GLBA: Effective
GDPR:
ISO27001: A.11.2.4*, A.11.2.5*
HIPAA: 164.310(a)(2)(iv)
PCI-DSS:
4.105.3 Standard
The organization will document all repairs and modifications to the physical components of its facilities that are related to security of Non-public Information. Physical components include, but are not limited to, automated physical access systems, locks, doors and walls.
4.106 Maintenance Personnel
4.106.1 Standard Owner: IT
4.106.2 Standard References
NIST: MA-5
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(3)(ii)(A)
PCI-DSS: 9.4.1
4.106.3 Standard
When being performed by external vendors, maintenance personnel will be escorted into the location where the work is to be performed and monitored while the work is being performed
4.107 Timely Maintenance
4.107.1 Standard Owner: IT
4.107.2 Standard References
NIST: MA-6
GLBA: Effective
GDPR:
ISO27001: A.11.2.4 HIPAA: 164.310(a)(2)(iv) PCI-DSS:
4.107.3 Standard
Where possible and cost-effective, replacement parts will be kept on site for faster remediation (such as hard drives)
4.108 Timely Maintenance
4.108.1 Standard Owner: Facilities; | IT |
4.108.2 Standard References
NIST: MA-6
GLBA: Effective
GDPR:
ISO27001: A.11.2.4 HIPAA: 164.310(a)(2)(iv) PCI-DSS:
4.108.3 Standard
Malfunctioning alarms will be repaired within 5 business days or as soon as possible, based on the determination of their malfunction.
4.109 Media Protection Policy and Procedures
4.109.1 Standard Owner: Information Technology
4.109.2 Standard References
NIST: MP-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.310(d)(1)
PCI-DSS: 12.1, 12.1.1
4.109.3 Standard
The organization will
- Develop, document, and disseminate media protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.110 Media Access
4.110.1 Standard Owner: Information Technology
4.110.2 Standard References
NIST: MP-2
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.308(a)(3)(ii)(A) , 164.310(c), 164.310(d)(1), 164.312(c)(1)
PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5
4.110.3 Standard
It is prohibited to store any information that is not Clarkson-Public on home computers or personal devices.
4.111 Media Marking
4.111.1 Standard Owner: Information Technology
4.111.2 Standard References
NIST: MP-3
GLBA: On Hold
GDPR:
ISO27001: A.8.2.2
HIPAA: 164.310(c), 164.310(d)(1)
PCI-DSS: 9.6.1
4.111.3 Standard
All organization information will be classified and marked in accordance with the Data Classification Policy
4.112 Media Storage
4.112.1 Standard Owner: Information Technology
4.112.2 Standard References
NIST: MP-4
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 3.1,4.2
4.112.3 Standard
The writing or storage of information classified as 'Clarson Private' on personal-liable mobile devices (phones, tablets, USB drives) and removable media is prohibited.
4.113 Media Storage
4.113.1 Standard Owner: Information Technology
4.113.2 Standard References
NIST: MP-4
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS:
4.113.3 Standard
Workstations (laptops and desktops) that store Non-Public Information will be encrypted using a pre-boot, full disk configuration
4.114 Media Storage
4.114.1 Standard Owner: Finance | Compliance
4.114.2 Standard References
NIST: MP-4
GLBA: Validate
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5
4.114.3 Standard
Storing electronic cardholder information is prohibited. This includes:
- Any information on the front of the credit card (or PAN)
- Sensitive authentication data (during credit cardholder processing)
- Any contents of any track on a credit card (the magnetic stripe)
- The card verification code (CVV/CID)
- Personal Identification Numbers (PINs)
4.115 Media Storage
4.115.1 Standard Owner: Finance
4.115.2 Standard References
NIST: MP-4
GLBA: Validate
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 9.5, 9.6, 9.8, 9.8.1
4.115.3 Standard
Storing of non-electronic cardholder data is permissible, provided the following exist:
- Only the information on the front of the credit card (or PAN) is retained
- The card verification code on the back of the card is not retained (CVV/CID)
- Personal Identification Numbers (PINs) are not retained
- Retention schedules have been defined and documented
- A documented process for destroying non-electronic information is being followed and compliant with Data Destruction Procedures
- Information has appropriate physical safeguards in place
4.116 Media Storage
4.116.1 Standard Owner: Information Technology |
4.116.2 Standard References
NIST: MP-4
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 3.1
4.116.3 Standard
The retention period for backups of Non-Clarkson-Public Information will be defined and documented in accordance with state, federal, and other regulatory requirements
4.117 Media Storage
4.117.1 Standard Owner: Information Technology |
4.117.2 Standard References
NIST: MP-4
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.11.2.9
HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)
PCI-DSS: 9.5,9.5.1
4.117.3 Standard
All backups of electronic Non-Public Information, in storage, will be encrypted. All backups of non-electronic Non-Public Information, in storage, will be physically secured.
4.118 Media Transport
4.118.1 Standard Owner: Information Technology |
4.118.2 Standard References
NIST: MP-5
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS: 4.2
4.118.3 Standard
Transmission of Non-Clarkson-Public Information by non-corporate messaging technologies (for example, personal e-mail, instant messaging, SMS, chat, etc.) is prohibited.
4.119 Media Transport
4.119.1 Standard Owner: Information Technology |
4.119.2 Standard References
NIST: MP-5
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS:
4.119.3 Standard
Removable media used for backups will be kept secure while in transit
4.120 Media Transport
4.120.1 Standard Owner: Information Technology |
4.120.2 Standard References
NIST: MP-5
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS: 9.6.3
4.120.3 Standard
All movement of organization information systems and media containing Non-Public Information into and out the facilities must be authorized
4.121 Media Transport
4.121.1 Standard Owner: Information Technology |
4.121.2 Standard References
NIST: MP-5
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS: 9.6.2
4.121.3 Standard
All media containing Non-Clarkson-Public Information that will be mailed offsite will be transported using a secure carrier or via an encrypted device.
4.122 Media Transport
4.122.1 Standard Owner: Information Technology |
4.122.2 Standard References
NIST: MP-5
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6
HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)
PCI-DSS: 9.6.3
4.122.3 Standard
- Date and time of movement of system or media
- Brief description of person using or sending Non-Public Information on system or media
- Brief description of where Non-Public Information is to be sent or how used
- Name of person authorizing such transaction
4.123 Media Sanitization
4.123.1 Standard Owner: Information Technology |
4.123.2 Standard References
NIST: MP-6
GLBA: Draft
GDPR:
ISO27001: A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
HIPAA: 164.310(d)(1), 164.310(d)(2)(i), 164.310(d)(2)(ii)
PCI-DSS: 3.1, 9.8, 9.8.1, 9.8.2
4.123.3 Standard
All Non-Public Information must be destroyed in a manner compliant with NIST 800-88 or utilizing a NAID certified supplier. Documented procedures for destroying Non-Public Information must address:
- The destruction of data when storage media is end-of-life or has failed
- When retention schedules have been met
4.124 Media Use
4.124.1 Standard Owner: Information Technology |
4.124.2 Standard References
NIST: MP-7
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5
4.124.3 Standard
Whenever practical, all workforce members and service providers will use approved workstations or devices to access organizational data, systems, or networks.
4.125 Media Use
4.125.1 Standard Owner: Information Technology |
4.125.2 Standard References
NIST: MP-7
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS:
4.125.3 Standard
All workforce members who use organization workstations will take all reasonable precautions to protect the confidentiality, integrity, and availability of Non-Public Information contained on the workstations
4.126 Media Use
4.126.1 Standard Owner: Information Technology |
4.126.2 Standard References
NIST: MP-7
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS:
4.126.3 Standard
Workforce members will not use organization workstations to engage in any activity that is either illegal under local, state, federal, or international law or is in violation of organization policy
4.127 Media Use
4.127.1 Standard Owner: Information Technology |
4.127.2 Standard References
NIST: MP-7
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS:
4.127.3 Standard
Organization employees and affiliates who authorize the movement of electronic media, non-public information, or information systems containing Non-Public Information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized access
4.128 Media Use
4.128.1 Standard Owner: Information Technology |
4.128.2 Standard References
NIST: MP-7
GLBA: On Hold
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS:
4.128.3 Standard
Organization workstations will be used only for authorized business purposes. Such use demonstrates respect for intellectual property, ownership of data, security controls, and individuals' rights to privacy.
4.129 Media Use
4.129.1 Standard Owner: Finance
4.129.2 Standard References
NIST: MP-7
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.8.3.1
HIPAA:
PCI-DSS: 3.3
4.129.3 Standard
Credit cardholder data (the PAN) must be masked when displayed (the first six and last four digits are all that can be displayed).
4.130 Personnel Security Policy and Procedures
4.130.1 Standard Owner: HR
4.130.2 Standard References
NIST: PS-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C)
PCI-DSS: 12.1, 12.1.1
4.130.3 Standard
The organization will:
- Develop, document, and disseminate personnel security standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards on a one-year
- Review and update these procedures, as-needed.
4.131 Position Risk Designation
4.131.1 Standard Owner: HR
4.131.2 Standard References
NIST: PS-2
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(3)(ii)(B)
PCI-DSS:
4.131.3 Standard
The organization will assign a Risk Designation to all departments.
4.132 Position Risk Designation
4.132.1 Standard Owner: HR
4.132.2 Standard References
NIST: PS-2
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(3)(ii)(B)
PCI-DSS: 12.6.2, 12.7
4.132.3 Standard
When defining a position, the organization human resources department and the hiring manager will assign a Risk Designation and identify the security responsibilities and supervision required for the position. Security responsibilities include general responsibilities for implementing or maintaining security, as well as any specific responsibilities for the protection of the confidentiality, integrity, or availability of organization information systems or processes
4.133 Personnel Screening
4.133.1 Standard Owner: HR
4.133.2 Standard References
NIST: PS-3
GLBA: On Hold
GDPR:
ISO27001: A.7.1.1
HIPAA:
PCI-DSS: 12.6.2
4.133.3 Standard
Based on risk designation, workforce members will be properly screened, trained, and acknowledge compliance with policies, procedures, and agreements prior to obtaining access to organization Non-Public Information or organization secure areas.
4.134 Personnel Screening
4.134.1 Standard Owner: HR
4.134.2 Standard References
NIST: PS-3
GLBA: Effective
GDPR:
ISO27001: A.7.1.1
HIPAA: 164.308(a)(3)(ii)(B)
PCI-DSS: 12.7
4.134.3 Standard
Background verification checks will be performed on employees and contractors prior to accessing protected or sensitive information. Background checks will be carried out in accordance with relevant laws, regulations, company policies, and ethics. The extent and type of screening will be based on Risk Designation. This includes:
- Verification of legal authority to work in the United States,
- Review of an individual record of criminal conviction history in all counties for all addresses provided in which the individual resided or worked for more than 30 days within the past seven years to ensure personnel have not been convicted of
- a felony offense within the past seven (7) years; or
- any misdemeanor related to violent crimes, property offense, substance abuse, or fraud. Criminal conviction history checks include a review of all federal, state and local criminal conviction records; and
- Verification that no personnel are listed on the Office of Inspector General (OIG) sanction and disqualification Background verification checks will also be performed prior to employee change in status, when necessary.
(Note: For purposes of these guidelines, the term “Criminal Conviction” includes probation, deferred adjudication and no contest pleas.
