compliance controls are associated with this Policy definition 'Implement security engineering principles of information systems' (df2e9507-169b-4114-3a52-877561ee3198)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
PL-2 |
FedRAMP_High_R4_PL-2 |
FedRAMP High PL-2 |
Planning |
System Security Plan |
Shared |
n/a |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.
Supplemental Guidance: Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17.
References: NIST Special Publication 800-18. |
link |
6 |
| FedRAMP_High_R4 |
PL-2(3) |
FedRAMP_High_R4_PL-2(3) |
FedRAMP High PL-2 (3) |
Planning |
Plan / Coordinate With Other Organizational Entities |
Shared |
n/a |
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
Supplemental Guidance: Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4. |
link |
3 |
| FedRAMP_Moderate_R4 |
PL-2 |
FedRAMP_Moderate_R4_PL-2 |
FedRAMP Moderate PL-2 |
Planning |
System Security Plan |
Shared |
n/a |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.
Supplemental Guidance: Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17.
References: NIST Special Publication 800-18. |
link |
6 |
| FedRAMP_Moderate_R4 |
PL-2(3) |
FedRAMP_Moderate_R4_PL-2(3) |
FedRAMP Moderate PL-2 (3) |
Planning |
Plan / Coordinate With Other Organizational Entities |
Shared |
n/a |
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
Supplemental Guidance: Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4. |
link |
3 |
| hipaa |
0103.00a3Organizational.1234567-00.a |
hipaa-0103.00a3Organizational.1234567-00.a |
0103.00a3Organizational.1234567-00.a |
01 Information Protection Program |
0103.00a3Organizational.1234567-00.a 0.01 Information Security Management Program |
Shared |
n/a |
Independent audits are conducted at least annually to determine whether the information protection program is approved by executive management, communicated to stakeholders, adequately resourced, conforms to relevant legislation or regulations and other business requirements, and adjusted as needed to ensure the program continues to meet defined objectives. |
|
3 |
| hipaa |
0118.05a1Organizational.2-05.a |
hipaa-0118.05a1Organizational.2-05.a |
0118.05a1Organizational.2-05.a |
01 Information Protection Program |
0118.05a1Organizational.2-05.a 05.01 Internal Organization |
Shared |
n/a |
Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program oversight; establish and communicate the organization's priorities for organizational mission, objectives, and activities; review and update of the organization's security plan; ensure compliance with the security plan by the workforce; and evaluate and accept security risks on behalf of the organization. |
|
8 |
| hipaa |
0119.05a1Organizational.3-05.a |
hipaa-0119.05a1Organizational.3-05.a |
0119.05a1Organizational.3-05.a |
01 Information Protection Program |
0119.05a1Organizational.3-05.a 05.01 Internal Organization |
Shared |
n/a |
Security contacts are appointed by name for each major organizational area or business unit. |
|
6 |
| hipaa |
0162.04b1Organizational.2-04.b |
hipaa-0162.04b1Organizational.2-04.b |
0162.04b1Organizational.2-04.b |
01 Information Protection Program |
0162.04b1Organizational.2-04.b 04.01 Information Security Policy |
Shared |
n/a |
The organization ensures individuals may make complaints concerning the information security policies, procedures, or the organization's compliance with its policies and procedures; documents the complaints and requests for changes; and records their disposition, if applicable. |
|
4 |
| hipaa |
0641.10k2Organizational.11-10.k |
hipaa-0641.10k2Organizational.11-10.k |
0641.10k2Organizational.11-10.k |
06 Configuration Management |
0641.10k2Organizational.11-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization does not use automated updates on critical systems. |
|
13 |
| hipaa |
0863.09m2Organizational.910-09.m |
hipaa-0863.09m2Organizational.910-09.m |
0863.09m2Organizational.910-09.m |
08 Network Protection |
0863.09m2Organizational.910-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram. |
|
25 |
| hipaa |
0866.09m3Organizational.1516-09.m |
hipaa-0866.09m3Organizational.1516-09.m |
0866.09m3Organizational.1516-09.m |
08 Network Protection |
0866.09m3Organizational.1516-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization describes the groups, roles, and responsibilities for the logical management of network components, and ensures coordination of and consistency in the elements of the network infrastructure. |
|
11 |
| hipaa |
1782.10a1Organizational.4-10.a |
hipaa-1782.10a1Organizational.4-10.a |
1782.10a1Organizational.4-10.a |
17 Risk Management |
