compliance controls are associated with this Policy definition 'Update information security policies' (5226dee6-3420-711b-4709-8e675ebd828f)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
AT-1 |
FedRAMP_High_R4_AT-1 |
FedRAMP High AT-1 |
Awareness And Training |
Security Awareness And Training Policy Andprocedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-16, 800-50, 800-100. |
link |
2 |
| FedRAMP_High_R4 |
AU-1 |
FedRAMP_High_R4_AU-1 |
FedRAMP High AU-1 |
Audit And Accountability |
Audit And Accountability Policy And
Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| FedRAMP_High_R4 |
PL-4 |
FedRAMP_High_R4_PL-4 |
FedRAMP High PL-4 |
Planning |
Rules Of Behavior |
Shared |
n/a |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and
resign when the rules of behavior are revised/updated.
Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.
References: NIST Special Publication 800-18. |
link |
9 |
| FedRAMP_Moderate_R4 |
AT-1 |
FedRAMP_Moderate_R4_AT-1 |
FedRAMP Moderate AT-1 |
Awareness And Training |
Security Awareness And Training Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-16, 800-50, 800-100. |
link |
2 |
| FedRAMP_Moderate_R4 |
AU-1 |
FedRAMP_Moderate_R4_AU-1 |
FedRAMP Moderate AU-1 |
Audit And Accountability |
Audit And Accountability Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| FedRAMP_Moderate_R4 |
PL-4 |
FedRAMP_Moderate_R4_PL-4 |
FedRAMP Moderate PL-4 |
Planning |
Rules Of Behavior |
Shared |
n/a |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and
resign when the rules of behavior are revised/updated.
Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.
References: NIST Special Publication 800-18. |
link |
9 |
| hipaa |
0101.00a1Organizational.123-00.a |
hipaa-0101.00a1Organizational.123-00.a |
0101.00a1Organizational.123-00.a |
01 Information Protection Program |
0101.00a1Organizational.123-00.a 0.01 Information Security Management Program |
Shared |
n/a |
The organization has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed. |
|
5 |
| hipaa |
0102.00a2Organizational.123-00.a |
hipaa-0102.00a2Organizational.123-00.a |
0102.00a2Organizational.123-00.a |
01 Information Protection Program |
0102.00a2Organizational.123-00.a 0.01 Information Security Management Program |
Shared |
n/a |
The information protection program is formally documented and actively monitored, reviewed, and updated to ensure program objectives continue to be met. |
|
3 |
| hipaa |
0104.02a1Organizational.12-02.a |
hipaa-0104.02a1Organizational.12-02.a |
0104.02a1Organizational.12-02.a |
01 Information Protection Program |
0104.02a1Organizational.12-02.a 02.01 Prior to Employment |
Shared |
n/a |
User security roles and responsibilities are clearly defined and communicated. |
|
14 |
| hipaa |
0109.02d1Organizational.4-02.d |
hipaa-0109.02d1Organizational.4-02.d |
0109.02d1Organizational.4-02.d |
01 Information Protection Program |
0109.02d1Organizational.4-02.d 02.03 During Employment |
Shared |
n/a |
Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). |
|
20 |
| hipaa |
0113.04a1Organizational.123-04.a |
hipaa-0113.04a1Organizational.123-04.a |
0113.04a1Organizational.123-04.a |
01 Information Protection Program |
0113.04a1Organizational.123-04.a 04.01 Information Security Policy |
Shared |
n/a |
Information security objectives, approach, scope, importance, goals, and principles for the organization’s security program are formally identified, communicated throughout the organization to users in a form that is relevant, accessible, and understandable to the intended reader; and supported by a controls framework that considers legislative, regulatory, contractual requirements, and other policy-related requirements. |
|
3 |
| hipaa |
0114.04b1Organizational.1-04.b |
hipaa-0114.04b1Organizational.1-04.b |
0114.04b1Organizational.1-04.b |
01 Information Protection Program |
0114.04b1Organizational.1-04.b 04.01 Information Security Policy |
Shared |
n/a |
The security policies are regularly reviewed and updated to ensure they reflect leading practices (e.g., for systems and services development and acquisition), and are communicated throughout the organization. |
|
9 |
| hipaa |
0115.04b2Organizational.123-04.b |
hipaa-0115.04b2Organizational.123-04.b |
0115.04b2Organizational.123-04.b |
01 Information Protection Program |
0115.04b2Organizational.123-04.b 04.01 Information Security Policy |
Shared |
n/a |
The owner of the security policies has management approval and assigned responsibility to develop, review, update (based on specific input), and approve the security policies; and such reviews, updates, and approvals occur no less than annually. |
|
20 |
| hipaa |
0118.05a1Organizational.2-05.a |
hipaa-0118.05a1Organizational.2-05.a |
0118.05a1Organizational.2-05.a |
01 Information Protection Program |
0118.05a1Organizational.2-05.a 05.01 Internal Organization |