4.135 Personnel Termination
4.135.1 Standard Owner: HR
4.135.2 Standard References
NIST: PS-4
GLBA: Validate
GDPR:
ISO27001: A.7.3.1, A.8.1.4
HIPAA: 164.308(a)(3)(ii)(C)
PCI-DSS: 8.1.3
4.135.3 Standard
When workforce members provide advance notice of their intention to leave organization employment, the human resources department and the immediate manager will give notice to the persons or departments responsible for organization information system privileges granted the departing workforce member. Receipt and response to such notices will be tracked and logged. At a minimum, such tracking and logging will provide the following information:
- Date and time notice of employee departure received
- Date of planned employee departure
- Brief description of access to be terminated
- Date, time, and description of actions taken
4.136 Personnel Termination
4.136.1 Standard Owner: HR
4.136.2 Standard References
NIST: PS-4
GLBA: Validate
GDPR:
ISO27001: A.7.3.1, A.8.1.4
HIPAA: 164.308(a)(3)(ii)(C)
PCI-DSS: 9.2
4.136.3 Standard
When workforce members depart from organization, they will return all organization supplied equipment by the time of departure. Such equipment includes, but is not limited to:
- Assigned computing assets
- Name tags or name identification badges Building, desk or office keys
- Access cards
- Security tokens
4.137 Personnel Termination
4.137.1 Standard Owner: HR
4.137.2 Standard References
NIST: PS-4
GLBA: Validate
GDPR:
ISO27001: A.7.3.1, A.8.1.4
HIPAA: 164.308(a)(3)(ii)(C)
PCI-DSS:
4.137.3 Standard
The return of all equipment will be tracked and logged. At a minimum, such tracking and logging will provide the following information:
- Date and time
- Work force member’s name
- Brief description of returned items
4.138 Personnel Termination
4.138.1 Standard Owner: HR
4.138.2 Standard References
NIST: PS-4
GLBA: Validate
GDPR:
ISO27001: A.7.3.1, A.8.1.4
HIPAA: 164.308(a)(3)(ii)(C)
PCI-DSS:
4.138.3 Standard
If a departing workforce member has used cryptography on organization data, they will make the cryptographic keys available to appropriate management
4.139 Personnel Termination
4.139.1 Standard Owner: HR
4.139.2 Standard References
NIST: PS-4
GLBA: Effective
GDPR:
ISO27001: A.7.3.1, A.8.1.4
HIPAA: 164.308(a)(3)(ii)(C)
PCI-DSS: 7.1,7.1.2,7.1.3,8.1.3
4.139.3 Standard
When the employment of organization workforce members or service provider ends, accounts granting access to organization information will be disabled within 24 hours of leaving employment for staff and 90 days of leaving employment for faculty.
4.140 Personnel Termination
4.140.1 Standard Owner: HR
4.140.2 Standard References
NIST: PS-4
GLBA: Validate
GDPR:
ISO27001: A.7.3.1, A.8.1.4
HIPAA: 164.308(a)(3)(ii)(C)
PCI-DSS:
4.140.3 Standard
Separation agreements, acknowledging a terminated workforce members responsibilities for not retaining, distributing, or removing from organization premises any organization information will be signed by terminated employees
4.141 Personnel Termination
4.141.1 Standard Owner: HR
4.141.2 Standard References
NIST: PS-4
GLBA: Validate
GDPR:
ISO27001: A.7.3.1, A.8.1.4
HIPAA: 164.308(a)(3)(ii)(C)
PCI-DSS:
4.141.3 Standard
When organization workforce members’ employment ends, their computers’ resident files will be promptly reviewed by their immediate supervisors to determine the appropriate transfer or disposal of any Non-Public Information
4.142 Personnel Transfer
4.142.1 Standard Owner: HR
4.142.2 Standard References
NIST: PS-5
GLBA: Effective
GDPR:
ISO27001: A.7.3.1, A.8.1.4
HIPAA: 164.308(a)(3)(ii)(C)
PCI-DSS: 7.1,7.1.2,7.1.3,8.1.3
4.142.3 Standard
HR will notify IT and Facilities when workforce have transferred to new job roles or function. Access reviews will be performed to confirm ongoing operational need for current logical and physical access.
4.143 Access Agreements
4.143.1 Standard Owner: HR
4.143.2 Standard References
NIST: PS-6
GLBA: Effective
GDPR:
ISO27001: A.7.1.2, A.7.2.1, A.13.2.4
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(B), 164.310(d)(2)(iii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
PCI-DSS: 4.2
4.143.3 Standard
All users will agree to the Acceptable Use Policy as a condition for access to the organization's systems.
4.144 Access Agreements
4.144.1 Standard Owner: HR
4.144.2 Standard References
NIST: PS-6
GLBA: Effective
GDPR:
ISO27001: A.7.1.2, A.7.2.1, A.13.2.4
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(B), 164.310(d)(2)(iii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
PCI-DSS: 4.2
4.144.3 Standard
Where deemed by management, all organization employees will sign a “conditions of employment” document that affirms their responsibility for the protection of the confidentiality, integrity, or availability of organization information systems and processes. The document will include the sanctions that may be applied if employees do not meet their responsibilities
4.145 Third-Party Personnel Security
4.145.1 Standard Owner: HR
4.145.2 Standard References
NIST: PS-7
GLBA: Effective
GDPR:
ISO27001: A.6.1.1*, A.7.2.1*
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
PCI-DSS: 12.8.2,12.8.3,12.8.4,12.8.5
4.145.3 Standard
When job candidates are provided via an agency, organization contract with the agency will clearly state the agency’s responsibilities for reviewing the candidates’ backgrounds
4.146 Third-Party Personnel Security
4.146.1 Standard Owner: HR
4.146.2 Standard References
NIST: PS-7
GLBA: Effective
GDPR:
ISO27001: A.6.1.1*, A.7.2.1*
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
PCI-DSS: 12.8.2,12.8.3,12.8.4,12.8.5
4.146.3 Standard
All contracts with staffing agencies who will access, process, or transmit Non-Public Information or have reasonable access to Non-Public Information will clearly state the service provider’s responsibilities for reviewing the candidates backgrounds
4.147 Third-Party Personnel Security
4.147.1 Standard Owner: HR
4.147.2 Standard References
NIST: PS-7
GLBA: Effective
GDPR:
ISO27001: A.6.1.1*, A.7.2.1*
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
PCI-DSS: 4.2,12.8.2
4.147.3 Standard
All organization workforce members who access organization information systems containing Non-Public Information will sign a confidentiality agreement in which they agree not to provide Non-Public Information or to discuss Non-Public Information to which they have access to unauthorized persons. Confidentiality agreements will be reviewed and signed annually by organization workforce members who access organization information systems containing Non-Public Information.
4.148 Third-Party Personnel Security
4.148.1 Standard Owner: Compliance
4.148.2 Standard References
NIST: PS-7
GLBA: Draft
GDPR:
ISO27001: A.6.1.1*, A.7.2.1*
HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
PCI-DSS: 12.8.2
4.148.3 Standard
If a service provider handles organization Non-Public Information and has any change to its policies and standards or cannot comply with organization policies and standards, that party will notify the organization.
4.149 Personnel Sanctions
4.149.1 Standard Owner: HR
4.149.2 Standard References
NIST: PS-8
GLBA: Effective
GDPR:
ISO27001: A.7.2.3
HIPAA: 164.308(a)(1)(ii)
PCI-DSS: 4.2,12.8.2
4.149.3 Standard
Organization workforce members will comply with all applicable security standards and procedures. Failure to comply with these policies, may result in implementation of progressive discipline process.
4.150 Personnel Sanctions
4.150.1 Standard Owner: HR
4.150.2 Standard References
NIST: PS-8
GLBA: Effective
GDPR:
ISO27001: A.7.2.3
HIPAA:
PCI-DSS: 4.2
4.150.3 Standard
The organization will have a formal, documented sanctions process for applying appropriate sanctions against workforce members who do not comply with its security policies and procedures. At a minimum, the process will include:
- Procedures for detecting and reporting workforce members’ non-compliance with organization security policies and
- Identification and definition of levels of sanctions, including their relative
- Identification of cause and rationale for issuing of
- A defined, formal method for evaluating the severity of non-compliance with the organization’s security policies and procedures
4.151 Personnel Sanctions
4.151.1 Standard Owner: HR
4.151.2 Standard References
NIST: PS-8
GLBA: Effective
GDPR:
ISO27001: A.7.2.3
HIPAA:
PCI-DSS: 4.2
4.151.3 Standard
Sanctions can include but are not limited to:
- Suspension
- Required retraining
- Letter of reprimand
- Termination
4.152 Physical and Environmental Protection Policy and Procedures
4.152.1 Standard Owner: IT; | Safety Team
4.152.2 Standard References
NIST: PE-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)
PCI-DSS: 12.1, 12.1.1
4.152.3 Standard
The organization will:
- Develop, document, and disseminate physical and environmental protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of this
- Review and update this policy and associated procedures, at a minimum,
- Implement appropriate property signage; placement will be in compliance with local
4.153 Physical and Environmental Protection Policy and Procedures
4.153.1 Standard Owner: Facilities
4.153.2 Standard References
NIST: PE-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)
PCI-DSS:
4.153.3 Standard
The level of physical protection provided for organization information systems containing Non-public Information will be commensurate with that of identified risks
4.154 Physical and Environmental Protection Policy and Procedures
4.154.1 Standard Owner: Facilities
4.154.2 Standard References
NIST: PE-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)
PCI-DSS:
4.154.3 Standard
Fire escapes and ladders will be accessible for exit during an emergency where applicable.
4.155 Physical and Environmental Protection Policy and Procedures
4.155.1 Standard Owner: Information Security
4.155.2 Standard References
NIST: PE-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)
PCI-DSS:
4.155.3 Standard
Doors connected to the access control system and all emergency exits will be equipped with automatic closers, designed so the door will secure itself after being opened. Doors will not be propped open or equipped with a device, such as a doorstop, that would enable the door to be propped open
4.156 Physical Access Authorizations
4.156.1 Standard Owner: Information Security
4.156.2 Standard References
NIST: PE-2
GLBA: Effective
GDPR:
ISO27001: A.11.1.2* HIPAA: 164.310(a)(1) PCI-DSS:
4.156.3 Standard
A list of those who have access to organization equipment (facilities that house information systems, or the systems themselves) will be developed and maintained internally and shared with FSI Committee. This list will be regularly reviewed, especially after any terminations.
4.157 Physical Access Authorizations
4.157.1 Standard Owner: Information Security
4.157.2 Standard References
NIST: PE-2
GLBA: Effective
GDPR:
ISO27001: A.11.1.2*
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii)
PCI-DSS: 9.1
4.157.3 Standard
All access to organization data centers will:
- Be tracked and reviewed Director of Network Services and Information Security
- Have access requests documented and retained for audit (1 year minimum)
- Be revoked promptly upon termination, or on notice of lengthy absence
4.158 Physical Access Control
4.158.1 Standard Owner: IT
4.158.2 Standard References
NIST: PE-3
GLBA: Effective
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS: 8.6, 9.2, 9.3
4.158.3 Standard
Organization workforce members will be issued ID cards compatible with the campus access security system. These ID cards will be deactivated upon termination or as necessary.
4.159 Physical Access Control
4.159.1 Standard Owner: IT
4.159.2 Standard References
NIST: PE-3
GLBA: Effective
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS:
4.159.3 Standard
Organization workforce members will activate their workstation locking software whenever they leave their workstation unattended. Organization workforce members will log off from or lock their workstation(s).
4.160 Physical Access Control
4.160.1 Standard Owner: IT
4.160.2 Standard References
NIST: PE-3
GLBA: Effective
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS:
4.160.3 Standard
Mobile devices that access Non-public Information will be physically secured when not in use and located to minimize the risk of unauthorized access.