1782.10a1Organizational.4-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
Security requirements and controls reflect the business value of the information assets involved, and the potential business damage that might result from a failure or absence of security. |
|
6 |
| hipaa |
1793.10a2Organizational.91011-10.a |
hipaa-1793.10a2Organizational.91011-10.a |
1793.10a2Organizational.91011-10.a |
17 Risk Management |
1793.10a2Organizational.91011-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The requirement definition phase includes (i) consideration of system requirements for information security and the processes for implementing security, and (ii) data classification and risk to information assets are assigned and approved (signed-off) by management to ensure appropriate controls are considered and the correct project team members are involved. |
|
6 |
| hipaa |
19134.05j1Organizational.5-05.j |
hipaa-19134.05j1Organizational.5-05.j |
19134.05j1Organizational.5-05.j |
19 Data Protection & Privacy |
19134.05j1Organizational.5-05.j 05.02 External Parties |
Shared |
n/a |
The public has access to information about the organization's security and privacy activities and is able to communicate with its senior security official and senior privacy official. |
|
12 |
| ISO27001-2013 |
A.12.1.1 |
ISO27001-2013_A.12.1.1 |
ISO 27001:2013 A.12.1.1 |
Operations Security |
Documented operating procedures |
Shared |
n/a |
Operating procedures shall be documented and made available to all users who need them. |
link |
31 |
| ISO27001-2013 |
A.14.1.1 |
ISO27001-2013_A.14.1.1 |
ISO 27001:2013 A.14.1.1 |
System Acquisition, Development And Maintenance |
Information security requirements analysis and specification |
Shared |
n/a |
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. |
link |
24 |
| ISO27001-2013 |
A.18.1.1 |
ISO27001-2013_A.18.1.1 |
ISO 27001:2013 A.18.1.1 |
Compliance |
Identification applicable legislation and contractual requirements |
Shared |
n/a |
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
link |
30 |
| ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
| ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
| ISO27001-2013 |
A.5.1.2 |
ISO27001-2013_A.5.1.2 |
ISO 27001:2013 A.5.1.2 |
Information Security Policies |
Review of the policies for information security |
Shared |
n/a |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. |
link |
29 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
C.7.4.a |
ISO27001-2013_C.7.4.a |
ISO 27001:2013 C.7.4.a |
Support |
Communication |
Shared |
n/a |
The organization shall determine the need for internal and external communications relevant to the
information security management system including:
a) on what to communicate. |
link |
4 |
| ISO27001-2013 |
C.7.4.b |
ISO27001-2013_C.7.4.b |
ISO 27001:2013 C.7.4.b |
Support |
Communication |
Shared |
n/a |
The organization shall determine the need for internal and external communications relevant to the
information security management system including:
b) when to communicate. |
link |
4 |
| ISO27001-2013 |
C.7.4.c |
ISO27001-2013_C.7.4.c |
ISO 27001:2013 C.7.4.c |
Support |
Communication |
Shared |
n/a |
The organization shall determine the need for internal and external communications relevant to the
information security management system including:
c) with whom to communicate. |
link |
4 |
| ISO27001-2013 |
C.7.4.d |
ISO27001-2013_C.7.4.d |
ISO 27001:2013 C.7.4.d |
Support |
Communication |
Shared |
n/a |
The organization shall determine the need for internal and external communications relevant to the
information security management system including:
d) who shall communicate. |
link |
4 |
| ISO27001-2013 |
C.7.4.e |
ISO27001-2013_C.7.4.e |
ISO 27001:2013 C.7.4.e |
Support |
Communication |
Shared |
n/a |
The organization shall determine the need for internal and external communications relevant to the
information security management system including:
e) the processes by which communication shall be effected. |
link |
4 |
| ISO27001-2013 |
C.7.5.3.b |
ISO27001-2013_C.7.5.3.b |
ISO 27001:2013 C.7.5.3.b |
Support |
Control of documented information |
Shared |
n/a |
Documented information required by the information security management system and by this
International Standard shall be controlled to ensure:
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). |
link |
3 |
| ISO27001-2013 |
C.7.5.3.d |
ISO27001-2013_C.7.5.3.d |
ISO 27001:2013 C.7.5.3.d |
Support |
Control of documented information |
Shared |
n/a |
For the control of documented information, the organization shall address the following activities,
as applicable:
d) storage and preservation, including the preservation of legibility.