Shared |
n/a |
Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight; establish and communicate the organization's priorities for organizational mission, objectives, and activities; review and update of the organization's security plan; ensure compliance with the security plan by the workforce; and evaluate and accept security risks on behalf of the organization. |
|
8 |
| hipaa |
0901.09s1Organizational.1-09.s |
hipaa-0901.09s1Organizational.1-09.s |
0901.09s1Organizational.1-09.s |
09 Transmission Protection |
0901.09s1Organizational.1-09.s 09.08 Exchange of Information |
Shared |
n/a |
The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. |
|
31 |
| hipaa |
1008.01d2System.3-01.d |
hipaa-1008.01d2System.3-01.d |
1008.01d2System.3-01.d |
10 Password Management |
1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Users sign a statement acknowledging their responsibility to keep passwords confidential. |
|
15 |
| hipaa |
1110.01b1System.5-01.b |
hipaa-1110.01b1System.5-01.b |
1110.01b1System.5-01.b |
11 Access Control |
1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Users are given a written statement of their access rights, which they are required to sign stating they understand the conditions of access. Guest/anonymous, shared/group, emergency and temporary accounts are specifically authorized and use monitored. |
|
11 |
| hipaa |
1201.06e1Organizational.2-06.e |
hipaa-1201.06e1Organizational.2-06.e |
1201.06e1Organizational.2-06.e |
12 Audit Logging & Monitoring |
1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization provides notice that the employee's actions may be monitored, and that the employee consents to such monitoring. |
|
12 |
| hipaa |
12101.09ab1Organizational.3-09.ab |
hipaa-12101.09ab1Organizational.3-09.ab |
12101.09ab1Organizational.3-09.ab |
12 Audit Logging & Monitoring |
12101.09ab1Organizational.3-09.ab 09.10 Monitoring |
Shared |
n/a |
The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. |
|
18 |
| hipaa |
1302.02e2Organizational.134-02.e |
hipaa-1302.02e2Organizational.134-02.e |
1302.02e2Organizational.134-02.e |
13 Education, Training and Awareness |
1302.02e2Organizational.134-02.e 02.03 During Employment |
Shared |
n/a |
Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. |
|
19 |
| hipaa |
1306.06e1Organizational.5-06.e |
hipaa-1306.06e1Organizational.5-06.e |
1306.06e1Organizational.5-06.e |
13 Education, Training and Awareness |
1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Employees and contractors are informed in writing that violations of the security policies will result in sanctions or disciplinary action. |
|
11 |
| hipaa |
1307.07c1Organizational.124-07.c |
hipaa-1307.07c1Organizational.124-07.c |
1307.07c1Organizational.124-07.c |
13 Education, Training and Awareness |
1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets |
Shared |
n/a |
The organization defines rules to describe user responsibilities and acceptable behavior for information system usage, including at a minimum, rules for email, Internet, mobile devices, social media and facility usage. |
|
9 |
| ISO27001-2013 |
A.12.1.1 |
ISO27001-2013_A.12.1.1 |
ISO 27001:2013 A.12.1.1 |
Operations Security |
Documented operating procedures |
Shared |
n/a |
Operating procedures shall be documented and made available to all users who need them. |
link |
31 |
| ISO27001-2013 |
A.13.2.4 |
ISO27001-2013_A.13.2.4 |
ISO 27001:2013 A.13.2.4 |
Communications Security |
Confidentiality or non-disclosure agreements |
Shared |
n/a |
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented. |
link |
14 |
| ISO27001-2013 |
A.18.1.1 |
ISO27001-2013_A.18.1.1 |
ISO 27001:2013 A.18.1.1 |
Compliance |
Identification applicable legislation and contractual requirements |
Shared |
n/a |
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
link |
30 |
| ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
| ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
| ISO27001-2013 |
A.5.1.2 |
ISO27001-2013_A.5.1.2 |
ISO 27001:2013 A.5.1.2 |
Information Security Policies |
Review of the policies for information security |
Shared |
n/a |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. |
link |
29 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
C.4.3.a |
ISO27001-2013_C.4.3.a |
ISO 27001:2013 C.4.3.a |
Context of the organization |
Determining the scope of the information security management system |
Shared |
n/a |
The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
a) the external and internal issues referred to in 4.1;
The scope shall be available as documented information. |
link |
3 |
| ISO27001-2013 |
C.4.3.b |
ISO27001-2013_C.4.3.b |
ISO 27001:2013 C.4.3.b |
Context of the organization |
Determining the scope of the information security management system |
Shared |
n/a |
The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
b) the requirements referred to in 4.2.
