ACME Business Consulting, LLC - ComplianceForge


DIGITAL SECURITY PROGRAM (DSP)
ACME Business Consulting, LLC

IT IS PROHIBITED TO DISCLOSE THIS DOCUMENT TO THIRD‐PARTIES WITHOUT AN EXECUTED NON‐DISCLOSURE AGREEMENT (NDA)

TABLE OF CONTENTS

NOTICE – REFERENCED FRAMEWORKS & SUPPORTING PRACTICES

DIGITAL SECURITY PROGRAM (DSP) OVERVIEW
  INTRODUCTION
  PURPOSE
  SCOPE & APPLICABILITY
  POLICY OVERVIEW
  VIOLATIONS OF POLICIES, STANDARDS AND/OR PROCEDURES
  EXCEPTION TO STANDARDS
  UPDATES TO POLICIES & STANDARDS
  KEY TERMINOLOGY

INFORMATION SECURITY PROGRAM STRUCTURE
  MANAGEMENT DIRECTION FOR INFORMATION SECURITY
  POLICIES, STANDARDS, PROCEDURES & GUIDELINES STRUCTURE

SECURITY & PRIVACY GOVERNANCE (GOV)
  GOV‐01: DIGITAL SECURITY GOVERNANCE PROGRAM
  GOV‐02: PUBLISHING SECURITY & PRIVACY POLICIES
  GOV‐03: PERIODIC REVIEW & UPDATE OF SECURITY & PRIVACY DOCUMENTATION
  GOV‐04: ASSIGNED SECURITY & PRIVACY RESPONSIBILITIES
  GOV‐05: MEASURES OF PERFORMANCE
    GOV‐05(A): MEASURES OF PERFORMANCE – KEY PERFORMANCE INDICATORS (KPIS)
    GOV‐05(B): MEASURES OF PERFORMANCE – KEY RISK INDICATORS (KRIS)
  GOV‐06: CONTACTS WITH AUTHORITIES
  GOV‐07: CONTACTS WITH SECURITY GROUPS & ASSOCIATIONS
  GOV‐08: DEFINED BUSINESS CONTEXT & MISSION
  GOV‐09: DEFINED CONTROL OBJECTIVES

ASSET MANAGEMENT (AST)
  AST‐01: ASSET GOVERNANCE
    AST‐01(A): ASSET GOVERNANCE – ASSET‐SERVICE DEPENDENCIES
    AST‐01(B): ASSET GOVERNANCE – STAKEHOLDER IDENTIFICATION & INVOLVEMENT
  AST‐02: ASSET INVENTORIES
    AST‐02(A): ASSET INVENTORIES – UPDATES DURING INSTALLATIONS / REMOVALS
    AST‐02(B): ASSET INVENTORIES – AUTOMATED UNAUTHORIZED COMPONENT DETECTION
    AST‐02(C): ASSET INVENTORIES – COMPONENT DUPLICATION AVOIDANCE
    AST‐02(D): ASSET INVENTORIES – APPROVED DEVIATIONS
    AST‐02(E): ASSET INVENTORIES – NETWORK ACCESS CONTROL (NAC)
    AST‐02(F): ASSET INVENTORIES – DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) SERVER LOGGING
    AST‐02(G): ASSET INVENTORIES – SOFTWARE LICENSING RESTRICTIONS
    AST‐02(H): ASSET INVENTORIES – DATA ACTION MAPPING
    AST‐02(I): ASSET INVENTORIES – CONFIGURATION MANAGEMENT DATABASE (CMDB)
  AST‐03: ASSIGNING OWNERSHIP OF ASSETS
    AST‐03(A): ASSIGNING OWNERSHIP OF ASSETS – ACCOUNTABILITY INFORMATION
  AST‐04: NETWORK DIAGRAMS & DATA FLOW DIAGRAMS (DFDS)
  AST‐05: SECURITY OF ASSETS & MEDIA
  AST‐06: UNATTENDED END‐USER EQUIPMENT
    AST‐06(A): UNATTENDED END‐USER EQUIPMENT – ASSET STORAGE IN AUTOMOBILES
  AST‐07: KIOSKS & POINT OF SALE (POS) DEVICES
  AST‐08: TAMPER PROTECTION & DETECTION
  AST‐09: SECURE DISPOSAL OR RE‐USE OF EQUIPMENT
  AST‐10: RETURN OF ASSETS
  AST‐11: REMOVAL OF ASSETS
  AST‐12: USE OF PERSONAL DEVICES
  AST‐13: USE OF THIRD‐PARTY DEVICES
  AST‐14: USAGE PARAMETERS
  AST‐15: TAMPER PROTECTION
    AST‐15(A): TAMPER PROTECTION – INSPECTION OF SYSTEMS, COMPONENTS & DEVICES
  AST‐16: BRING YOUR OWN DEVICE (BYOD)