4.161 Physical Access Control
4.161.1 Standard Owner: IT
4.161.2 Standard References
NIST: PE-3
GLBA: On Hold
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS:
4.161.3 Standard
Reasonable measures to prevent viewing Non-public Information on workstations by unauthorized persons will be employed commensurate with identified risks. Such measures include but are not limited to:
- Locating workstations and peripheral devices (printer, modem, scanner, ) in secured areas not accessible to unauthorized persons.
- Positioning monitors or shielding workstations so that data shown on the screen is not visible to unauthorized
4.162 Physical Access Control
4.162.1 Standard Owner: IT
4.162.2 Standard References
NIST: PE-3
GLBA: Effective
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS: 9.1
4.162.3 Standard
All information systems that store Non-public Information or information that is critical to the organization will be located in the organization’s data centers, or other approved location.
4.163 Physical Access Control
4.163.1 Standard Owner: IT
4.163.2 Standard References
NIST: PE-3
GLBA: Effective
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS:
4.163.3 Standard
All organization-provided portable workstations will be securely maintained when in the possession of workforce members. Where possible, such workstations will be handled as carry-on (hand) baggage on public transport. They will be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) when not in use.
4.164 Physical Access Control
4.164.1 Standard Owner: Facilities; | IT |
4.164.2 Standard References
NIST: PE-3
GLBA: Effective
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS:
4.164.3 Standard
Individuals will inform the issuer when a key or ClarksonID card is lost or stolen. Individuals will return all keys to the issuer when the keys are no longer needed
4.165 Physical Access Control
4.165.1 Standard Owner: IT
4.165.2 Standard References
NIST: PE-3
GLBA: Effective
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS: 9.1
4.165.3 Standard
Physical access to datacenters will have limited and controlled access and will be enforced by authorized proximity (Clarkson ID) cards.
4.166 Physical Access Control
4.166.1 Standard Owner: Information Security
4.166.2 Standard References
NIST: PE-3
GLBA: On Hold
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS:
4.166.3 Standard
A hardcopy diagram or chart of the facility will be prepared and kept up to date. The diagram will show the various alarm points and their locations throughout the facility
4.167 Physical Access Control
4.167.1 Standard Owner: Facilities
4.167.2 Standard References
NIST: PE-3
GLBA: Effective
GDPR:
ISO27001: A.11.1.1, A.11.1.2, A.11.1.3
HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)
PCI-DSS:
4.167.3 Standard
Organization delivery and loading areas will be controlled to prevent unauthorized access. Where possible, the following controls will be used:
- Access to a holding area from outside of the building will be restricted to identified and authorized
- The holding area will be designed so that supplies can be unloaded without delivery staff gaining access to other parts of the building.
- The external door(s) of a holding area will be secured when the internal door is
4.168 Access Control for Transmission Medium
4.168.1 Standard Owner: IT
4.168.2 Standard References
NIST: PE-4
GLBA: Effective
GDPR:
ISO27001: A.11.1.2, A.11.2.3
HIPAA: 164.310(a)(1), 164.310(c)
PCI-DSS: 9.1.3
4.168.3 Standard
Where possible, data connections to the server rooms or communication closets will be secured as much as possible. Tap points will be keyed to minimize access.
4.169 Access Control for Output Devices
4.169.1 Standard Owner: IT
4.169.2 Standard References
NIST: PE-4
GLBA: Effective
GDPR:
ISO27001: A.11.1.2, A.11.2.3
HIPAA: 164.310(a)(1), 164.310(c)
PCI-DSS: 9.1.2
4.169.3 Standard
Where possible, physical access to publicly accessible network jacks will be restricted.
4.170 Access Control for Output Devices
4.170.1 Standard Owner: IT
4.170.2 Standard References
NIST: PE-5
GLBA: Effective
GDPR:
ISO27001: A.11.1.2, A.11.2.3
HIPAA: 164.310(a)(1), 164.310(b), 164.310(c)
PCI-DSS: 9.5, 9.6
4.170.3 Standard
Printers and other output devices which produce sensitive data will be located in secured or monitored areas and printed output will be picked up as soon as possible, to the extent practicable.
4.171 Monitoring Physical Access
4.171.1 Standard Owner: Information Security
4.171.2 Standard References
NIST: PE-6
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS: 9.5,9.6.3
4.171.3 Standard
Equipment used to store, process or transmit non-public information (not including mobile devices and removable media) will not be taken off site without prior authorization by Information Security. An authorization procedure will be developed by Information Security should an exception be required.
4.172 Monitoring Physical Access
4.172.1 Standard Owner: Facilities; | IT |
4.172.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.172.3 Standard
Any malfunction or break in an alarm connection will be automatically reported as a device trouble alarm. Alarms will be tested annually and the results of those tests documented and retained
4.173 Monitoring Physical Access
4.173.1 Standard Owner: Facilities; | IT |
4.173.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS: 9.1.1
4.173.3 Standard
Video cameras or access control mechanisms will be employed to record and review individual physical access to secure areas
4.174 Monitoring Physical Access
4.174.1 Standard Owner: Information Security
4.174.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS: 9.1.1
4.174.3 Standard
Where practicable, video collected on digital recorders will be retained for at least 30 days. When a security event that requires further investigation has been recorded, the video will be copied and secured while awaiting action by the CSO.
4.175 Monitoring Physical Access
4.175.1 Standard Owner: Information Security
4.175.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.175.3 Standard
Door-held-open alarms will be installed and monitored on all data center doors.
4.176 Monitoring Physical Access
4.176.1 Standard Owner: Information Security
4.176.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.176.3 Standard
All access to organization data centers will:
- Be approved in writing by Director of Network Services and Information Security
- Have access requests documented and retained for audit (1 year minimum)
- Be reviewed annually by Director of Network Services and Information Security
4.177 Monitoring Physical Access
4.177.1 Standard Owner: Facilities
4.177.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.177.3 Standard
Vacant secure areas will be physically locked and periodically checked
4.178 Monitoring Physical Access
4.178.1 Standard Owner: Facilities
4.178.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.178.3 Standard
Where possible, workforce members will be informed if their work area is being monitored by security cameras. Cameras will not be used in areas where a reasonable expectation of privacy exists, such as locker rooms and rest rooms
4.179 Monitoring Physical Access
4.179.1 Standard Owner: Facilities
4.179.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.179.3 Standard
Director of Campus Safety and Security and Director of Network Services and Information Security are authorized to perform the initial review of video recordings of any suspected security event involving non-security personnel. Further review of this recording will be authorized by the Director of Network Services and Information Security, as necessary.
4.180 Monitoring Physical Access
4.180.1 Standard Owner: Information Security; | Facilities
4.180.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.180.3 Standard
Facilities and IT personnel will receive adequate training in the operation of the Camera system and recording software before being assigned to use the system.
4.181 Monitoring Physical Access
4.181.1 Standard Owner: IT
4.181.2 Standard References
NIST: PE-6
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.181.3 Standard
Where possible, cameras and microphones on recording systems will provide feedback indicating they are in use.
4.182 Monitoring Physical Access
4.182.1 Standard Owner: Facilities
4.182.2 Standard References
NIST: PE-6
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS:
4.182.3 Standard
Discreetly operable panic alarms will be installed and the alarms will terminate at a centralized location(s).
4.183 Visitor Access Records
4.183.1 Standard Owner: Information Security
4.183.2 Standard References
NIST: PE-8
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.310(a)(2)(iii)
PCI-DSS: 9.1, 9.2, 9.4, 9.4.1, 9.4.2, 9.4.3, 9.4.4
4.183.3 Standard
All approved vendors/contractors to data centers will:
- Be required to sign in, noting date, time, primary organization contact, company they are with, who their primary contact is, and business justification for the visit. This log will be retained for audit purposes
- Provide proof of identity, which will be verified
- Escorted in and out and monitored at all times
- Required to wear a badge identifying them as a visitor (and not a workforce member)
- Will have their access revoked once it is no longer needed
- Be required to surrender their badge upon leaving the facility
4.184 Power Equipment and Cabling
4.184.1 Standard Owner: Facilities; | IT |
4.184.2 Standard References
NIST: PE-9
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
HIPAA:
PCI-DSS: 9.1.3
4.184.3 Standard
Where possible, power and communications cabling carrying data or supporting information services will be protected from interception or damage
4.185 Power Equipment and Cabling
4.185.1 Standard Owner: Facilities; | IT |
4.185.2 Standard References
NIST: PE-9
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
HIPAA:
PCI-DSS:
4.185.3 Standard
Where possible, data center equipment will be protected from power failures and other disruptions caused by failures in supporting utilities.
4.186 Power Equipment and Cabling
4.186.1 Standard Owner: Facilities; | IT |
4.186.2 Standard References
NIST: PE-9
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
HIPAA:
PCI-DSS:
4.186.3 Standard
Generator systems and fuel storage tanks located outdoors will be protected by locked panels.
4.187 Power Equipment and Cabling
4.187.1 Standard Owner: Facilities; | IT |
4.187.2 Standard References
NIST: PE-9
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
HIPAA:
PCI-DSS: 9.1.3
4.187.3 Standard
Where possible, the physical wiring path for network and cabling connected to the organization's systems will be routed in physical space controlled by the organization or by an organization physical security delegate, except for cabling made from fiber optics.
4.188 Power Equipment and Cabling
4.188.1 Standard Owner: Facilities; | IT |
4.188.2 Standard References
NIST: PE-9
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
HIPAA:
PCI-DSS: 9.1.3
4.188.3 Standard
The termination points for Internet service provider (ISP), dedicated lines, and miscellaneous Internet connections for connectivity to the organization's private network will be located in a locked room where physical access is controlled by IT or a delegate.
4.189 Emergency Power
4.189.1 Standard Owner: Facilities; | IT |
4.189.2 Standard References
NIST: PE-11
GLBA: Effective
GDPR:
ISO27001: A.11.2.2
HIPAA:
PCI-DSS:
4.189.3 Standard
Where practicable, data centers will be designed to protect computer equipment; designs will include redundant electrical power sources.
4.190 Emergency Lighting
4.190.1 Standard Owner: Facilities; | IT |
4.190.2 Standard References
NIST: PE-12
GLBA: Effective
GDPR:
ISO27001: A.11.2.2*
HIPAA:
PCI-DSS:
4.190.3 Standard
Data centers will be designed to protect computer equipment; designs will include emergency lighting.
4.191 Fire Protection
4.191.1 Standard Owner: Facilities; | IT |
4.191.2 Standard References
NIST: PE-13
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.11.2.1
HIPAA:
PCI-DSS:
4.191.3 Standard
Data centers will be designed to protect computer equipment; designs and will include environmental controls and alarms for fire protection and suppression.
4.192 Fire Protection
4.192.1 Standard Owner: Facilities; | IT |
4.192.2 Standard References
NIST: PE-13
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.11.2.1
HIPAA:
PCI-DSS:
4.192.3 Standard
Local fire codes regarding safety and unimpeded emergency exits will be consulted and followed when establishing physical access controls
4.193 Temperature and Humidity Controls
4.193.1 Standard Owner: Facilities; | IT |
4.193.2 Standard References
NIST: PE-14
GLBA: Effective
GDPR:
ISO27001: A.11.1.4, A.11.2.1, A.11.2.2
HIPAA:
PCI-DSS:
4.193.3 Standard
Server rooms will need to have dedicated air-conditioning which is monitored for faults.