Documented information of external origin, determined by the organization to be necessary for
the planning and operation of the information security management system, shall be identified as
appropriate, and controlled.
NOTE Access implies a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information, etc. |
link |
3 |
| ISO27001-2013 |
C.7.5.3.e |
ISO27001-2013_C.7.5.3.e |
ISO 27001:2013 C.7.5.3.e |
Support |
Control of documented information |
Shared |
n/a |
For the control of documented information, the organization shall address the following activities,
as applicable:
e) control of changes (e.g. version control); and
Documented information of external origin, determined by the organization to be necessary for
the planning and operation of the information security management system, shall be identified as
appropriate, and controlled.
NOTE Access implies a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information, etc. |
link |
3 |
| ISO27001-2013 |
C.7.5.3.f |
ISO27001-2013_C.7.5.3.f |
ISO 27001:2013 C.7.5.3.f |
Support |
Control of documented information |
Shared |
n/a |
For the control of documented information, the organization shall address the following activities,
as applicable:
f) retention and disposition.
Documented information of external origin, determined by the organization to be necessary for
the planning and operation of the information security management system, shall be identified as
appropriate, and controlled.
NOTE Access implies a decision regarding the permission to view the documented information only, or the
permission and authority to view and change the documented information, etc. |
link |
7 |
|
mp.info.1 Personal data |
mp.info.1 Personal data |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-171_R2_3 |
.12.4 |
NIST_SP_800-171_R2_3.12.4 |
NIST SP 800-171 R2 3.12.4 |
Security Assessment |
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [SP 800-18] provides guidance on developing security plans. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for system security plans. |
link |
8 |
| NIST_SP_800-53_R4 |
PL-2 |
NIST_SP_800-53_R4_PL-2 |
NIST SP 800-53 Rev. 4 PL-2 |
Planning |
System Security Plan |
Shared |
n/a |
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.
Supplemental Guidance: Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17.
