STANDARD TEMPLATE OPTIONS



Table of Contents[control+click for link] TOC \o "1-3" \h \z \u STANDARD TEMPLATE OPTIONS PAGEREF _Toc53350360 \h 2Overview and Purpose PAGEREF _Toc53350361 \h 2Scope PAGEREF _Toc53350362 \h 2Roles and Responsibilities PAGEREF _Toc53350363 \h 2Compliance PAGEREF _Toc53350364 \h 2Exceptions PAGEREF _Toc53350365 \h 2Acceptable Use of Technology PAGEREF _Toc53350366 \h 3Access Management PAGEREF _Toc53350367 \h 6Asset Management PAGEREF _Toc53350368 \h 8Audit and Compliance PAGEREF _Toc53350369 \h 10Backup PAGEREF _Toc53350370 \h 12Business Continuity Plan PAGEREF _Toc53350371 \h 15Change Management PAGEREF _Toc53350372 \h 18Data Classification PAGEREF _Toc53350373 \h 20Encryption PAGEREF _Toc53350374 \h 23Incident Response PAGEREF _Toc53350375 \h 25Information Security PAGEREF _Toc53350376 \h 29Logging PAGEREF _Toc53350377 \h 46Network Security PAGEREF _Toc53350378 \h 50Physical Security PAGEREF _Toc53350379 \h 55Removable Media PAGEREF _Toc53350380 \h 57SDLC PAGEREF _Toc53350381 \h 61Vendor Risk Management PAGEREF _Toc53350382 \h 64Vulnerability Management PAGEREF _Toc53350383 \h 65Wireless Policy PAGEREF _Toc53350384 \h 81STANDARD TEMPLATE OPTIONSOverview and PurposePeople-Process-Purpose ScopeThis policy shall be followed for [all or certain] systems in-scope.Roles and ResponsibilitiesPolicy Author - the person/team responsible for maintaining updates of this policyPolicy Approver - the person who will approve the policy annually and the exception requests related to any deviation for this policyAll Employee - must follow this policy or file an exception request when situation need to deviate from the policy. Must acknowledge the policy for audit record and must take security awareness training annually.Security Officer - enable the security program for employee to adhere and implement solutions to meet the policy. 
Manage overall risks to the plianceCompliance & EnforcementOn a quarterly [or more frequent basis], <company name> will review the user access to in-scope system for continuous control monitoring and compliance checks.? This policy is a must follow for all AWS production system. If you need an exception approval for this policy, send your request to <insert your contact here>.ExceptionsEmployees must submit an exception request to the security team when any part of this policy can not be followed. An exception must be approved by the appropriate authorized management before implementation can proceed. Exception request detail and approvals must be saved as audit and risk evidence for the record retention period.Acceptable Use of TechnologyOverview and PurposeThis standard outlines the practices that your employees and contractors are required to exercise when using [Company] equipment and ACME information.?This standard also explains the circumstances under which each employee’s actions will be monitored and the actions [Company] will take in respect to breaches of this standard.ScopeThis standard applies to the use of information systems and network resources used to conduct [Company] business, or interact with [Company] internal networks and business systems, whether owned or leased.?The requirements specified herein are to be adhered to regardless of the location from which personnel are using technologies or accessing ACME information, including primary and secondary office sites (e.g. Business Continuity locations), home offices or third party sites.Roles and ResponsibilitiesPolicy Author - the person/team responsible for maintaining updates of this policyPolicy Approver - the person who will approve the policy annually and the exception requests related to any deviation for this policyAll Employee - must follow this policy or file an exception request when situation need to deviate from the policy. 
Must acknowledge the policy for audit record and must take security awareness training annually.Security Officer - enable the security program for employee to adhere and implement solutions to meet the policy. Manage overall risks to the policy.Policy Statements4.1 User Responsibilities1. All personnel are expected to read, and fully understand, the requirements detailed in this standard.2. Personnel must not maliciously and wilfully manipulate, misuse or omit information.?3. Personnel must pay the highest regard to the confidentiality of??information that is classified as Confidential or Restricted4.?Special Handling - definition and terms of special handling4.2 Intellectual Property1. All Computer systems, facilities and information remain the property of ACME.?2.?This applies during and after employment.3. List of all facilities that apply?4.3 Personal Use1. Describe reasonable use applications. What is/not authorized in terms of use, equipment.?2. Rights of the company to delete non-business related information during or upon termination of employment3. Return of information to personnel4. Interference with security systems (is prohibited)5. Personal gain not permitted4.4 Use of Company Technology1. Login protocols2. Logging of system activity3. Personnel responsibility (employees are responsible for work they product on the systems using company technology)4. Approval of installation of software or hardware on company technology5. Tampering or disabling software or hardware6. Connecting personal equipment to company technology or installing software or hardware7. Personnel must not execute any form of network monitoring which could intercept Confidential or Restricted - Special Handling information. Such activity is strictly prohibited, unless as part of the individuals normal job function.8. Access to customers IT systems (e.g. for support purposes), must only be conducted with approval by relevant senior management.?4.5 Use of Company Information1. 