4.194 Location of Information system components
4.194.1 Standard Owner: Facilities; | IT |
4.194.2 Standard References
NIST: PE-18
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.11.1.4, A.11.2.1
HIPAA: 164.310(c)
PCI-DSS:
4.194.3 Standard
Raised floor environments will have barriers designed to prevent someone from gaining access through spaces under the floor, including under ramps and stairs
4.195 Security Planning Policy and Procedures
4.195.1 Standard Owner: Information Security
4.195.2 Standard References
NIST: PL-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.316(a)
PCI-DSS: 12.1, 12.1.1
4.195.3 Standard
The organization will:
- Develop, document, and disseminate security planning standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.196 System Security Plan
4.196.1 Standard Owner: Information Security
4.196.2 Standard References
NIST: PL-2
GLBA: On Hold
GDPR:
ISO27001: A.14.1.1
HIPAA: 164.310(a)(2)(ii), 164.316(a), 164.316(b)(1)
PCI-DSS:
4.196.3 Standard
Information Security will develop a security plan that categorizes information and encompasses the infrastructure and operational environment.
4.197 Rules of Behavior
4.197.1 Standard Owner: Information Security
4.197.2 Standard References
NIST: PL-4
GLBA: Effective
GDPR:
ISO27001: A.7.1.2, A.7.2.1, A.8.1.3
HIPAA:
PCI-DSS: 4.2,9.6.1
4.197.3 Standard
The organization will publish and maintain a Data Classification policy. The policy will be readily available for reference and review by appropriate employees, contractors, business associates, and service providers
4.198 Rules of Behavior
4.198.1 Standard Owner: Information Security
4.198.2 Standard References
NIST: PL-4
GLBA: Effective
GDPR:
ISO27001: A.7.1.2, A.7.2.1, A.8.1.3
HIPAA:
PCI-DSS: 4.2,9.6.1
4.198.3 Standard
The organization will publish and maintain an Acceptable Use policy. The policy will be readily available for reference and review by appropriate employees, contractors, business associates (HIPAA term), and service providers
4.199 Rules of Behavior
4.199.1 Standard Owner: HR
4.199.2 Standard References
NIST: PL-4
GLBA: Effective
GDPR:
ISO27001: A.7.1.2, A.7.2.1, A.8.1.3
HIPAA:
PCI-DSS: 12.1.1
4.199.3 Standard
A organization workforce member will not prevent another member from reporting a security incident.
4.200 Rules of Behavior
4.200.1 Standard Owner: Information Security
4.200.2 Standard References
NIST: PL-4
GLBA: Effective
GDPR:
ISO27001: A.7.1.2, A.7.2.1, A.8.1.3
HIPAA:
PCI-DSS: 3.2.2,3.2.3
4.200.3 Standard
Organization workforce members will not attempt to access, duplicate or transmit Non-public Information or gain physical access to secure areas for which they have not been given appropriate authorization.
4.201 Rules of Behavior
4.201.1 Standard Owner: Information Security
4.201.2 Standard References
NIST: PL-4
GLBA: On Hold
GDPR:
ISO27001: A.7.1.2, A.7.2.1, A.8.1.3
HIPAA:
PCI-DSS:
4.201.3 Standard
Photographic, video, audio, or other recording equipment will not be utilized in secure areas. Exceptions will be granted for monitoring the organization's data centers.
4.202 Information Security Program Plan
4.202.1 Standard Owner: Information Security
4.202.2 Standard References
NIST: PM-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.18.1.1, A.18.2.2
HIPAA:
PCI-DSS: 1.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.8, 9.10, 10.8,11.1.2, 11.6, 12.1, 12.1.1,12.10.1, 12.4
4.202.3 Standard
The organization will:
- Develop and disseminate information security program standards and a description of the security program management controls and common controls in place or planned for meeting those
- Establish and maintain organizational policies, standards, and procedures to address all relevant statutory and regulatory requirements, and ensure and support the confidentiality, integrity, and availability of its information
- Make relevant policies, standards, and procedures readily available to all effected
- Conduct a periodic formal review of policies, standards, and procedures for security and update them, at a minimum, annually.
4.203 Senior Information Security Officer
4.203.1 Standard Owner: Information Security
4.203.2 Standard References
NIST: PM-2
GLBA: Effective
GDPR:
ISO27001: A.6.1.1*
HIPAA:
PCI-DSS: 12.5, 12.5.1, 12.5.2, 12.5.3, 12.5.4, 12.5.5
4.203.3 Standard
The organization will appoint a Chief Security Officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. Responsibilities will include:
- Development, maintenance, and distribution of policies and procedures
- Ensuring responsibilities and assignment for monitoring alerts and responding to incidents is performed
- Development, maintenance, and implementation of a security incident response
- Ensure access control processes are defined and implemented
- Ensure all access control processes are monitored
4.204 Risk Management Strategy
4.204.1 Standard Owner: Information Security
4.204.2 Standard References
NIST: PM-9
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 2.4, 7.2.1,9.7 9.7.1, 9.9.1, 11.1.1, 12.2
4.204.3 Standard
The organization will conduct an organization-wide inventory to identify all of its information systems and electronic media that contain Non-public Information. Inventory results will be documented and stored in a secure manner, e.g., on a computer with appropriate file access permissions or in a locked drawer.
4.205 Risk Management Strategy
4.205.1 Standard Owner: Information Security
4.205.2 Standard References
NIST: PM-9
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 12.2
4.205.3 Standard
The organization will manage risk on a continuous basis and implement necessary security measures to ensure the confidentiality, integrity, and availability of information systems containing Non-public Information. A risk assessment will be performed, at a minimum, annually. Strategies for managing risk should be commensurate with the risks to such systems. One or more of the following methods may be used to manage risk:
- Risk acceptance
- Risk avoidance
- Risk mitigation
- Risk transference
4.206 Risk Management Strategy
4.206.1 Standard Owner: Information Security
4.206.2 Standard References
NIST: PM-9
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.206.3 Standard
The organization will implement security measures that reduce the risks to its information systems containing Non-public Information to reasonable and appropriate levels. Selection and implementation of such security measures will be based on a formal, documented risk management process.
4.207 Risk Management Strategy
4.207.1 Standard Owner: Information Security
4.207.2 Standard References
NIST: PM-9
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 6.2, 11.3.3,11.3.2, 11.3.4
4.207.3 Standard
Non-compliance with any organization policy or standard will be documented (as an exception), reviewed, and addressed where possible. Documented exceptions will include:
- The policy or standard where non-compliance may exist
- The specific non-compliant situation, service, or process
- The operational risk introduced by the gap
- Any current controls which may partially mitigate the risk
- If remediated, a corrective action plan (CAP) with a respective owner
- The acceptance of the risk and remediation plans
4.208 Risk Management Strategy
4.208.1 Standard Owner: Information Security
4.208.2 Standard References
NIST: PM-9
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.8.3
4.208.3 Standard
The organization will manage the security state of organizational information systems and the environments in which those systems operate through the security authorization processes. The Information Security Officer will be responsible for ensuring the performance of a risk assessment when appropriate for new services/capabilities/technologies before they can be implemented into production.
4.209 Risk Assessment Policy and Procedures
4.209.1 Standard Owner: Information Security
4.209.2 Standard References
NIST: RA-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(1)(i), 164.316(a)
PCI-DSS: 12.1, 12.1.1,12.8,12.8.1,12.8.2,12.8.3,12.8.4
4.209.3 Standard
The organization will:
- Develop, document, and disseminate risk assessment standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.210 Security Categorization
4.210.1 Standard Owner: Information Security
4.210.2 Standard References
NIST: RA-2
GLBA: Effective
GDPR:
ISO27001: A.8.2.1
HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(7)(ii)(E)
PCI-DSS: 2.4, 7.2.1, 9.7.1, 9.9.1, 11.1.1, 12.2
4.210.3 Standard
The organization will categorize and document information and the information systems in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance.
4.211 Risk Assessment
4.211.1 Standard Owner: Information Security
4.211.2 Standard References
NIST: RA-3
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.316(a)
PCI-DSS: 12.2,12.8.4
4.211.3 Standard
An organizational security risk assessment will be conducted, at a minimum, on a three year cycle. Results from the analysis will be documented and presented to organization management. The criticality analysis report will be securely maintained.
4.212 Risk Assessment
4.212.1 Standard Owner: Procurement
4.212.2 Standard References
NIST: RA-3
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.316(a)
PCI-DSS: 12.8.4
4.212.3 Standard
Service providers with access to sensitive data will be reviewed at each contract renewal or whenever there is a significant security incident or a change to a system or service provided to the organization
4.213 Risk Assessment
4.213.1 Standard Owner: Information Security
4.213.2 Standard References
NIST: RA-3
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.316(a)
PCI-DSS: 9.5.1,12.1, 12.1.1,12.8,12.8.1,12.8.2,12.8.3,12.8.4
4.213.3 Standard
At a minimum, the organization risk management process will address the following:
- Assessment and prioritization of risks to organization information systems containing Non-public
- Selection and implementation of reasonable, appropriate, and cost-effective security measures to manage, mitigate, or accept identified
- Review, prior to implementation, of all critical systems or services
- Review, prior to implementation, credit card processing capabilities to a new or existing system
4.214 Risk Assessment
4.214.1 Standard Owner: Information Security
4.214.2 Standard References
NIST: RA-3
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.316(a)
PCI-DSS: 12.2,12.8.3
4.214.3 Standard
The risk assessment process will be based on an acceptable industry standard.
4.215 Risk Assessment
4.215.1 Standard Owner: Information Security
4.215.2 Standard References
NIST: RA-3
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.316(a)
PCI-DSS: 12.2,12.8.2
4.215.3 Standard
Judgments used in risk analyses, such as assumptions, defaults, and uncertainties, should be explicitly stated and documented.
4.216 Risk Assessment
4.216.1 Standard Owner: Information Security
4.216.2 Standard References
NIST: RA-3
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.316(a)
PCI-DSS: 12.8.2,12.8.4
4.216.3 Standard
In addition to regularly performed risk analysis, the organization will conduct a risk analysis when environmental or operational changes occur which significantly impact the confidentiality, integrity, or availability of specific information systems containing Non-public Information. Such changes include but are not limited to:
- Significant security incidents to specific organization information systems containing Non-public
- Significant new threats or risks to specific organization information systems containing Non-public
- Significant changes to the organizational or technical infrastructure that affect specific organization information systems containing Non-public
- Significant changes to information security requirements or responsibilities that affect specific organization information systems containing Non-public
4.217 Vulnerability Scanning
4.217.1 Standard Owner: Information Security
4.217.2 Standard References
NIST: RA-5
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA:
PCI-DSS: 6.1, 6.3, 11.2, 11.2.3, 6.3.2, 6.5, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 11.2, 11.2.1,
11.2.2
4.217.3 Standard
IT will conduct internal (at least quarterly) and external scans, and rescans annually, to include: organization Information Systems to identify potential vulnerabilities (e.g., configuration issues, missing patches) at least annually. Scans will be performed by qualified personnel.
Vulnerabilities will be assigned a rank of "High", "Medium", or "Low" using reputable outside resources. Scans will address missing software patches.
4.218 Vulnerability Scanning
4.218.1 Standard Owner: Information Security
4.218.2 Standard References
NIST: RA-5
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA:
PCI-DSS: 6.2, 11.3.3
4.218.3 Standard
Critical security vulnerabilities, as identified by review of vulnerability scans and PEN testing, will be addressed within 90 days of identification.
4.219 Vulnerability Scanning
4.219.1 Standard Owner: Information Security
4.219.2 Standard References
NIST: RA-5
GLBA: Effective
GDPR:
ISO27001: A.12.6.1*
HIPAA:
PCI-DSS: 6.2, 11.3.3,11.3.2, 11.3.4
4.219.3 Standard
Any exception on vulnerability remediation will be documented by the system administrator and approved by the Information Security Steering Committee. These exceptions will only be in the cases where the remediation would interfere with normal functionality (i.e., a service pack upgrade would break the application.) These exceptions will be revisited on a quarterly basis to make sure the reason for the exception is still valid.