BUSINESS CONTINUITY & DISASTER RECOVERY (BCD)
  BCD‐01: BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS)
    BCD‐01(A): BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) – COORDINATE WITH RELATED PLANS
    BCD‐01(B): BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) – COORDINATE WITH EXTERNAL SERVICE PROVIDERS
    BCD‐01(C): BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) – TRANSFER TO ALTERNATE PROCESSING / STORAGE SITE
    BCD‐01(D): BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS) – RECOVERY TIME / POINT OBJECTIVES
  BCD‐02: IDENTIFY CRITICAL ASSETS
    BCD‐02(A): IDENTIFY CRITICAL ASSETS – RESUME ALL MISSIONS & BUSINESS FUNCTIONS
    BCD‐02(B): IDENTIFY CRITICAL ASSETS – CONTINUE ESSENTIAL MISSION & BUSINESS FUNCTIONS
    BCD‐02(C): IDENTIFY CRITICAL ASSETS – RESUME ESSENTIAL MISSION & BUSINESS FUNCTIONS
  BCD‐03: CONTINGENCY TRAINING
    BCD‐03(A): CONTINGENCY TRAINING – SIMULATED EVENTS
    BCD‐03(B): CONTINGENCY TRAINING – AUTOMATED TRAINING ENVIRONMENTS
  BCD‐04: CONTINGENCY PLAN TESTING & EXERCISES
    BCD‐04(A): CONTINGENCY PLAN TESTING & EXERCISES – COORDINATED TESTING WITH RELATED PLANS
    BCD‐04(B): CONTINGENCY PLAN TESTING & EXERCISES – ALTERNATE STORAGE & PROCESSING SITES
  BCD‐05: CONTINGENCY PLAN ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED
  BCD‐06: CONTINGENCY PLANNING & UPDATES
  BCD‐07: ALTERNATIVE SECURITY MEASURES
  BCD‐08: ALTERNATE STORAGE SITE
    BCD‐08(A): ALTERNATE STORAGE SITE – SEPARATION FROM PRIMARY SITE
    BCD‐08(B): ALTERNATE STORAGE SITE – ACCESSIBILITY
  BCD‐09: ALTERNATE PROCESSING SITE
    BCD‐09(A): ALTERNATE PROCESSING SITE – SEPARATION FROM PRIMARY SITE
    BCD‐09(B): ALTERNATE PROCESSING SITE – ACCESSIBILITY
    BCD‐09(C): ALTERNATE PROCESSING SITE – PRIORITY OF SERVICE
    BCD‐09(D): ALTERNATE PROCESSING SITE – PREPARATION FOR USE
    BCD‐09(E): ALTERNATE PROCESSING SITE – INABILITY TO RETURN TO PRIMARY SITE
  BCD‐10: TELECOMMUNICATIONS SERVICES AVAILABILITY
    BCD‐10(A): TELECOMMUNICATIONS SERVICES AVAILABILITY – PRIORITY OF SERVICE PROVISIONS
    BCD‐10(B): TELECOMMUNICATIONS SERVICES AVAILABILITY – SEPARATION OF PRIMARY / ALTERNATE PROVIDERS
    BCD‐10(C): TELECOMMUNICATIONS SERVICES AVAILABILITY – PROVIDER CONTINGENCY PLAN
  BCD‐11: DATA BACKUPS
    BCD‐11(A): DATA BACKUPS – TESTING FOR RELIABILITY & INTEGRITY
    BCD‐11(B): DATA BACKUPS – SEPARATE STORAGE FOR CRITICAL INFORMATION
    BCD‐11(C): DATA BACKUPS – INFORMATION SYSTEM IMAGING
    BCD‐11(D): DATA BACKUPS – CRYPTOGRAPHIC PROTECTION
    BCD‐11(E): DATA BACKUPS – TEST RESTORATION USING SAMPLING
    BCD‐11(F): DATA BACKUPS – TRANSFER TO ALTERNATE STORAGE SITE
    BCD‐11(G): DATA BACKUPS – REDUNDANT SECONDARY SYSTEM
    BCD‐11(H): DATA BACKUPS – DUAL AUTHORIZATION
  BCD‐12: INFORMATION SYSTEM RECOVERY & RECONSTITUTION
    BCD‐12(A): INFORMATION SYSTEM RECOVERY & RECONSTITUTION – TRANSACTION RECOVERY
    BCD‐12(B): INFORMATION SYSTEM RECOVERY & RECONSTITUTION – FAILOVER CAPABILITY
    BCD‐12(C): INFORMATION SYSTEM RECOVERY & RECONSTITUTION – ELECTRONIC DISCOVERY (EDISCOVERY)
    BCD‐12(D): INFORMATION SYSTEM RECOVERY & RECONSTITUTION – RESTORE WITHIN TIME PERIOD
  BCD‐13: BACKUP & RESTORATION HARDWARE

CAPACITY & PERFORMANCE PLANNING (CAP)
  CAP‐01: CAPACITY & PERFORMANCE MANAGEMENT
  CAP‐02: RESOURCE PRIORITY
  CAP‐03: CAPACITY PLANNING

CHANGE MANAGEMENT (CHG)
  CHG‐01: CHANGE MANAGEMENT PROGRAM
  CHG‐02: CONFIGURATION CHANGE CONTROL
    CHG‐02(A): CONFIGURATION CHANGE CONTROL – PROHIBITION OF CHANGES
    CHG‐02(B): CONFIGURATION CHANGE CONTROL – TEST, VALIDATE & DOCUMENT CHANGES
    CHG‐02(C): CONFIGURATION CHANGE CONTROL – SECURITY REPRESENTATIVE FOR CHANGE
    CHG‐02(D): CONFIGURATION CHANGE CONTROL – AUTOMATED SECURITY RESPONSE

    CHG‐02(E): CONFIGURATION CHANGE CONTROL – CRYPTOGRAPHIC MANAGEMENT
  CHG‐03: SECURITY IMPACT ANALYSIS FOR CHANGES
  CHG‐04: ACCESS RESTRICTION FOR CHANGE
    CHG‐04(A): ACCESS RESTRICTIONS FOR CHANGE – AUTOMATED ACCESS ENFORCEMENT / AUDITING
    CHG‐04(B): ACCESS RESTRICTIONS FOR CHANGE – SIGNED COMPONENTS
    CHG‐04(C): ACCESS RESTRICTIONS FOR CHANGE – DUAL AUTHORIZATION FOR CHANGE
    CHG‐04(D): ACCESS RESTRICTIONS FOR CHANGE – LIMIT PRODUCTION / OPERATIONAL PRIVILEGES (INCOMPATIBLE ROLES)
    CHG‐04(E): ACCESS RESTRICTIONS FOR CHANGE – LIBRARY PRIVILEGES
  CHG‐05: STAKEHOLDER NOTIFICATION OF CHANGES
  CHG‐06: SECURITY FUNCTIONALITY VERIFICATION
    CHG‐06(A): SECURITY FUNCTIONALITY VERIFICATION – REPORT VERIFICATION RESULTS