References: NIST Special Publication 800-18. |
link |
6 |
| NIST_SP_800-53_R4 |
PL-2(3) |
NIST_SP_800-53_R4_PL-2(3) |
NIST SP 800-53 Rev. 4 PL-2 (3) |
Planning |
Plan / Coordinate With Other Organizational Entities |
Shared |
n/a |
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
Supplemental Guidance: Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4. |
link |
3 |
| NIST_SP_800-53_R5 |
PL-2 |
NIST_SP_800-53_R5_PL-2 |
NIST SP 800-53 Rev. 5 PL-2 |
Planning |
System Security and Privacy Plans |
Shared |
n/a |
a. Develop security and privacy plans for the system that:
1. Are consistent with the organization???s enterprise architecture;
2. Explicitly define the constituent system components;
3. Describe the operational context of the system in terms of mission and business processes;
4. Identify the individuals that fulfill system roles and responsibilities;
5. Identify the information types processed, stored, and transmitted by the system;
6. Provide the security categorization of the system, including supporting rationale;
7. Describe any specific threats to the system that are of concern to the organization;
8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
10. Provide an overview of the security and privacy requirements for the system;
11. Identify any relevant control baselines or overlays, if applicable;
12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
13. Include risk determinations for security and privacy architecture and design decisions;
14. Include security- and privacy-related activities affecting the system that require planning and coordination with [Assignment: organization-defined individuals or groups]; and
15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-defined personnel or roles];
c. Review the plans [Assignment: organization-defined frequency];
d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification. |
link |
6 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| SOC_2 |
CC1.2 |
SOC_2_CC1.2 |
SOC 2 Type 2 CC1.2 |
Control Environment |
COSO Principle 2 |
Shared |
The customer is responsible for implementing this recommendation. |
• Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
• Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
• Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. |
|
5 |
| SOC_2 |
CC1.3 |
SOC_2_CC1.3 |
SOC 2 Type 2 CC1.3 |
Control Environment |
COSO Principle 3 |
Shared |
The customer is responsible for implementing this recommendation. |
Considers All Structures of the Entity — Management and the board of directors
consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement
of objectives.
• Establishes Reporting Lines — Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities
and flow of information to manage the activities of the entity.
• Defines, Assigns, and Limits Authorities and Responsibilities — Management and
the board of directors delegate authority, define responsibilities, and use appropriate
processes and technology to assign responsibility and segregate duties as necessary
at the various levels of the organization
• Addresses Specific Requirements When Defining Authorities and Responsibilities —
Management and the board of directors consider requirements relevant to security,
availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities.
• Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities |
|
5 |
| SOC_2 |
CC2.3 |
SOC_2_CC2.3 |
SOC 2 Type 2 CC2.3 |
Communication and Information |
COSO Principle 15 |
Shared |
The customer is responsible for implementing this recommendation. |
Communicates to External Parties — Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners,
owners, regulators, customers, financial analysts, and other external parties.
• Enables Inbound Communications — Open communication channels allow input
from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information.
• Communicates With the Board of Directors — Relevant information resulting from
assessments conducted by external parties is communicated to the board of directors.
• Provides Separate Communication Lines — Separate communication channels,
such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to
enable anonymous or confidential communication when normal channels are inoperative or ineffective.
• Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of the communication and legal, regulatory,
and fiduciary requirements and expectations.
Additional point of focus that applies only to an engagement using the trust services criteria for
confidentiality:
• Communicates Objectives Related to Confidentiality and Changes to Objectives —
The entity communicates, to external users, vendors, business partners, and others
whose products and services are part of the system, objectives and changes to objectives related to confidentiality.Page 20
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
Additional point of focus that applies only to an engagement using the trust services criteria for
privacy:
• Communicates Objectives Related to Privacy and Changes to Objectives — The entity communicates, to external users, vendors, business partners, and others whose
products and services are part of the system, objectives related to privacy and
changes to those objectives.
Additional points of focus that apply only when an engagement using the trust services criteria
is performed at the system level:
• Communicates Information About System Operation and Boundaries — The entity prepares and communicates information about the design and operation of
the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation.
• Communicates System Objectives — The entity communicates its system objectives to appropriate external users.
• Communicates System Responsibilities — External users with responsibility for
designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities.
• Communicates Information on Reporting System Failures, Incidents, Concerns,
and Other Matters — External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate
personnel. |
|
14 |
| SWIFT_CSCF_v2022 |
1.2 |
SWIFT_CSCF_v2022_1.2 |
SWIFT CSCF v2022 1.2 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Restrict and control the allocation and usage of administrator-level operating system accounts. |
Shared |
n/a |
Access to administrator-level operating system accounts is restricted to the maximum extent possible. Usage is controlled, monitored, and only permitted for relevant activities such as software installation and configuration, maintenance, and emergency activities. At all other times, an account with the least privilege access is used. |
link |
22 |