4.220 Vulnerability Scanning
4.220.1 Standard Owner: Information Security
4.220.2 Standard References
NIST: RA-5
GLBA: On Hold
GDPR:
ISO27001: A.12.6.1*
HIPAA:
PCI-DSS: 6.2,6.3, 6.3.2, 6.5, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
4.220.3 Standard
Before a new system is brought online, a security scan will be performed. In addition to this security scan, any information that needs to be incorporated into DR/BCP will need to be created. Also, a backup plan for the data on the system will be created
4.221 Security Assessment and Authorization Policies and Procedures
4.221.1 Standard Owner: IT
4.221.2 Standard References
NIST: CA-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.308(a)(8)
PCI-DSS: 12.1, 12.1.1
4.221.3 Standard
The organization will:
- Develop, document, and disseminate security assessment and authorization standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.222 Penetration Testing
4.222.1 Standard Owner: IT
4.222.2 Standard References
NIST: CA-8
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 11.3, 11.3.2, 11.3.4
4.222.3 Standard
A network PEN test will be performed, at a minimum annually, on all external-facing systems. PEN tests must utilize industry-accepted standards (e.g., NIST SP800-115) and must be performed by qualified personnel.
4.223 Penetration Testing
4.223.1 Standard Owner: IT
4.223.2 Standard References
NIST: CA-8
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.223.3 Standard
An annual Physical PEN test will be performed for all datacenters. PEN tests must utilize industry-accepted standards (e.g., NIST SP800-115). The risk assessment report will place organization information systems containing non-Public Information into defined categories of risk such as:
- Highly Sensitive – areas where large amounts of non-Public Information are stored and Access to such areas requires security controls such as card keys, visitor escort, and login sheets.
- Sensitive – areas that have a high concentration of patients and/or visitors and terminals that access non-Public Information.
4.224 Penetration Testing
4.224.1 Standard Owner: IT
4.224.2 Standard References
NIST: CA-8
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 6.6, 11.3.1
4.224.3 Standard
For public-facing web applications that are storing, processing, or transmitti ng non-Public Information, an application PEN test will be performed at least annually and after any significant change. PEN tests must utilize industry-accepted standards (e.g., NIST SP800-115) and must be performed by qualified personnel.
4.225 System and Communications Protection Policy and Procedures
4.225.1 Standard Owner: IT
4.225.2 Standard References
NIST: SC-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA:
PCI-DSS: 12.1, 12.1.1
4.225.3 Standard
The organization will:
- Develop, document, and disseminate system and communications protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update these standards and associated procedures, at a minimum,
4.226 Application Partitioning
4.226.1 Standard Owner: IT
4.226.2 Standard References
NIST: SC-2
GLBA: Effective GDPR: ISO27001: -- HIPAA:
PCI-DSS:
4.226.3 Standard
Where possible, separation between user accounts and management accounts will be maintained
4.227 Application Partitioning
4.227.1 Standard Owner: IT
4.227.2 Standard References
NIST: SC-2
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.227.3 Standard
Where possible, separation between user accessible areas and management areas of a system will be maintained
4.228 Denial of Service Protection
4.228.1 Standard Owner: IT
4.228.2 Standard References
NIST: SC-5
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.228.3 Standard
Denial of Service attacks will be mitigated or eliminated. Organization firewalls shall only allow traffic which has been deemed necessary to enter the network and where possible be configured in a "default deny" security posture.
4.229 Boundary Protection
4.229.1 Standard Owner: IT
4.229.2 Standard References
NIST: SC-7
GLBA: Effective
GDPR:
ISO27001: A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.3
HIPAA:
PCI-DSS: 1.3.4, 1.3.6
4.229.3 Standard
Firewalls implemented will support anti-spoofing and stateful inspection (also known as dynamic packet filtering, which only allows “established” connections into the network) technology.
4.230 Boundary Protection
4.230.1 Standard Owner: IT
4.230.2 Standard References
NIST: SC-7
GLBA: Effective
GDPR:
ISO27001: A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.3
HIPAA:
PCI-DSS: 1.1.4, 1.2,1.2.3 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.5
4.230.3 Standard
A firewall will be located at each Internet connection; direct Internet access to any organization computing asset is prohibited. Depending on the PCI SAQ level, for cardholder data environments (CDE), a firewall will be located between any demilitarized zone (DMZ) and the internal network and only allow inbound/outbound traffic required to process credit cardholder data or provide IT support capabilities; access will be limited by specific IP addresses
4.231 Boundary Protection
4.231.1 Standard Owner: IT
4.231.2 Standard References
NIST: SC-7
GLBA: Effective
GDPR:
ISO27001: A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.3
HIPAA:
PCI-DSS: 1.2, 1.2.1, 1.3, 1.3.1, 1.3.3, 1.3.5
4.231.3 Standard
Organization firewalls will control the flow of traffic into and out of the network. A business justification must be documented to allow access from an untrusted network into a trusted network. All traffic entering the network is setup as “deny all, permit by exception”
4.232 Boundary Protection
4.232.1 Standard Owner: IT
4.232.2 Standard References
NIST: SC-7
GLBA: Effective
GDPR:
ISO27001: A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.3
HIPAA:
PCI-DSS: 1.2.3,1.3, 1.3.1,2.1.1,4.1,4.1.1,12.3
4.232.3 Standard
Only IT maintained and authorized network connections are allowed. Unless prior authorization is granted, users may not setup their own network links (such as routing via a cellular device)
4.233 Boundary Protection
4.233.1 Standard Owner: IT
4.233.2 Standard References
NIST: SC-7
GLBA: Validate
GDPR:
ISO27001: A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.3
HIPAA:
PCI-DSS: 1.1.7
4.233.3 Standard
Depending on PCI SAQ level, for PCI environments, a router and firewall review will be conducted, at a minimum, every 12 months. For non-PCI information, a router and firewall review will be conducted, at a minimum, annually.
4.234 Transmission Confidentiality and Integrity
4.234.1 Standard Owner: IT
4.234.2 Standard References
NIST: SC-8
GLBA: Validate
GDPR:
ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
PCI-DSS: 1.1.2, 1.1.3
4.234.3 Standard
A network diagram that identifies all connections between the cardholder data environment and other networks will be created and maintained. This diagram will include data flow of credit cardholder data.
4.235 Transmission Confidentiality and Integrity
4.235.1 Standard Owner: IT
4.235.2 Standard References
NIST: SC-8
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
PCI-DSS: 1.3.8
4.235.3 Standard
Private IP addresses and routing information will not be disclosed to unauthorized parties. Such techniques as Network Address Translation (NAT), proxies, removal of route advertisements, etc. will be employed
4.236 Transmission Confidentiality and Integrity
4.236.1 Standard Owner: IT
4.236.2 Standard References
NIST: SC-8
GLBA: Validate
GDPR:
ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
PCI-DSS: 1.3,1.3.3,1.3.6,1.3.7
4.236.3 Standard
Depending on the PCI SAQ level, system components that store cardholder data (such as a database or webserver) will be placed in an internal network zone, segregated from the DMZ and other untrusted networks.
4.237 Transmission Confidentiality and Integrity
4.237.1 Standard Owner: IT
4.237.2 Standard References
NIST: SC-8
GLBA: Validate
GDPR:
ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
PCI-DSS: 1.2.3, 2.1.1, 4.1, 4.1.1
4.237.3 Standard
Wireless networks are prohibited from transmitti ng credit cardholder data.
Transmission Confidentiality and Integrity
4.237.4 Standard Owner: IT
4.237.5 Standard References
NIST: SC-8
GLBA: Effective
GDPR:
ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
PCI-DSS: 2.3, 8.2.1
4.237.6 Standard
Transmission of all non-console administrative access will be encrypted.
4.238 Cryptographic Key Establishment and Management
4.238.1 Standard Owner: IT
4.238.2 Standard References
NIST: SC-12
GLBA: Effective
GDPR:
ISO27001: A.10.1.2
HIPAA: 164.312(e)(2)(ii)
PCI-DSS: 3.5, 3.5.1, 3.5.2, 3.5.3, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7,4.1
4.238.3 Standard
Cryptographic key management procedures will be developed and maintained. The organization will protect all of its cryptographic keys against modification and destruction; its secret and private keys will be protected against unauthorized disclosure. Cryptographic procedures will address, at a minimum:
- A procedure for generating keys for different cryptographic systems
- A procedure for distributing keys to intended users and then activating them
- A procedure for enabling authorized users to access stored keys
- A procedure for changing and updating keys
- A procedure for revoking keys
- A procedure for recovering keys that are lost or corrupted
- A procedure for archiving keys
- Appropriate logging and auditing of cryptographic key management
4.239 Cryptographic Key Establishment and Management
4.239.1 Standard Owner: IT
4.239.2 Standard References
NIST: SC-12
GLBA: Effective
GDPR:
ISO27001: A.10.1.2 HIPAA: 164.312(e)(2)(ii) PCI-DSS:
4.239.3 Standard
All encryption used to protect the confidentiality, integrity, and availability of non-Public Information contained on organization information systems will be approved by the organization Security Officer or security operations team.
4.240 Cryptographic Key Establishment and Management
4.240.1 Standard Owner: IT
4.240.2 Standard References
NIST: SC-12
GLBA: Effective
GDPR:
ISO27001: A.10.1.2 HIPAA: 164.312(e)(2)(ii) PCI-DSS: 4.1
4.240.3 Standard
When possible, organization cryptographic keys will have defined activation and deactivation dates
4.241 Cryptographic Protection
4.241.1 Standard Owner: IT
4.241.2 Standard References
NIST: SC-13
GLBA: Effective
GDPR:
ISO27001: A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5
HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
PCI-DSS: 2.2.3, 4.1, 8.2.1
4.241.3 Standard
Wherever possible, encrypted data paths will be used both to protect data in transmission and verify the remote hosts validity. All transmissions of authentication information and non-Public Information will be encrypted.
4.242 Cryptographic Protection
4.242.1 Standard Owner: IT
4.242.2 Standard References
NIST: SC-13
GLBA: Validate
GDPR:
ISO27001: A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5
HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
PCI-DSS: 2.2.3, 4.1
4.242.3 Standard
The organization does not use insecure protocols, where a replacement is available, is prohibited (e.g., Telnet, HTTP, FTP, NetBIOS).
4.243 Cryptographic Protection
4.243.1 Standard Owner: IT
4.243.2 Standard References
NIST: SC-13
GLBA: Effective
GDPR:
ISO27001: A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5
HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
PCI-DSS: 4.1
4.243.3 Standard
Encryption and integrity controls will always be used when sending non-Public Information outside of the organization wide area network. This includes virtual private networks, wireless transmission and dial-up connectivity
4.244 Cryptographic Protection
4.244.1 Standard Owner: IT
4.244.2 Standard References
NIST: SC-13
GLBA: Validate
GDPR:
ISO27001: A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5
HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)
PCI-DSS: 8.2.1
4.244.3 Standard
All non-Public Information stored on laptops and mobile devices will be encrypted. Storage of non-Public Information on unencrypted removable media is prohibited.
4.245 Public Key Infrastructure Certificates
4.245.1 Standard Owner: IT
4.245.2 Standard References
NIST: SC-17
GLBA: Validate
GDPR:
ISO27001: A.10.1.2
HIPAA:
PCI-DSS: 4.1
4.245.3 Standard
Certificates will be obtained via reputable vendors, such as DigiCert, Verisign, GeoTrust, etc..