CLOUD SECURITY (CLD)
  CLD‐01: CLOUD SERVICES
  CLD‐02: CLOUD SECURITY ARCHITECTURE
  CLD‐03: SECURITY MANAGEMENT SUBNET
  CLD‐04: APPLICATION & PROGRAM INTERFACE (API) SECURITY
  CLD‐05: VIRTUAL MACHINE IMAGES
  CLD‐06: MULTI‐TENANT ENVIRONMENTS
  CLD‐07: DATA HANDLING & PORTABILITY
  CLD‐08: STANDARDIZED VIRTUALIZATION FORMATS
  CLD‐09: GEOLOCATION REQUIREMENTS FOR PROCESSING, STORAGE AND SERVICE LOCATIONS
  CLD‐10: SENSITIVE DATA IN PUBLIC CLOUD PROVIDERS
  CLD‐11: CLOUD ACCESS POINT (CAP)

COMPLIANCE (CPL)
  CPL‐01: STATUTORY, REGULATORY & CONTRACTUAL COMPLIANCE
  CPL‐02: SECURITY CONTROLS OVERSIGHT
    CPL‐02(A): SECURITY CONTROLS OVERSIGHT – INTERNAL AUDIT FUNCTION
  CPL‐03: SECURITY ASSESSMENTS
    CPL‐03(A): SECURITY ASSESSMENTS – INDEPENDENT ASSESSORS
    CPL‐03(B): SECURITY ASSESSMENTS – FUNCTIONAL REVIEW OF SECURITY CONTROLS
  CPL‐04: AUDIT ACTIVITIES

CONFIGURATION MANAGEMENT (CFG)
  CFG‐01: CONFIGURATION MANAGEMENT PROGRAM
    CFG‐01(A): CONFIGURATION MANAGEMENT PROGRAM – ASSIGNMENT OF RESPONSIBILITY
  CFG‐02: SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS
    CFG‐02(A): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – REVIEWS & UPDATES
    CFG‐02(B): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – AUTOMATED CENTRAL MANAGEMENT & VERIFICATION
    CFG‐02(C): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – RETENTION OF PREVIOUS CONFIGURATIONS
    CFG‐02(D): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – DEVELOPMENT & TEST ENVIRONMENTS
    CFG‐02(E): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – CONFIGURE SYSTEMS, COMPONENTS OR DEVICES FOR HIGH‐RISK AREAS
    CFG‐02(F): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – NETWORK DEVICE CONFIGURATION FILE SYNCHRONIZATION
    CFG‐02(G): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – APPROVED DEVIATIONS
    CFG‐02(H): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – RESPOND TO UNAUTHORIZED CHANGES
    CFG‐02(I): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS – BASELINE TAILORING
  CFG‐03: LEAST FUNCTIONALITY
    CFG‐03(A): LEAST FUNCTIONALITY – PERIODIC REVIEW
    CFG‐03(B): LEAST FUNCTIONALITY – PREVENT PROGRAM EXECUTION
    CFG‐03(C): LEAST FUNCTIONALITY – UNAUTHORIZED OR AUTHORIZED SOFTWARE (BLACKLISTING OR WHITELISTING)
    CFG‐03(D): LEAST FUNCTIONALITY – SPLIT TUNNELING
  CFG‐04: SOFTWARE USAGE RESTRICTIONS
    CFG‐04(A): SOFTWARE USAGE RESTRICTIONS – OPEN SOURCE SOFTWARE
    CFG‐04(B): SOFTWARE USAGE RESTRICTIONS – UNSUPPORTED INTERNET BROWSERS & EMAIL CLIENTS
  CFG‐05: USER‐INSTALLED SOFTWARE
    CFG‐05(A): USER‐INSTALLED SOFTWARE – UNAUTHORIZED INSTALLATION ALERTS

    CFG‐05(B): USER‐INSTALLED SOFTWARE – PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS

CONTINUOUS MONITORING (MON)
  MON‐01: CONTINUOUS MONITORING
    MON‐01(A): CONTINUOUS MONITORING – INTRUSION DETECTION & PREVENTION SYSTEMS (IDS & IPS)
    MON‐01(B): CONTINUOUS MONITORING – AUTOMATED TOOLS FOR REAL‐TIME ANALYSIS
    MON‐01(C): CONTINUOUS MONITORING – INBOUND & OUTBOUND COMMUNICATIONS TRAFFIC
    MON‐01(D): CONTINUOUS MONITORING – SYSTEM GENERATED ALERTS
    MON‐01(E): CONTINUOUS MONITORING – WIRELESS INTRUSION DETECTION SYSTEM (WIDS)
    MON‐01(F): CONTINUOUS MONITORING – HOST‐BASED DEVICES
    MON‐01(G): CONTINUOUS MONITORING – FILE INTEGRITY MONITORING (FIM)
    MON‐01(H): CONTINUOUS MONITORING – REVIEWS & UPDATES
    MON‐01(I): CONTINUOUS MONITORING – PROXY LOGGING
    MON‐01(J): CONTINUOUS MONITORING – DEACTIVATED ACCOUNT ACTIVITY
    MON‐01(K): CONTINUOUS MONITORING – AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
    MON‐01(L): CONTINUOUS MONITORING – AUTOMATED ALERTS
    MON‐01(M): CONTINUOUS MONITORING – ANALYZE TRAFFIC / EVENT PATTERNS
    MON‐01(N): CONTINUOUS MONITORING – INDIVIDUALS POSING GREATER RISK
    MON‐01(O): CONTINUOUS MONITORING – PRIVILEGED USER OVERSIGHT
    MON‐01(P): CONTINUOUS MONITORING – ANALYZE & PRIORITIZE MONITORING REQUIREMENTS
  MON‐02: CENTRALIZED EVENT LOG COLLECTION
    MON‐02(A): CENTRALIZED SECURITY EVENT LOG COLLECTION – CORRELATE MONITORING INFORMATION
    MON‐02(B): CENTRALIZED SECURITY EVENT LOG COLLECTION – CENTRAL REVIEW & ANALYSIS
    MON‐02(C): CENTRALIZED SECURITY EVENT LOG COLLECTION – INTEGRATION OF SCANNING & OTHER MONITORING INFORMATION
    MON‐02(D): CENTRALIZED SECURITY EVENT LOG COLLECTION – CORRELATION WITH PHYSICAL MONITORING
    MON‐02(E): CENTRALIZED SECURITY EVENT LOG COLLECTION – PERMITTED ACTIONS
    MON‐02(F): CENTRALIZED SECURITY EVENT LOG COLLECTION – AUDIT LEVEL ADJUSTMENT
    MON‐02(G): CENTRALIZED SECURITY EVENT LOG COLLECTION – SYSTEM‐WIDE / TIME‐CORRELATED AUDIT TRAIL
    MON‐02(H): CENTRALIZED SECURITY EVENT LOG COLLECTION – CHANGES BY AUTHORIZED INDIVIDUALS
  MON‐03: CONTENT OF AUDIT RECORDS
    MON‐03(A): CONTENT OF AUDIT RECORDS – SENSITIVE AUDIT INFORMATION
    MON‐03(B): CONTENT OF AUDIT RECORDS – AUDIT TRAILS
    MON‐03(C): CONTENT OF AUDIT RECORDS – PRIVILEGED FUNCTIONS LOGGING
    MON‐03(D): CONTENT OF AUDIT RECORDS – VERBOSITY LOGGING FOR BOUNDARY DEVICES
    MON‐03(E): CONTENT OF AUDIT RECORDS – LIMIT PERSONAL DATA (PD) IN AUDIT RECORDS
    MON‐03(F): CONTENT OF AUDIT RECORDS – CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT
  MON‐04: AUDIT STORAGE CAPACITY
  MON‐05: RESPONSE TO AUDIT PROCESSING FAILURES
    MON‐05(A): RESPONSE TO AUDIT PROCESSING FAILURES – REAL‐TIME ALERTS OF AUDIT FAILURE
    MON‐05(B): RESPONSE TO AUDIT PROCESSING FAILURES – AUDIT STORAGE CAPACITY ALERTING
  MON‐06: MONITORING REPORTING
    MON‐06(A): MONITORING REPORTING – QUERY PARAMETER AUDITS OF PERSONAL DATA (PD)
    MON‐06(B): MONITORING REPORTING – TREND ANALYSIS REPORTING
  MON‐07: TIME STAMPS
    MON‐07(A): TIME STAMPS – SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE
  MON‐08: PROTECTION OF AUDIT INFORMATION
    MON‐08(A): PROTECTION OF AUDIT INFORMATION – AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
    MON‐08(B): PROTECTION OF AUDIT INFORMATION – ACCESS BY SUBSET OF PRIVILEGED USERS
    MON‐08(C): PROTECTION OF AUDIT INFORMATION – CRYPTOGRAPHIC PROTECTION OF AUDIT INFORMATION
    MON‐08(D): PROTECTION OF AUDIT INFORMATION – DUAL AUTHORIZATION
  MON‐09: NON‐REPUDIATION
  MON‐10: AUDIT RECORD RETENTION
  MON‐11: MONITORING FOR INFORMATION DISCLOSURE
    MON‐11(A): MONITORING FOR INFORMATION DISCLOSURE – ANALYZE TRAFFIC FOR COVERT EXFILTRATION
    MON‐11(B): MONITORING FOR INFORMATION DISCLOSURE – UNAUTHORIZED NETWORK SERVICES
    MON‐11(C): MONITORING FOR INFORMATION DISCLOSURE – MONITORING FOR INDICATORS OF COMPROMISE (IOC)
  MON‐12: SESSION AUDIT
  MON‐13: ALTERNATE AUDIT CAPABILITY

  MON‐14: CROSS‐ORGANIZATIONAL MONITORING
    MON‐14(A): CROSS‐ORGANIZATIONAL MONITORING – SHARING OF AUDIT INFORMATION
  MON‐15: COVERT CHANNEL ANALYSIS
  MON‐16: ANOMALOUS BEHAVIOR
    MON‐16(A): ANOMALOUS BEHAVIOR – INSIDER THREATS
    MON‐16(B): ANOMALOUS BEHAVIOR – THIRD‐PARTY THREATS
    MON‐16(C): ANOMALOUS BEHAVIOR – UNAUTHORIZED ACTIVITIES

CRYPTOGRAPHIC PROTECTIONS (CRY)
  CRY‐01: USE OF CRYPTOGRAPHIC CONTROLS
    CRY‐01(A): USE OF CRYPTOGRAPHIC CONTROLS – ALTERNATE PHYSICAL PROTECTION
    CRY‐01(B): USE OF CRYPTOGRAPHIC CONTROLS – EXPORT‐CONTROLLED TECHNOLOGY
    CRY‐01(C): USE OF CRYPTOGRAPHIC CONTROLS – PRE / POST TRANSMISSION HANDLING
    CRY‐01(D): USE OF CRYPTOGRAPHIC CONTROLS – CONCEAL / RANDOMIZE COMMUNICATIONS
  CRY‐02: CRYPTOGRAPHIC MODULE AUTHENTICATION
  CRY‐03: TRANSMISSION CONFIDENTIALITY
  CRY‐04: TRANSMISSION INTEGRITY
  CRY‐05: ENCRYPTING DATA AT REST
    CRY‐05(A): ENCRYPTING DATA AT REST – STORAGE MEDIA
    CRY‐05(B): ENCRYPTING DATA AT REST – OFFLINE STORAGE
  CRY‐06: NON‐CONSOLE ADMINISTRATIVE ACCESS
  CRY‐07: WIRELESS ACCESS AUTHENTICATION & ENCRYPTION
  CRY‐08: PUBLIC KEY INFRASTRUCTURE (PKI)
    CRY‐08(A): PUBLIC KEY INFRASTRUCTURE (PKI) – AVAILABILITY
  CRY‐09: CRYPTOGRAPHIC KEY MANAGEMENT
    CRY‐09(A): CRYPTOGRAPHIC KEY MANAGEMENT – SYMMETRIC KEYS
    CRY‐09(B): CRYPTOGRAPHIC KEY MANAGEMENT – ASYMMETRIC KEYS
    CRY‐09(C): CRYPTOGRAPHIC KEY MANAGEMENT – CRYPTOGRAPHIC KEY LOSS OR CHANGE
    CRY‐09(D): CRYPTOGRAPHIC KEY MANAGEMENT – CONTROL & DISTRIBUTION OF CRYPTOGRAPHIC KEYS
    CRY‐09(E): CRYPTOGRAPHIC KEY MANAGEMENT – ASSIGNED OWNERS
  CRY‐10: TRANSMISSION OF SECURITY & PRIVACY