All information is treated as confidential unless otherwise specified4.6 Removable Media1. Special handling guidelines for use of removable media and copying internal information2. Encryption of removable media??4.7 Access to Information1. Personnel must only access ACME information which is necessary to perform their job function.?2. Limit the distribution to those users who have an explicit business need to access such information.3. Access rights are commensurate with the user’s job function.4. Access to all ACME information and systems is revoked immediately when employment of an individual within their remit ceases or changes.5. Assets are returned no longer required?6. User access requested are completed in a timely manner?4.8 Passwords1. See Access Control policy?4.9 Email and Instant Messaging1. Email and Instant Messaging use is provided for business use. Personnel are responsible for the content.?2. Email sent by personnel to external parties must contain a disclaimer.3. Where permitted by law, messages will be monitored for regulatory and legal purposes and to ensure compliance with the requirements specified in this standard.4. Personnel must exercise caution when opening unsolicited emails and messages and associated attachments.?4.10 Internet Use1. Use of the Internet should be for business purposes only.??2. Where permitted by law, Internet use may be monitored for regulatory and legal purposes, as well as compliance with this standard and to ensure the security and continued availability of ACME systems.4.11 Clear Desk, Data Confidentiality and Privacy1. Personnel must ensure all company Confidential and Restricted information2. Personnel must ensure that they destroy or remove any Confidential or Restricted - Special Handling information from flipcharts and whiteboards once meetings have concluded.3. Personnel must securely dispose of information classified as Internal, Confidential or Restricted?4. 
Personnel must ensure that ACME information classified as Internal or above, that is displayed on computer screens or contained in printed documents, are positioned, when practical, to prevent unauthorized people from easily viewing the information.5. Personnel must exercise caution when sharing/displaying computer screens via web meetings or desktop sharing technologies with external parties6. Personnel must ensure that workstation screens are locked when left unattended7. Personnel must ensure that printed output is collected immediately after printing has completed.?8. Personnel must exercise caution when discussing confidential business in public areas9. Personnel must exercise extreme caution if approached (verbally, by telephone, email or by any other media) by unsolicited persons and must not disclose any information??4.12 Access Badges1. Personnel must use their own access badge each time they enter badge access controlled environments.2.?To the extent permitted by local laws and regulations, personnel must display their access badge at all times whilst on premises, ensuring it is clearly visible at all times.?3. Personnel are responsible for securing their ID badge from loss or theft.?4. Line managers must notify HR and ACME Physical Security whenever contingent workers’ relationships with ACME have changed or ended.???5. Personnel??must report unknown persons, or persons without an ID, observed in a facility maintained or contracted by ACME.?4.13 Security Incidents1. Personnel must contact the ACME Service Desk or Global Security Services immediately, if they suspect that a security breach/incident has occurred or may imminently occur. Examples of such incidents include, but are not limited to: [...]2. Personnel must co-operate fully, and to the best of their ability, if requested to assist in the investigation of a security incident.3. 
Personnel must not discuss details of actual or suspected security incidents.Access ManagementOverview and PurposeThe purpose of this policy is to provide detail standard for the company's user access onboarding, maintenance, and termination.?ScopeThis policy shall be followed for [all or certain] systems in-scope.Roles and ResponsibilitiesPolicy Author - the person/team responsible for maintaining updates of this policyPolicy Approver - the person who will approve the policy annually and the exception requests related to any deviation for this policyAll Employee - must follow this policy or file an exception request when situation need to deviate from the policy. Must acknowledge the policy for audit record and must take security awareness training annually.Security Officer - enable the security program for employee to adhere and implement solutions to meet the policy. Manage overall risks to the policy.Policy StatementsGranting User Access?User onboarding - In order for user to have access to in-scope system, the user must be an employee on the HR Payroll record or is a contractor that have been onboarded appropriately with required personnel security requirements.User access approval - All user must have approval to obtain access to in-scope systems. Track the approval email or ticket for audit evidence. To request for access, do the following steps:<insert your steps to request user access and obtain approval>?Unique Identification - system administrator must assign the user a unique identification and credentials for certain authorized access rights.?Credentials - access should have credential assigned that is not "all access" unless it is a root user.Examples of user or system access - Below are sample policy for granting access according to our policy:IAM Role - for system-to-system access within AWS Account, use IAM role to access system resources within AWS account. 
Create a unique role for each use so every IAM role is uniquely documented in the Name and Tag. In the Tag, make sure you document the labels for the Contact and Description for how the role is used. The purpose of the tags is to help identify who to contact for changes for your user access review (UAR) compliance checks.IAM User - when you need access for a user or a system in different AWS Accounts, you will need to create IAM users. The username should be unique and should include tags for audit details to note the Owner Contact (if this is a system user or when the username is not clear who the user is [example: ninjawarrior]).Every username or role created must have a unique identification field that uniquely identify the user. If your username cannot easily identify the user according to his HR Payroll records, please add the data as a Tag detail. This will be harder to audit but it works as long as all access can be reconciled against HR Payroll records.?Set IAM Global Policy for Password ?- Every IAM user should have global policies applied for password strength. Setup a global policy to have minimum strong password setting as outline below:have a minimum of 8 characters and a maximum of 128 charactersinclude a minimum of three of the following mix of character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * () <> []?{} | _+-= symbolsnot be identical to your AWS account name or email address. Note: Customer should change this requirement according to their compliance scope. See your CyberOne Platform > Control Activity > Guidance for details.?Require Two-Factor Authentication - User must have multi-factor authentication enabled. If you use a Single Sign On (SSO) application with 2FA and use that for your AWS login, that is ok as well.Require Key rotation for Access Keys - if user do not need an access key, reduce your maintenance and don't create one. 