4.246 Public Key Infrastructure Certificates
4.246.1 Standard Owner: IT
4.246.2 Standard References
NIST: SC-17
GLBA: Effective
GDPR:
ISO27001: A.10.1.2
HIPAA:
PCI-DSS: 4.1
4.246.3 Standard
Self-signed certificates will not be used on public facing systems.
4.247 Public Key Infrastructure Certificates
4.247.1 Standard Owner: IT
4.247.2 Standard References
NIST: SC-17
GLBA: Effective
GDPR:
ISO27001: A.10.1.2
HIPAA:
PCI-DSS: 4.1
4.247.3 Standard
For internal systems, the organization Certificate Authority is the only authority which will be recognized. Self-signed certificates will not be used on public facing systems.
4.248 Honeypots
4.248.1 Standard Owner: IT
4.248.2 Standard References
NIST: SC-26
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.248.3 Standard
4.249 Concealment and Misdirection
4.249.1 Standard Owner: IT
4.249.2 Standard References
NIST: SC-30
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 2.2.4
4.249.3 Standard
4.250 System & Information Integrity Policy & Procedures
4.250.1 Standard Owner: IT
4.250.2 Standard References
NIST: SI-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA: 164.312(c)(1)
PCI-DSS: 12.1, 12.1.1
4.250.3 Standard
The organization will:
- Develop, document, and disseminate system and information integrity standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review and update this policy and associated procedures, at a minimum,
4.251 Flaw Remediation
4.251.1 Standard Owner: IT
4.251.2 Standard References
NIST: SI-2
GLBA: Effective
GDPR:
ISO27001: A.12.6.1, A.14.2.2, A.14.2.3, A.16.1.3
HIPAA:
PCI-DSS: 6.2
4.251.3 Standard
Critical security vulnerabilities, as identified by review of vulnerability scans, will be addressed within 90 days of identification.
4.252 Malicious Code Protection
4.252.1 Standard Owner: IT
4.252.2 Standard References
NIST: SI-3
GLBA: Effective
GDPR:
ISO27001: A.12.2.1
HIPAA:
PCI-DSS: 6.3, 6.5, 8.7, 9.5, 11.4, 11.5, 11.5.1, 12.3.10
4.252.3 Standard
The development of applications and databases used to store, process, or transmit credit cardholder data are prohibited. Only applications from authorized service providers are permitted. The organization will not be storing credit cardholder data on servers.
4.253 Malicious Code Protection
4.253.1 Standard Owner: IT
4.253.2 Standard References
NIST: SI-3
GLBA: Effective
GDPR:
ISO27001: A.12.2.1
HIPAA:
PCI-DSS: 5.1, 5.1.1, 5.1.2, 5.2, 5.3, 5.4
4.253.3 Standard
IT approved anti-virus software will be installed on all workstations and servers to prevent transmission of malicious software. Such software will be:
- Kept current, both the scanning engines and virus signature files
- Perform periodic scans
- Generate audit logs which will be retained
4.254 Malicious Code Protection
4.254.1 Standard Owner: IT
4.254.2 Standard References
NIST: SI-3
GLBA: Effective
GDPR:
ISO27001: A.12.2.1
HIPAA: 164.308(a)(5)(ii)(B)
PCI-DSS: 5.1, 5.1.1, 5.1.2, 5.2, 5.3, 5.4
4.254.3 Standard
IT approved anti-malware software will be installed on all workstations and servers to prevent transmission of malicious software.
4.255 Information System Monitoring
4.255.1 Standard Owner: IT
4.255.2 Standard References
NIST: SI-4
GLBA: Draft
GDPR:
ISO27001: --
HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B)
PCI-DSS: 10.6
4.255.3 Standard
Logs that have been collected by the central logging server will be notated for review; any events noted will be escalated, as appropriate, to the Incident Response Team.
4.256 Security Function Verification
4.256.1 Standard Owner: IT
4.256.2 Standard References
NIST: SI-6
GLBA: Effective GDPR: ISO27001: -- HIPAA:
PCI-DSS:
4.256.3 Standard
Regular tests of security controls will be executed to verify they are running as expected. This includes verifying firewall rules are blocking traffic, network policies are restricting traffic as designed, etc.
4.257 Software, Firmware, and Information Integrity
4.257.1 Standard Owner: IT
4.257.2 Standard References
NIST: SI-7
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
PCI-DSS:
4.257.3 Standard
Servers which house non-Public Information will employ automated software to verify system software does not change without administrator knowledge. Tripwire, AIDE, and other tools are examples of how to accomplish this.
4.258 Spam Protection
4.258.1 Standard Owner: IT
4.258.2 Standard References
NIST: SI-8
GLBA: Effective
GDPR:
ISO27001: --
HIPAA: 164.308(a)(5)(ii)(B)
PCI-DSS:
4.258.3 Standard
Spam protection will be maintained by IT and all inbound e-mail will flow through these central gateways
4.259 Information Input Validation
4.259.1 Standard Owner: IT
4.259.2 Standard References
NIST: SI-10
GLBA: On Hold
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.259.3 Standard
Wherever possible, data will be checked for validity against rules for the given input field. Data will also be sanitized to prevent an input string being interpreted as commands (SQL injection, etc.)
4.260 Error Handling
4.260.1 Standard Owner: IT
4.260.2 Standard References
NIST: SI-11
GLBA: Effective
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.260.3 Standard
Error messages will be specific enough to allow support without logging sensitive information (i.e., Password failures will not log the attempted password)
4.261 System and Services Acquisition Policy and Procedures
4.261.1 Standard Owner: Finance
4.261.2 Standard References
NIST: SA-1
GLBA: Effective
GDPR:
ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2
HIPAA:
PCI-DSS: 12.1, 12.1.1
4.261.3 Standard
The organization will:
- Develop, document, and disseminate system and services acquisition standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
- Develop procedures to facilitate the implementation of these
- Review of Standards will be on an annual cadence
- Review and update the associated procedures will be done as changes occur, and on an annual
4.262 Allocation of Resources
4.262.1 Standard Owner: Information Security
4.262.2 Standard References
NIST: SA-2
GLBA: Draft
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.262.3 Standard
The CSO will determine information security requirements for information systems or information system services for projects that are submitted during the budget planning process.
4.263 Acquisition Process
4.263.1 Standard Owner: Finance
4.263.2 Standard References
NIST: SA-4
GLBA: Effective
GDPR:
ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2
HIPAA: 164.314(a)(2)(i)
PCI-DSS: 9.5.1, 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.8, 12.8.3, 12.8.4
4.263.3 Standard
A vendor risk assessment will be performed for all service providers who will have access to the organization’s Non-Public Information or provide a business critical service(s). This review will be conducted:
- Before the execution of a contract agreement
- Risk based assessment based upon data classification. Annually or whenever there is a significant security incident or a change to a service being
4.264 Acquisition Process
4.264.1 Standard Owner: Compliance | Finance
4.264.2 Standard References
NIST: SA-4
GLBA: Draft
GDPR:
ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2
HIPAA: 164.314(a)(2)(i)
PCI-DSS: 12.8, 12.8.2,12.8.3,12.8.4
4.264.3 Standard
If service provider has access to organization information or assets, service provider agreements will:
- Contain non-disclosure agreements approved by the company
- A Data Security Addendum (DSA) if business arrangement meets any of the following criteria:
- If accessing, storing, or processing Non-Public Information
- If providing a business critical service involving electronic information
- If providing data center processing facilities
- For service providers providing network services - security features, and service levels, management requirements will be identified and included, whether the services are provided in-house or
4.265 Acquisition Process
4.265.1 Standard Owner: Finance
4.265.2 Standard References
NIST: SA-4
GLBA: Validate
GDPR:
ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2
HIPAA: 164.314(a)(2)(i)
PCI-DSS: 9.5.1,12.8.2,12.8.4
4.265.3 Standard
If a third party has access to payment card information subject to the Payment Card Industry Data Security Standard (PCI-DSS), the third party will validate and attest to its PCI compliance
4.266 Acquisition Process
4.266.1 Standard Owner: Finance
4.266.2 Standard References
NIST: SA-4
GLBA: Effective
GDPR:
ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2
HIPAA: 164.314(a)(2)(i)
PCI-DSS: 7.2.1, 12.8.1, 12.8.4, 12.8.5
4.266.3 Standard
The organization will maintain an inventory of critical service providers and associated accessed information:
- All written agreements with service providers
- Risk assessments performed
- Associated incident response plans
4.267 Acquisition Process
4.267.1 Standard Owner: Finance
4.267.2 Standard References
NIST: SA-4
GLBA: On Hold
GDPR:
ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2
HIPAA: 164.314(a)(2)(i)
PCI-DSS: 12.8
4.267.3 Standard
Service providers or business associates will be informed of changes to organization security standards and procedures on a regular basis.
4.268 Acquisition Process
4.268.1 Standard Owner: Finance
4.268.2 Standard References
NIST: SA-4
GLBA: Draft
GDPR:
ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2
HIPAA: 164.314(a)(2)(i)
PCI-DSS: 12.8
4.268.3 Standard
It is the responsibility of each organization employee who authorizes the services of a service provider to ensure standards, procedure, and contractual compliance.
4.269 External Information System Services
4.269.1 Standard Owner: Finance
4.269.2 Standard References
NIST: SA-9
GLBA: Effective
GDPR:
ISO27001: A.6.1.1, A.6.1.5, A.7.2.1, A.13.1.2, A.13.2.2, A.15.2.1, A.15.2.2
HIPAA: 164.308(b)(1), 164.308(b)(4), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)
PCI-DSS:
4.269.3 Standard
All contract arrangements with service providers must comply with organizational information security requirements, federal and State laws, regulations, standards and guidelines.
4.270 Developer Configuration Management
4.270.1 Standard Owner: Information Technology
4.270.2 Standard References
NIST: SA-10
GLBA: Effective
GDPR:
ISO27001: A.12.1.2, A.14.2.2, A.14.2.4, A.14.2.7
HIPAA:
PCI-DSS:
4.270.3 Standard
All developers, including vendors, who develop information systems, system components, or information system services must perform configuration management to manage the integrity of the configuration.
4.271 Developer Security Testing and Evaluation
4.271.1 Standard Owner: Information Technology
4.271.2 Standard References
NIST: SA-11
GLBA: Effective
GDPR:
ISO27001: A.14.2.7, A.14.2.8
HIPAA:
PCI-DSS:
4.271.3 Standard
All developers, including vendors, who develop information systems, system components, or information system services must create a security assessment plan that includes testing and evaluation.
4.272 Developer-Provided Training
4.272.1 Standard Owner: Information Technology
4.272.2 Standard References
NIST: SA-16
GLBA: Validate
GDPR:
ISO27001: --
HIPAA:
PCI-DSS:
4.272.3 Standard
All developers of the information systems, system component, or information system service must completed training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
4.273 Tamper Resistance and Detection
4.273.1 Standard Owner: Finance
4.273.2 Standard References
NIST: SA-18
GLBA: Validate
GDPR:
ISO27001: --
HIPAA:
PCI-DSS: 9.9, 9.9.2
4.273.3 Standard
Devices that capture credit cardholder data will be inspected on a periodic basis to ensure they have not been compromised or tampered with.
4.274 Privacy Policy and Procedures
4.274.1 Standard Owner: Legal
4.274.2 Standard References
NIST: PT-1
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.274.3 Standard
The organization will:
- Develop, document, and disseminate a personally identifiable information processing and transparency policy that:
- Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- Develop, document, and disseminate Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency
4.275 Privacy Policy and Procedures
4.275.1 Standard Owner: Legal
4.275.2 Standard References
NIST: PT-1
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.275.3 Standard
The [Role] will manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures. Additionally, the [Role] will
review and update the current personally identifiable information processing and transparency polic and procedures.