DATA CLASSIFICATION & HANDLING (DCH)
  DCH‐01: DATA PROTECTION
    DCH‐01(A): DATA PROTECTION – DATA STEWARDSHIP
  DCH‐02: DATA & ASSET CLASSIFICATION
  DCH‐03: MEDIA ACCESS
    DCH‐03(A): MEDIA ACCESS – DISCLOSURE OF INFORMATION
    DCH‐03(B): MEDIA ACCESS – MASKING DISPLAYED DATA
  DCH‐04: MEDIA MARKING
    DCH‐04(A): MEDIA MARKING – AUTOMATED MARKING
  DCH‐05: SECURITY ATTRIBUTES
    DCH‐05(A): SECURITY ATTRIBUTES – DYNAMIC ATTRIBUTE ASSOCIATION
    DCH‐05(B): SECURITY ATTRIBUTES – ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS
    DCH‐05(C): SECURITY ATTRIBUTES – MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY SYSTEM
    DCH‐05(D): SECURITY ATTRIBUTES – ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS
    DCH‐05(E): SECURITY ATTRIBUTES – ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES
    DCH‐05(F): SECURITY ATTRIBUTES – DATA SUBJECT ATTRIBUTE ASSOCIATIONS
    DCH‐05(G): SECURITY ATTRIBUTES – CONSISTENT ATTRIBUTE INTERPRETATION
    DCH‐05(H): SECURITY ATTRIBUTES – IDENTITY ASSOCIATION TECHNIQUES & TECHNOLOGIES
    DCH‐05(I): SECURITY ATTRIBUTES – ATTRIBUTE REASSIGNMENT
    DCH‐05(J): SECURITY ATTRIBUTES – ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS
    DCH‐05(K): SECURITY ATTRIBUTES – AUDIT CHANGES
  DCH‐06: MEDIA STORAGE
    DCH‐06(A): MEDIA STORAGE – PHYSICALLY SECURE ALL MEDIA
    DCH‐06(B): MEDIA STORAGE – SENSITIVE DATA INVENTORIES
    DCH‐06(C): MEDIA STORAGE – PERIODIC SCANS FOR SENSITIVE DATA
    DCH‐06(D): MEDIA STORAGE – MAKING SENSITIVE DATA UNREADABLE IN STORAGE
    DCH‐06(E): MEDIA STORAGE – STORING AUTHENTICATION DATA
  DCH‐07: MEDIA

    DCH‐07(A): MEDIA TRANSPORTATION – CUSTODIANS
    DCH‐07(B): MEDIA TRANSPORTATION – ENCRYPTING DATA IN STORAGE MEDIA
  DCH‐08: PHYSICAL MEDIA DISPOSAL
  DCH‐09: DIGITAL MEDIA SANITIZATION
    DCH‐09(A): MEDIA SANITIZATION – MEDIA SANITIZATION DOCUMENTATION
    DCH‐09(B): MEDIA SANITIZATION – EQUIPMENT TESTING
    DCH‐09(C): MEDIA SANITIZATION – DESTRUCTION OF PERSONAL DATA (PD)
    DCH‐09(D): MEDIA SANITIZATION – NON‐DESTRUCTIVE TECHNIQUES
    DCH‐09(E): MEDIA SANITIZATION – DUAL AUTHORIZATION
  DCH‐10: MEDIA USE
    DCH‐10(A): MEDIA USE – LIMITATIONS ON USE
    DCH‐10(B): MEDIA USE – PROHIBIT USE WITHOUT OWNER
  DCH‐11: MEDIA DOWNGRADING
  DCH‐12: REMOVABLE MEDIA SECURITY
  DCH‐13: USE OF EXTERNAL INFORMATION SYSTEMS
    DCH‐13(A): USE OF EXTERNAL INFORMATION SYSTEMS – LIMITS OF AUTHORIZED USE
    DCH‐13(B): USE OF EXTERNAL INFORMATION SYSTEMS – PORTABLE STORAGE DEVICES
    DCH‐13(C): USE OF EXTERNAL INFORMATION SYSTEMS – PROTECTING SENSITIVE DATA ON EXTERNAL SYSTEMS
    DCH‐13(D): USE OF EXTERNAL INFORMATION SYSTEMS – NON‐ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES
  DCH‐14: INFORMATION SHARING
    DCH‐14(A): INFORMATION SHARING – INFORMATION SEARCH & RETRIEVAL
  DCH‐15: PUBLICLY ACCESSIBLE CONTENT
  DCH‐16: DATA MINING PROTECTION
  DCH‐17: AD‐HOC TRANSFERS
  DCH‐18: MEDIA & DATA RETENTION
    DCH‐18(A): MEDIA & DATA RETENTION – LIMIT PERSONAL DATA (PD) ELEMENTS IN TESTING, TRAINING & RESEARCH
    DCH‐18(B): MEDIA & DATA RETENTION – MINIMIZE PERSONAL DATA (PD)
    DCH‐18(C): MEDIA & DATA RETENTION – TEMPORARY FILES CONTAINING PERSONAL DATA
  DCH‐19: GEOGRAPHIC LOCATION OF DATA
  DCH‐20: ARCHIVED DATA SETS
  DCH‐21: INFORMATION DISPOSAL
  DCH‐22: DATA QUALITY OPERATIONS
    DCH‐22(A): DATA QUALITY OPERATIONS – UPDATING & CORRECTING PERSONAL DATA (PD)
    DCH‐22(B): DATA QUALITY OPERATIONS – DATA TAGS
    DCH‐22(C): DATA QUALITY OPERATIONS – PERSONAL DATA (PD) COLLECTION
  DCH‐23: DE‐IDENTIFICATION (ANONYMIZATION)
    DCH‐23(A): DE‐IDENTIFICATION (ANONYMIZATION) – COLLECTION
    DCH‐23(B): DE‐IDENTIFICATION (ANONYMIZATION) – ARCHIVING
    DCH‐23(C): DE‐IDENTIFICATION (ANONYMIZATION) – RELEASE
    DCH‐23(D): DE‐IDENTIFICATION (ANONYMIZATION) – REMOVAL, MASKING, ENCRYPTION, HASHING OR REPLACEMENT OF DIRECT IDENTIFIERS
    DCH‐23(E): DE‐IDENTIFICATION (ANONYMIZATION) – STATISTICAL DISCLOSURE CONTROL
    DCH‐23(F): DE‐IDENTIFICATION (ANONYMIZATION) – DIFFERENTIAL PRIVACY
    DCH‐23(G): DE‐IDENTIFICATION (ANONYMIZATION) – VALIDATED SOFTWARE
    DCH‐23(H): DE‐IDENTIFICATION (ANONYMIZATION) – MOTIVATED INTRUDER
  DCH‐24: INFORMATION LOCATION
    DCH‐24(A): INFORMATION LOCATION – AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION
  DCH‐25: TRANSFER OF PERSONAL