The scope shall be available as documented information. |
link |
3 |
| ISO27001-2013 |
C.5.1.b |
ISO27001-2013_C.5.1.b |
ISO 27001:2013 C.5.1.b |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
b) ensuring the integration of the information security management system requirements into the
organization’s processes. |
link |
28 |
| ISO27001-2013 |
C.5.2.c |
ISO27001-2013_C.5.2.c |
ISO 27001:2013 C.5.2.c |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
c) includes a commitment to satisfy applicable requirements related to information security. |
link |
23 |
| ISO27001-2013 |
C.5.2.d |
ISO27001-2013_C.5.2.d |
ISO 27001:2013 C.5.2.d |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
d) includes a commitment to continual improvement of the information security management system. |
link |
23 |
| ISO27001-2013 |
C.6.2.e |
ISO27001-2013_C.6.2.e |
ISO 27001:2013 C.6.2.e |
Planning |
Information security objectives and planning to achieve them |
Shared |
n/a |
The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
e) be updated as appropriate.
The organization shall retain documented information on the information security objectives. |
link |
2 |
| ISO27001-2013 |
C.9.2.e |
ISO27001-2013_C.9.2.e |
ISO 27001:2013 C.9.2.e |
Performance Evaluation |
Internal audit |
Shared |
n/a |
The organization shall conduct internal audits at planned intervals to provide information on whether
the information security management system:
e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process. |
link |
5 |
|
mp.info.1 Personal data |
mp.info.1 Personal data |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.per.2 Duties and obligations |
mp.per.2 Duties and obligations |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-171_R2_3 |
.12.4 |
NIST_SP_800-171_R2_3.12.4 |
NIST SP 800-171 R2 3.12.4 |
Security Assessment |
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [SP 800-18] provides guidance on developing security plans. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for system security plans. |
link |
8 |
| NIST_SP_800-53_R4 |
AT-1 |
NIST_SP_800-53_R4_AT-1 |
NIST SP 800-53 Rev. 4 AT-1 |
Awareness And Training |
Security Awareness And Training Policy Andprocedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-16, 800-50, 800-100. |
link |
2 |
| NIST_SP_800-53_R4 |
AU-1 |
NIST_SP_800-53_R4_AU-1 |
NIST SP 800-53 Rev. 4 AU-1 |
Audit And Accountability |
Audit And Accountability Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| NIST_SP_800-53_R4 |
PL-4 |
NIST_SP_800-53_R4_PL-4 |
NIST SP 800-53 Rev. 4 PL-4 |
Planning |
Rules Of Behavior |
Shared |
n/a |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and
resign when the rules of behavior are revised/updated.
Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.
References: NIST Special Publication 800-18. |
link |
9 |
| NIST_SP_800-53_R5 |
AT-1 |
NIST_SP_800-53_R5_AT-1 |
NIST SP 800-53 Rev. 5 AT-1 |
Awareness and Training |
Policy and Procedures |
Shared |
n/a |
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] awareness and training policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
c. Review and update the current awareness and training:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
link |
2 |
| NIST_SP_800-53_R5 |
AU-1 |
NIST_SP_800-53_R5_AU-1 |
NIST SP 800-53 Rev. 5 AU-1 |
Audit and Accountability |
Policy and Procedures |
Shared |
n/a |
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] audit and accountability policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
c. Review and update the current audit and accountability:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
link |
4 |
| NIST_SP_800-53_R5 |
PL-4 |
NIST_SP_800-53_R5_PL-4 |
NIST SP 800-53 Rev. 5 PL-4 |
Planning |
Rules of Behavior |
Shared |
n/a |
a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (OneOrMore): [Assignment: organization-defined frequency] ;when the rules are revised or updated] . |
link |
9 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| PCI_DSS_v4.0 |
10.1.1 |
PCI_DSS_v4.0_10.1.1 |
PCI DSS v4.0 10.1.1 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented |
Shared |
n/a |
All security policies and operational procedures that are identified in Requirement 10 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties. |
link |
4 |
| PCI_DSS_v4.0 |
12.1.2 |
PCI_DSS_v4.0_12.1.2 |
PCI DSS v4.0 12.1.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current |
Shared |
n/a |
The information security policy is:
• Reviewed at least once every 12 months.
• Updated as needed to reflect changes to business objectives or risks to the environment. |
link |
2 |
| PCI_DSS_v4.0 |
12.5.3 |
PCI_DSS_v4.0_12.5.3 |
PCI DSS v4.0 12.5.3 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
PCI DSS scope is documented and validated |
Shared |
n/a |
Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management. |
link |
2 |