4.276 Authority to Process Personally Identifiable Information
4.276.1 Standard Owner: Legal
4.276.2 Standard References
NIST: PT-2
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.276.3 Standard
The [Role(s)] are the only individual(s) permited to process personally identifiable information.
4.277 Authority to Process Personally Identifiable Information
4.277.1 Standard Owner: Legal
4.277.2 Standard References
NIST: PT-2
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.277.3 Standard
4.278 Authority to Process Personally Identifiable Information - Data Tagging
4.278.1 Standard Owner: Legal
4.278.2 Standard References
NIST: PT-2
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.278.3 Standard
4.279 Authority to Process Personally Identifiable Information - Automation
4.279.1 Standard Owner: Legal
4.279.2 Standard References
NIST: PT-2
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.279.3 Standard
The organization will enforce the authorized processing of personally identifiable information using a [automated mechanisms].
4.280 Personally Identifiable Information Processing Purposes
4.280.1 Standard Owner: Legal
4.280.2 Standard References
NIST: PT-3
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.280.3 Standard
The organization will identify and document the business purpose for processing personally identifiable information.
4.281 Personally Identifiable Information Processing Purposes
4.281.1 Standard Owner: Legal
4.281.2 Standard References
NIST: PT-3
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.281.3 Standard
Business justifications will be described in the public privacy notices and policies of the organization.
4.282 Personally Identifiable Information Processing Purposes
4.282.1 Standard Owner: Legal
4.282.2 Standard References
NIST: PT-3
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.282.3 Standard
The processing of personally identifiable information is restricted to only that which is compatible with the identified purpose(s).
4.283 Personally Identifiable Information Processing Purposes
4.283.1 Standard Owner: Legal
4.283.2 Standard References
NIST: PT-3
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.283.3 Standard
All changes in processing personally identifiable information will be monitored to ensure that they are made in accordance with organization requirements.
4.284 Personally Identifiable Information Processing Purposes - Data Tagging
4.284.1 Standard Owner: Legal
4.284.2 Standard References
NIST: PT-3 GLBA: GDPR: ISO27001: HIPAA: PCI-DSS:
4.284.3 Standard
4.285 Personally Identifiable Information Processing Purposes - Automation
4.285.1 Standard Owner: Legal
4.285.2 Standard References
NIST: PT-3
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.285.3 Standard
[Automated mechanisms] will track processing purposes of personally identifiable information.
4.286 Consent
4.286.1 Standard Owner: Legal
4.286.2 Standard References
NIST: PT-4
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.286.3 Standard
A [tool or mechanism] will be implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.
4.287 Consent - Tailored Consent
4.287.1 Standard Owner: Legal
4.287.2 Standard References
NIST: PT-4
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.287.3 Standard
A [mechanisms] will be privded to allow individuals to tailor processing permissions to selected elements of personally identifiable information.
4.288 Consent - Just in Time Consent
4.288.1 Standard Owner: Legal
4.288.2 Standard References
NIST: PT-4
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.288.3 Standard
Provide method for individuals to consent [defined frequency] and in conjunction with personally identifiable information processing.
4.289 Consent - Revocation
4.289.1 Standard Owner: Legal
4.289.2 Standard References
NIST: PT-4
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.289.3 Standard
Individuals are provided a method to revoke consent to the processing of their personally identifiable information.
4.290 Privacy Notice
4.290.1 Standard Owner: Legal
4.290.2 Standard References
NIST: PT-5
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.290.3 Standard
Notice is provided to individuals about the processing of personally identifiable information that:
- Is available to individuals upon first interacting with an organization, and subsequently at [defined frequency];
- Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;
- Identifies the authority that authorizes the processing of personally identifiable information; and
- Identifies the purposes for which personally identifiable information is to be
4.291 Privacy Notice - Just in Time Notice
4.291.1 Standard Owner: Legal
4.291.2 Standard References
NIST: PT-5
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.291.3 Standard
Notice of personally identifiable information processing will be presented to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or [defined frequency].
4.292 Privacy Notice - Privacy Act Statements
4.292.1 Standard Owner: Legal
4.292.2 Standard References
NIST: PT-5
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.292.3 Standard
Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.
4.293 System of Records Notice
4.293.1 Standard Owner: Legal
4.293.2 Standard References
NIST: PT-6
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.293.3 Standard
Systems that process information that will be maintained in a Privacy Act system of records:
- Will draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;
- Will publish system of records notices in the Federal Register; and
- Keep system of records notices accurate, up-to-date, and scoped in accordance with
4.294 System of Records Notice - Routine Uses
4.294.1 Standard Owner: Legal
4.294.2 Standard References
NIST: PT-6
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.294.3 Standard
All routine uses published in the system of records notice will be reviewed at [defined frequency] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.
4.295 System of Records Notice - Exception Rules
4.295.1 Standard Owner: Legal
4.295.2 Standard References
NIST: PT-6
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.295.3 Standard
All Privacy Act exemptions claimed for the system of records will be reviewed at [defined frequency] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.
4.296 Specific Categories of Personally Identifiable Information
4.296.1 Standard Owner: Legal
4.296.2 Standard References
NIST: PT-7
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.296.3 Standard
The organization will apply [processing conditions] for specific categories of personally identifiable information.
4.297 Specific Categories of Personally Identifiable Information - SSN
4.297.1 Standard Owner: Legal
4.297.2 Standard References
NIST: PT-7
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.297.3 Standard
When processing Social Security numbers the system will:
- Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;
- Not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and
- Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of
4.298 Specific Categories of Personally Identifiable Information - First Amendment Information
4.298.1 Standard Owner: Legal
4.298.2 Standard References
NIST: PT-7
GLBA:
GDPR:
ISO27001:
HIPAA:
PCI-DSS:
4.298.3 Standard
The processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity is prohibited.
4.299 Computer Matching Requirements
4.299.1 Standard Owner: Legal
4.299.2 Standard References
NIST: PT-8 GLBA: GDPR: ISO27001: HIPAA: PCI-DSS:
4.299.3 Standard
When processing information for the purpose of conducting a matching program, the organization will:
- Obtain approval from the Data Integrity Board to conduct the matching program;
- Develop and enter into a computer matching agreement;
- Publish a matching notice in the Federal Register;
- Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and
- Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.
4.300 Information Protection Program
4.300.1 Standard Owner: InfoSec
4.300.2 Standard References
NIST: PM-1 PM-2 PM-3 PM-4 PM-6 PM-9 PM-13
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(1)(ii)(A) § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.316(b)(1) § 164.316(b)(2)(iii)
PCI-DSS:
4.300.3 Standard
The organization has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed.
4.301 Written, managed, monitored, and improved
4.301.1 Standard Owner: InfoSec
4.301.2 Standard References
NIST: PM-1 PM-2 PM-3 PM-4 PM-6 PM-9 PM-13
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(1)(ii)(A) § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.316(b)(1) § 164.316(b)(2)(iii)
PCI-DSS:
4.301.3 Standard
The information protection program is formally documented (with written policy & procedures) and actively monitored, reviewed and updated to ensure program objectives continue to be met.
4.302 Assigned security team
4.302.1 Standard Owner: InfoSec
4.302.2 Standard References
NIST: AT-3 PL-4 PM-13 PM-14 PM-15 PM-2 PS-7
GLBA: GDPR: ISO27001:
HIPAA: § 164.308(a)(3)(ii)(A) § 164.308(a)(4)(ii)(B) § 164.308(b)(1) § 164.314(a)(1) § 164.314(a)(2)(i) § 164.314(a)(2)(ii)
PCI-DSS: 12.3 12.3.5
4.302.3 Standard
An individual or dedicated team is assigned to manage the information security of the organization.
4.303 Information Security Officer
4.303.1 Standard Owner: InfoSec
- Standard References NIST: AT-3 IR-2 PM-10 PM-2 SA-3 GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(2) § 164.308(a)(5)(i)
PCI-DSS: 12.4 12.5 12.5.1 12.5.2 12.5.3 12.5.4 12.5.5
4.303.3 Standard
The organization's senior-level information security official (ISO) coordinates, develops, implements, and maintains an organization-wide information security program, and assigns specific roles and responsibilities, which are coordinated and aligned with internal and external partners.
4.304 Assigned Security Roles
4.304.1 Standard Owner: InfoSec
4.304.2 Standard References
NIST: PL-4 PS-1 PS-2
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(3)(i) § 164.308(a)(3)(ii)(A) § 164.308(a)(3)(ii)(B) § 164.308(a)(3)(ii)(C)
PCI-DSS: 12.4.1
4.304.3 Standard
User security roles and responsibilities are clearly defined and communicated.
4.305 Security objectives, metrics, and measurement
4.305.1 Standard Owner: InfoSec
4.305.2 Standard References
NIST: AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 PE-1 PL-1 PM-1 PS-1 RA-1 SA-1 SC-1 SI-1
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.414(a) § 164.530(i) § 164.312(c)(1) § 164.316(a) § 164.316(b)(2)(i) § 164.316(b)(2)(ii)
PCI-DSS: 1.5 10.9 11.6 12.3 2.5 3.7 4.3 5.4 6.7 7.3 8.8 9.10
4.305.3 Standard
Information security objectives, approach, scope, importance, goals and principles for the organizations security program are formally identified, communicated throughout the organization to users in a form that is relevant, accessible and
understandable to the intended reader, and supported by a controls framework that considers legislative, regulatory, contractual requirements and other policy-related requirements.
4.306 Capital planning for security
4.306.1 Standard Owner: InfoSec
4.306.2 Standard References
NIST: AC-1 AR-1 AT-1 AU-1 CA-1 CA-2 CA-2(1) CM-1 CP-1 IA-1 IR-1 MA-1 PE-1 PL-1 PM-1 PM-2 PM-3 PM-9 PM-13 PS-1 RA-1 SA-1 SC-1 SI-1
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(2) § 164.308(a)(8) § 164.316(a)
PCI-DSS: 12.4.1 12.5 12.5.1
4.306.3 Standard
Capital planning and investment requests include the resources needed to implement the security program, employ a business case, and the organization ensures the resources are available for expenditure as planned.
4.307 Discrete security budget
4.307.1 Standard Owner: InfoSec
4.307.2 Standard References
NIST: IR-4 PL-2 Pl-2(3) PM-1 PM-3 SA-2
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.310(a)(2)(ii) § 164.316(a) § 164.316(b)(1) § 164.316(b)(2)(iii)
PCI-DSS: 12.5.2
4.307.3 Standard
Security requirements for information systems and information services are identified in mission/business processes and resources-allocated as part of the capital planning and investment control processes in a discrete budget line item.
4.308 Security planning
4.308.1 Standard Owner: InfoSec
4.308.2 Standard References
NIST: IR-4 PL-2 Pl-2(3) PM-1 PM-3 SA-2
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.310(a)(2)(ii) § 164.316(a) § 164.316(b)(1) § 164.316(b)(2)(iii)
PCI-DSS: 12.5.2
4.308.3 Standard
Security plans that meet applicable federal or leading practice requirements are developed for information systems, periodically reviewed, and communicated to relevant stakeholders.
4.309 Security communication
4.309.1 Standard Owner: InfoSec
4.309.2 Standard References
NIST: IR-4 PL-2 Pl-2(3) PM-1 PM-3 SA-2
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.310(a)(2)(ii) § 164.316(a) § 164.316(b)(1) § 164.316(b)(2)(iii)
PCI-DSS: 12.5.2
4.309.3 Standard
The organization employs an information sharing mechanism to communicate security information, nonconformities, and lessons learned to Information Security Steering Committee (ISSC).