EMBEDDED TECHNOLOGY (EMB)
  EMB‐01: EMBEDDED TECHNOLOGY SECURITY PROGRAM
  EMB‐02: INTERNET OF THINGS (IOT)
  EMB‐03: OPERATIONAL TECHNOLOGY (OT)

ENDPOINT SECURITY (END)
  END‐01: ENDPOINT SECURITY
  END‐02: ENDPOINT PROTECTION MEASURES
  END‐03: PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS
    END‐03(A): PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS – UNAUTHORIZED INSTALLATION ALERTS

    END‐03(B): PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS – ACCESS RESTRICTION FOR CHANGE
  END‐04: MALICIOUS CODE PROTECTION (ANTI‐MALWARE)
    END‐04(A): MALICIOUS CODE PROTECTION (ANTI‐MALWARE) – AUTOMATIC UPDATES
    END‐04(B): MALICIOUS CODE PROTECTION (ANTI‐MALWARE) – DOCUMENTED PROTECTION MEASURES
    END‐04(C): MALICIOUS CODE PROTECTION (ANTI‐MALWARE) – CENTRALIZED MANAGEMENT
    END‐04(D): MALICIOUS CODE PROTECTION (ANTI‐MALWARE) – NONSIGNATURE‐BASED DETECTION
    END‐04(E): MALICIOUS CODE PROTECTION (ANTI‐MALWARE) – MALWARE PROTECTION MECHANISM TESTING
    END‐04(F): MALICIOUS CODE PROTECTION (ANTI‐MALWARE) – EVOLVING MALWARE THREATS
    END‐04(G): MALICIOUS CODE PROTECTION (ANTI‐MALWARE) – ALWAYS ON PROTECTION
  END‐05: SOFTWARE FIREWALL
  END‐06: FILE INTEGRITY MONITORING (FIM)
    END‐06(A): FILE INTEGRITY MONITORING (FIM) – INTEGRITY CHECKS
    END‐06(B): FILE INTEGRITY MONITORING (FIM) – INTEGRATION OF DETECTION & RESPONSE
    END‐06(C): FILE INTEGRITY MONITORING (FIM) – AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
    END‐06(D): FILE INTEGRITY MONITORING (FIM) – AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS
    END‐06(E): FILE INTEGRITY MONITORING (FIM) – VERIFY BOOT PROCESS
    END‐06(F): FILE INTEGRITY MONITORING (FIM) – PROTECTION OF BOOT FIRMWARE
    END‐06(G): FILE INTEGRITY MONITORING (FIM) – BINARY OR MACHINE‐EXECUTABLE CODE
  END‐07: HOST INTRUSION DETECTION AND PREVENTION SYSTEMS (HIDS / HIPS)
  END‐08: PHISHING & SPAM PROTECTION
    END‐08(A): PHISHING & SPAM PROTECTION – CENTRAL MANAGEMENT
    END‐08(B): PHISHING & SPAM PROTECTION – AUTOMATIC UPDATES
  END‐09: TRUSTED PATH
  END‐10: MOBILE CODE
  END‐11: THIN NODES
  END‐12: PORT & INPUT / OUTPUT (I/O) DEVICE ACCESS
  END‐13: SENSOR CAPABILITY
    END‐13(A): SENSOR CAPABILITY – AUTHORIZED USE
    END‐13(B): SENSOR CAPABILITY – NOTICE OF COLLECTION
    END‐13(C): SENSOR CAPABILITY – COLLECTION MINIMIZATION
  END‐14: COLLABORATIVE COMPUTING DEVICES
    END‐14(A): COLLABORATIVE COMPUTING DEVICES – DISABLING / REMOVAL IN SECURE WORK AREAS
    END‐14(B): COLLABORATIVE COMPUTING DEVICES – EXPLICITLY INDICATE CURRENT PARTICIPANTS
  END‐15: HYPERVISOR ACCESS
  END‐16: SECURITY FUNCTION ISOLATION
    END‐16(A): SECURITY FUNCTION ISOLATION – HOST‐BASED SECURITY FUNCTION ISOLATION

HUMAN RESOURCES SECURITY (HRS)
  HRS‐01: HUMAN RESOURCES SECURITY MANAGEMENT
  HRS‐02: POSITION CATEGORIZATION
    HRS‐02(A): POSITION CATEGORIZATION – USERS WITH ELEVATED PRIVILEGES
  HRS‐03: ROLES & RESPONSIBILITIES
    HRS‐03(A): ROLES & RESPONSIBILITIES – USER AWARENESS
    HRS‐03(B): ROLES & RESPONSIBILITIES – COMPETENCY REQUIREMENTS FOR SECURITY‐RELATED POSITIONS
  HRS‐04: PERSONNEL SCREENING
    HRS‐04(A): PERSONNEL SCREENING – ROLES WITH SPECIAL PROTECTION MEASURES
    HRS‐04(B): PERSONNEL SCREENING – FORMAL INDOCTRINATION
  HRS‐05: TERMS OF EMPLOYMENT
    HRS‐05(A): TERMS OF EMPLOYMENT – RULES OF BEHAVIOR
    HRS‐05(B): TERMS OF EMPLOYMENT – SOCIAL MEDIA & SOCIAL NETWORKING RESTRICTIONS
    HRS‐05(C): TERMS OF EMPLOYMENT – USE OF COMMUNICATIONS TECHNOLOGY
    HRS‐05(D): TERMS OF EMPLOYMENT – USE OF CRITICAL TECHNOLOGIES
    HRS‐05(E): TERMS OF EMPLOYMENT – USE OF MOBILE DEVICES
  HRS‐06: ACCESS AGREEMENTS
    HRS‐06(A): ACCESS AGREEMENTS – CONFIDENTIALITY AGREEMENTS
    HRS‐06(B): ACCESS AGREEMENTS – POST‐EMPLOYMENT OBLIGATIONS
  HRS‐07: PERSONNEL SANCTIONS
    HRS‐07(A): PERSONNEL SANCTIONS – WORKPLACE INVESTIGATIONS
  HRS‐08: PERSONNEL TRANSFER

  HRS‐09: PERSONNEL TERMINATION
    HRS‐09(A): PERSONNEL TERMINATION – ASSET COLLECTION
    HRS‐09(B): PERSONNEL TERMINATION – HIGH‐RISK TERMINATIONS
    HRS‐09(C): PERSONNEL TERMINATION – POST‐EMPLOYMENT REQUIREMENTS
    HRS‐09(D): PERSONNEL TERMINATION – AUTOMATED EMPLOYMENT STATUS NOTIFICATION
  HRS‐10: THIRD‐PARTY PERSONNEL SECURITY
  HRS‐11: SEPARATION OF DUTIES
  HRS‐12: INCOMPATIBLE ROLES
    HRS‐12(A): INCOMPATIBLE ROLES – TWO‐PERSON RULE
  HRS‐13: IDENTIFY CRITICAL SKILLS & GAPS
    HRS‐13(A): IDENTIFY CRITICAL SKILLS & GAPS – REMEDIATE IDENTIFIED SKILLS DEFICIENCIES
    HRS‐13(B): IDENTIFY CRITICAL SKILLS & GAPS – IDENTIFY VITAL CYBERSECURITY & PRIVACY STAFF
    HRS‐13(C): IDENTIFY CRITICAL SKILLS & GAPS – ESTABLISH REDUNDANCY FOR VITAL CYBERSECURITY & PRIVACY STAFF
    HRS‐13(D): IDENTIFY CRITICAL SKILLS & GAPS – PERFORM SUCCESSION PLANNING

IDENTIFICATION & AUTHENTICATION (IAC)
  IAC‐01: IDENTITY & ACCESS MANAGEMENT (IAM)
  IAC‐02: IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS
    IAC‐02(A): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS – GROUP AUTHENTICATION
    IAC‐02(B): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS – NETWORK ACCESS TO PRIVILEGED ACCOUNTS ‐ REPLAY RESISTANT
    IAC‐02(C): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS – ACCEPTANCE OF PIV CREDENTIALS
    IAC‐02(D): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS – OUT‐OF‐BAND AUTHENTICATION (OOBA)
  IAC‐03: IDENTIFICATION & AUTHENTICATION FOR NON‐ORGANIZATIONAL USERS
    IAC‐03(A): IDENTIFICATION & AUTHENTICATION FOR NON‐ORGANIZATIONAL USERS – ACCEPTANCE OF PIV CREDENTIALS FROM OTHER ORGANIZATIONS
    IAC‐03(B): IDENTIFICATION & AUTHENTICATION FOR NON‐ORGANIZATIONAL USERS – ACCEPTANCE OF THIRD‐PARTY CREDENTIALS
    IAC‐03(C): IDENTIFICATION & AUTHENTICATION FOR NON‐ORGANIZATIONAL USERS – USE OF FICAM‐ISSUED PROFILES
    IAC‐03(D): IDENTIFICATION & AUTHENTICATION FOR NON‐ORGANIZATIONAL USERS – DISASSOCIABILITY
  IAC‐04: IDENTIFICATION & AUTHENTICATION FOR DEVICES
    IAC‐04(A): IDENTIFICATION & AUTHENTICATION FOR DEVICES – DEVICE ATTESTATION
  IAC‐05: IDENTIFICATION & AUTHENTICATION FOR THIRD PARTY SYSTEMS & SERVICES
    IAC‐05(A): IDENTIFICATION & AUTHENTICATION FOR THIRD PARTY SYSTEMS & SERVICES – INFORMATION EXCHANGE
  IAC‐06: MULTIFACTOR AUTHENTICATION (MFA)
    IAC‐06(A): MULTI‐FACTOR AUTHENTICATION (MFA) – NETWORK ACCESS TO PRIVILEGED ACCOUNTS
    IAC‐06(B): MULTI‐FACTOR AUTHENTICATION (MFA) – NETWORK ACCESS TO NON‐PRIVILEGED ACCOUNTS
    IAC‐06(C): MULTI‐FACTOR AUTHENTICATION (MFA) – LOCAL ACCESS TO PRIVILEGED ACCOUNTS
    IAC‐06(D): MULTI‐FACTOR AUTHENTICATION (MFA) – OUT OF BAND (OOB) FACTOR
  IAC‐07: USER PROVISIONING & DE‐PROVISIONING
    IAC‐07(A): USER PROVISIONING & DE‐PROVISIONING – CHANGE OF ROLES & DUTIES
    IAC‐07(B): USER PROVISIONING & DE‐PROVISIONING – TERMINATION OF EMPLOYMENT
  IAC‐08: ROLE‐BASED ACCESS CONTROL (RBAC)
  IAC‐09: IDENTIFIER MANAGEMENT (USER NAMES)
    IAC‐09(A): IDENTIFIER MANAGEMENT – USER IDENTITY (ID) MANAGEMENT
    IAC‐09(B): IDENTIFIER MANAGEMENT – IDENTITY USER STATUS
    IAC‐09(C): IDENTIFIER MANAGEMENT – DYNAMIC MANAGEMENT
    IAC‐09(D): IDENTIFIER MANAGEMENT – CROSS‐ORGANIZATION MANAGEMENT
    IAC‐09(E): IDENTIFIER MANAGEMENT – PRIVILEGED ACCOUNT IDENTIFIERS
    IAC‐09(F): IDENTIFIER MANAGEMENT – PAIRWISE PSEUDONYMOUS IDENTIFIERS (PPID)
  IAC‐10: AUTHENTICATOR MANAGEMENT (PASSWORDS)
    IAC‐10(A): AUTHENTICATOR MANAGEMENT – PASSWORD‐BASED AUTHENTICATION
    IAC‐10(B): AUTHENTICATOR MANAGEMENT – PKI‐BASED AUTHENTICATION
    IAC‐10(C): AUTHENTICATOR MANAGEMENT – IN‐PERSON OR TRUSTED THIRD‐PARTY REGISTRATION
    IAC‐10(D): AUTHENTICATOR MANAGEMENT – AUTOMATED SUPPORT FOR PASSWORD STRENGTH
    IAC‐10(E): AUTHENTICATOR MANAGEMENT – PROTECTION OF AUTHENTICATORS
    IAC‐10(F): AUTHENTICATOR MANAGEMENT – NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
    IAC‐10(G): AUTHENTICATOR MANAGEMENT – HARDWARE TOKEN‐BASED AUTHENTICATION
    IAC‐10(H): AUTHENTICATOR MANAGEMENT – VENDOR‐SUPPLIED DEFAULTS