4.310 Reporting to the board
4.310.1 Standard Owner: InfoSec
4.310.2 Standard References
NIST: AC-1 AR-1 AT-1 AU-1 CA-1 CA-2 CA-2(1) CM-1 CP-1 IA-1 IR-1 MA-1 PE-1 PL-1 PM-1 PM-2 PM-3 PM-9 PM-13 PS-1 RA-1 SA-1 SC-1 SI-1
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(2) § 164.308(a)(8) § 164.316(a)
PCI-DSS: 12.4.1 12.5 12.5.1
4.310.3 Standard
The ISO of the organization reports in writing on the organization's cybersecurity program and material cybersecurity risks at least annually to the organizations board of directors, equivalent governing body, or suitable committee.
4.311 Independent Audits
4.311.1 Standard Owner: InfoSec
4.311.2 Standard References
NIST: PM-1 PM-2 PM-3 PM-4 PM-6 PM-9 PM-13
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(1)(ii)(A) § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.316(b)(1) § 164.316(b)(2)(iii)
PCI-DSS:
4.311.3 Standard
Independent audits are conducted at least annually to determine whether the information protection program is approved by executive management, communicated to stakeholders, adequately resourced, conforms to relevant legislation or regulations and other business requirements, and adjusted as needed to ensure the program continues to meet defined objectives.
4.312 Security program oversight
4.312.1 Standard Owner: InfoSec
4.312.2 Standard References
NIST: AC-1 AR-1 AT-1 AU-1 CA-1 CA-2 CA-2(1) CM-1 CP-1 IA-1 IR-1 MA-1 PE-1 PL-1 PM-1 PM-2 PM-3 PM-9 PM-13 PS-1 RA-1 SA-1 SC-1 SI-1
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(2) § 164.308(a)(8) § 164.316(a)
PCI-DSS: 12.4.1 12.5 12.5.1
4.312.3 Standard
Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight, establish and communicate the organization's priorities for organizational mission, objectives, and activities, review and update of the organization's security plan, ensure compliance with the security plan by the workforce, and to evaluate and accept security risks on behalf of the organization.
4.313 Specification of security controls is auditable
4.313.1 Standard Owner: InfoSec
4.313.2 Standard References
NIST: PM-1 PM-2 PM-3 PM-4 PM-6 PM-9 PM-13
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(1)(ii)(A) § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.316(b)(1) § 164.316(b)(2)(iii)
PCI-DSS:
4.313.3 Standard
The organization provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection statements of such controls either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended.
4.314 Security Assurance Testing
4.314.1 Standard Owner: InfoSec
4.314.2 Standard References
NIST: AT-3 PL-4 PM-13 PM-14 PM-15 PM-2 PS-7
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(3)(ii)(A) § 164.308(a)(4)(ii)(B) § 164.308(b)(1) § 164.314(a)(1) § 164.314(a)(2)(i) § 164.314(a)(2)(ii)
PCI-DSS: 12.3 12.3.5
4.314.3 Standard
The organization ensures plans for security testing, training and monitoring activities are developed, implemented, maintained and reviewed for consistency with the risk management strategy and response priorities.
4.315 Independent Audits
4.315.1 Standard Owner: InfoSec
- Standard References NIST: AR-4 CA-2 CA-2(1) CA-7 CA-7(1) GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(1)(ii)(D) § 164.308(a)(8)
PCI-DSS:
4.315.3 Standard
An independent review of the organization's information security management program is initiated by ISSC to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security.
4.316 Risk assessment
4.316.1 Standard Owner: InfoSec
4.316.2 Standard References
NIST: AC-1 AR-1 AT-1 AU-1 CA-1 CA-2 CA-2(1) CM-1 CP-1 IA-1 IR-1 MA-1 PE-1 PL-1 PM-1 PM-2 PM-3 PM-9 PM-13 PS-1 RA-1 SA-1 SC-1 SI-1
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(i) § 164.308(a)(2) § 164.308(a)(8) § 164.316(a)
PCI-DSS: 12.4.1 12.5 12.5.1
4.316.3 Standard
The organization's information protection and risk management programs, including the risk assessment process, are formally approved and are reviewed for effectiveness and updated annually.
4.317 Cross-organizational planning
4.317.1 Standard Owner: InfoSec
4.317.2 Standard References
NIST: IR-4 PL-2 Pl-2(3) PM-1 PM-3 SA-2
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.310(a)(2)(ii) § 164.316(a) § 164.316(b)(1) § 164.316(b)(2)(iii)
PCI-DSS: 12.5.2
4.317.3 Standard
Security activities (e.g., implementing controls, correcting nonconformities) are coordinated in advance and communicated across the entire organization.
4.318 Formal sanctions for security violations
4.318.1 Standard Owner: InfoSec
4.318.2 Standard References
NIST: IR-5 PS-8
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.414(a) § 164.530(e) § 164.530(e)(1) § 164.530(e)(2) § 164.308(a)(1)(ii)(C)
PCI-DSS:
4.318.3 Standard
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures and notifies defined personnel (e.g., supervisors) when a formal sanction process is initiated, identifying the individual sanctioned and the reason for the sanction. Further, the organization includes specific procedures for license, registration, and certification denial or revocation and other disciplinary action.
4.319 Policy communication for non-employees
4.319.1 Standard Owner: InfoSec
4.319.2 Standard References
NIST: AT-3 PL-4 PM-13 PM-14 PM-15 PM-2 PS-7
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(a)(3)(ii)(A) § 164.308(a)(4)(ii)(B) § 164.308(b)(1) § 164.314(a)(1) § 164.314(a)(2)(i) § 164.314(a)(2)(ii)
PCI-DSS: 12.3 12.3.5
4.319.3 Standard
Non-employees are provided the organization's data privacy and security policy requirements prior to accessing system resources and data.
4.320 Business associate agreements
4.320.1 Standard Owner: InfoSec
4.320.2 Standard References
NIST:
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(b)(1) § 164.314(a)(1)
PCI-DSS:
4.320.3 Standard
A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
4.321 Written business associate agreements
4.321.1 Standard Owner: InfoSec
4.321.2 Standard References
NIST:
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(b)(3) § 164.314(a)(2)(i)(A)
PCI-DSS:
4.321.3 Standard
Business associate agreements must be documented with a written contract.
4.322 Subcontractors of business associates
4.322.1 Standard Owner: InfoSec
4.322.2 Standard References
NIST:
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.308(b)(1) § 164.314(a)(2)(i)(B) § 164.314(a)(2)(iii)
PCI-DSS:
4.322.3 Standard
The organization will require that business associates enter into and maintain business associate agreements with all of their subcontractors, in accordance with § 164.314(a).
4.323 Breach notification
4.323.1 Standard Owner: InfoSec
4.323.2 Standard References
NIST:
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.314(a)(2)(i)(C)
PCI-DSS:
4.323.3 Standard
A business associate must report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.
4.324 Data Privacy Officer
4.324.1 Standard Owner: Legal
4.324.2 Standard References
NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12
GLBA:
GDPR: Article 27(1) Article 27(2) Article 27(3) Article 27(4) Article 27(5) Article 37(1) Article 37(2) Article 37(3) Article 37(4)
Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)
ISO27001:
HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)
PCI-DSS: 3.1 3.4 3.4.1
4.324.3 Standard
The organization has formally appointed a qualified data protection officer, reporting to senior management, and who is directly and fully responsible for the privacy of covered information.
4.325 Customer Consent
4.325.1 Standard Owner: Legal
4.325.2 Standard References
NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12
GLBA:
GDPR: Article 27(1) Article 27(2) Article 27(3) Article 27(4) Article 27(5) Article 37(1) Article 37(2) Article 37(3) Article 37(4)
Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)
ISO27001:
HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)
PCI-DSS: 3.1 3.4 3.4.1
4.325.3 Standard
When required, consent is obtained before any PII (e.g. about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization.
4.326 Data classification, authorization to process, and retention
4.326.1 Standard Owner: Legal
4.326.2 Standard References
NIST: AU-11 AU-9 DM-2 DM-2(1) RA-2 SI-12
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.414(a) § 160.103 § 164.502(f) § 164.520(e) § 164.522(a)(3) § 164.524(e) § 164.528(d) § 164.530(j) § 164.530(j)(2)
PCI-DSS: 3.1
4.326.3 Standard
The organization documents and maintains records (PII) that are subject to access by individuals and the titles of the persons or office responsible for receiving and processing requests for access by individuals as organizational records for a period of six (6) years.
4.327 Data Retention for accountings of disclosure
4.327.1 Standard Owner: Legal
4.327.2 Standard References
NIST: AU-11 AU-9 DM-2 DM-2(1) RA-2 SI-12
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.414(a) § 160.103 § 164.502(f) § 164.520(e) § 164.522(a)(3) § 164.524(e) § 164.528(d) § 164.530(j) § 164.530(j)(2)
PCI-DSS: 3.1
4.327.3 Standard
The organization documents and maintains accountings of disclosure as organizational records for a period of six (6) years, including the information required for disclosure, the written accounting provided to the individual, and the titles of the persons or offices responsible for receiving and processing requests for an accounting.
4.328 Protection during transfer
4.328.1 Standard Owner: Legal
4.328.2 Standard References
NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12
GLBA:
GDPR: Article 27(1) Article 27(2) Article 27(3) Article 27(4) Article 27(5) Article 37(1) Article 37(2) Article 37(3) Article 37(4)
Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)
ISO27001:
HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)
PCI-DSS: 3.1 3.4 3.4.1
4.328.3 Standard
Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information.
4.329 Encryption of Data-at-rest
4.329.1 Standard Owner: Legal
4.329.2 Standard References
NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12
GLBA:
GDPR: Article 27(1) Article 27(2) Article 27(3) Article 27(4) Article 27(5) Article 37(1) Article 37(2) Article 37(3) Article 37(4)
Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)
ISO27001:
HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)
PCI-DSS: 3.1 3.4 3.4.1
4.329.3 Standard
The confidentiality and integrity of covered information at rest is protected using an encryption method appropriate to the medium where it is stored; where the organization chooses not to encrypt covered information, a documented rationale
for not doing so is maintained or alternative compensating controls are used if the method is approved and reviewed annually by the CISO.
4.330 Data Retention
4.330.1 Standard Owner: Legal
4.330.2 Standard References
NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12
GLBA:
GDPR: Article 27(1) Article 27(2) Article 27(3) Article 27(4) Article 27(5) Article 37(1) Article 37(2) Article 37(3) Article 37(4)
Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)
ISO27001:
HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)
PCI-DSS: 3.1 3.4 3.4.1
4.330.3 Standard
Covered information is retained only for as long as required.
4.331 Data retention for policies & ePHI
4.331.1 Standard Owner: Legal
4.331.2 Standard References
NIST: AU-11 AU-9 DM-2 DM-2(1) RA-2 SI-12
GLBA:
GDPR:
ISO27001:
HIPAA: § 164.414(a) § 160.103 § 160.203 § 164.502(f) § 164.520(e) § 164.522(a)(3) § 164.524(e) § 164.528(d) § 164.530(j)
- 164.530(j)(2)
PCI-DSS: 3.1
4.331.3 Standard
The organization's formal policies and procedures, other critical records and disclosures of individuals' protected health information made are retained for a minimum of six (6) years.
5 Revision History
Revision |
Date |
Initiator |
Nature of Change |
1 |
1/27/2023 |
B. Huntley |
Initial Draft - Information Security Standards |
2 | 4/24/2023 | L. Perry | Presidential approval |