    IAC‐10(I): AUTHENTICATOR MANAGEMENT – MULTIPLE INFORMATION SYSTEM ACCOUNTS
    IAC‐10(J): AUTHENTICATOR MANAGEMENT – EXPIRATION OF CACHED AUTHENTICATORS
  IAC‐11: AUTHENTICATOR FEEDBACK
  IAC‐12: CRYPTOGRAPHIC MODULE AUTHENTICATION
  IAC‐13: ADAPTIVE IDENTIFICATION & AUTHENTICATION
  IAC‐14: RE‐AUTHENTICATION
  IAC‐15: ACCOUNT MANAGEMENT
    IAC‐15(A): ACCOUNT MANAGEMENT – AUTOMATED SYSTEM ACCOUNT MANAGEMENT
    IAC‐15(B): ACCOUNT MANAGEMENT – REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS
    IAC‐15(C): ACCOUNT MANAGEMENT – DISABLE INACTIVE ACCOUNTS
    IAC‐15(D): ACCOUNT MANAGEMENT – AUTOMATED AUDIT ACTIONS
    IAC‐15(E): ACCOUNT MANAGEMENT – RESTRICTIONS ON SHARED GROUPS / ACCOUNTS
    IAC‐15(F): ACCOUNT MANAGEMENT – ACCOUNT DISABLING FOR HIGH RISK INDIVIDUALS
    IAC‐15(G): ACCOUNT MANAGEMENT – SYSTEM ACCOUNTS
    IAC‐15(H): ACCOUNT MANAGEMENT – USAGE CONDITIONS
  IAC‐16: PRIVILEGED ACCOUNT MANAGEMENT (PAM)
    IAC‐16(A): PRIVILEGED ACCOUNT MANAGEMENT (PAM) – PRIVILEGED ACCOUNT INVENTORIES
  IAC‐17: PERIODIC REVIEW OF USER PRIVILEGES
  IAC‐18: USER RESPONSIBILITIES FOR ACCOUNT MANAGEMENT
  IAC‐19: CREDENTIAL SHARING
  IAC‐20: ACCESS ENFORCEMENT
    IAC‐20(A): ACCESS ENFORCEMENT – ACCESS TO SENSITIVE DATA
    IAC‐20(B): ACCESS ENFORCEMENT – DATABASE ACCESS
    IAC‐20(C): ACCESS ENFORCEMENT – USE OF PRIVILEGED UTILITY PROGRAMS
    IAC‐20(D): ACCESS ENFORCEMENT – DEDICATED ADMINISTRATIVE MACHINES
    IAC‐20(E): ACCESS ENFORCEMENT – DUAL AUTHORIZATION FOR PRIVILEGED COMMANDS
  IAC‐21: LEAST PRIVILEGE
    IAC‐21(A): LEAST PRIVILEGE – AUTHORIZE ACCESS TO SECURITY FUNCTIONS
    IAC‐21(B): LEAST PRIVILEGE – NON‐PRIVILEGED ACCESS FOR NON‐SECURITY FUNCTIONS
    IAC‐21(C): LEAST PRIVILEGE – PRIVILEGED ACCOUNTS
    IAC‐21(D): LEAST PRIVILEGE – AUDITING USE OF PRIVILEGED FUNCTIONS
    IAC‐21(E): LEAST PRIVILEGE – PROHIBIT NON‐PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
    IAC‐21(F): LEAST PRIVILEGE – NETWORK ACCESS TO PRIVILEGED COMMANDS
    IAC‐21(G): LEAST PRIVILEGE – PRIVILEGE LEVELS FOR CODE EXECUTION
  IAC‐22: ACCOUNT LOCKOUT
  IAC‐23: CONCURRENT SESSION CONTROL
  IAC‐24: SESSION LOCK
    IAC‐24(A): SESSION LOCK – PATTERN‐HIDING DISPLAYS
  IAC‐25: SESSION TERMINATION
    IAC‐25(A): SESSION TERMINA