If you need an access key to command line into the service, the key must be rotated every 90 days at a minimum. You can do this manually or create a lambda script to rotate keys. Here's the best practice for rotating access keys ()User Provisioning?- User administration to change password and setup 2FA. Create an IAM policy and assign the policy for each user so they can access their security credential tab in IAM to setup manage their own password and 2FA. See detail: Access Termination - when user is terminated from the company, their user access shall be terminated immediately and no later than <X> hours from the HR termination date/time. Access termination for the user shall be verified by the system administrator who sign-off on the termination checklist form for the employee and contractor's employment record.Logging &?Monitoring?- add the above rules from #2-4 in AWS Config as a rule to monitor so it will flag password policy, access key aging, and 2FA issues.Threat Alerts - send all your AWS Config alerts to an alerting system like Cloudwatch. Setup Cloudwatch to notify devops team when rules are violated for security for mitigation.Asset ManagementOverview and PurposeThe purpose of this policy is to provide detail standard for the company's asset management, as its commitment to securing confidential and sensitive data under its control by identifying and managing the equipment on which the data resides. ?ScopeThis policy shall be followed for [all or certain] systems in-scope.Roles & ResponsibilityPolicy Author - the person/team responsible for maintaining updates of this policyPolicy Approver - the person who will approve the policy annually and the exception requests related to any deviation for this policyAll Employee - must follow this policy or file an exception request when situation need to deviate from the policy. 
Must acknowledge the policy for audit record and must take security awareness training annually.Security Officer - enable the security program for employee to adhere and implement solutions to meet the policy. Manage overall risks to the policy.Policy Statements1. Asset Management Policy -?Assets shall be inventoried, properly handled for during the acquisition, labeling, transferring, disposing and logging of logical and physical IT assets. 2. Asset Acquisition Approval - All asset acquisitions shall be approved by IT management and follow the acquisition procedure3. Ownership of Assets - Asset owners are identified and maintained in the asset inventory and owner is responsible for the entire asset management lifecycle?4. Inventory of Assets - Identify all logical and physical assets and maintain a current inventory across the organization?5. Inventory Validation - Inventory shall be reviewed and verified as correct annually for status, ownership and location6. Inventory of Sensitive Information - Sensitive information shall be included in the inventory7. Handling of Assets - All employees and third parties shall be made aware of information security requirements associated with company assets and a process documented for how assets are mapped, stored, handled, processed.8. Authorized users - A formal record of authorized recipients and information classification shall be maintained for the handling of assets9. Unauthorized assets - Management shall have a process to discover vulnerabilities in assets, including unauthorized software.10. Acceptable Use of Assets - See Acceptable Use policy11. External Information Systems are categorized - All systems outside of the accreditation boundary are catalogued and subject to the same policies as purchased software12. Labeling of Assets - All assets shall be appropriately labeled in accordance with classification type.13. 
Return of Assets - All assets must be returned upon termination of employment, contracts or agreements.14. Physical Media Transfer - Media containing information shall be protected against unauthorized access, misuse, or corruption during transportation15. Removable Media - Procedures for managing removable media shall be documented to limit the opportunity for data loss16. Information Asset Retention - Define the time period for for retaining information in accordance with the law17. Disposal of Assets - Appropriate disposal procedures shall be documented and disposal of assets shall be logged for audit purposesAudit and ComplianceOverview and PurposeThe purpose of ?this policy is to establish an auditing and monitoring program to ensure compliance with all Federal and State regulations, and other regulations as may be required.?ScopeThis policy shall be followed for [all or certain] systems in-scope.Roles & ResponsibilityPolicy Author - the person/team responsible for maintaining updates of this policyPolicy Approver - the person who will approve the policy annually and the exception requests related to any deviation for this policyAll Employee - must follow this policy or file an exception request when situation need to deviate from the policy. Must acknowledge the policy for audit record and must take security awareness training annually.Security Officer - enable the security program for employee to adhere and implement solutions to meet the policy. Manage overall risks to the policy.Policy Statements1. Audit and Accountability Policy and Procedures -??implement a policy to facilitate the implementation of audit and compliance accountability controls. The policy and procedures shall be reviewed and updated annually as appropriate and conduct audits to ensure compliance with federal, state, and other regulatory bodies via an independent internal department or third party, of every aspect of its information security program.2. 
Compliance with Legal and Contractual Requirements - identify, track and document all adhered by legislative, statutory, regulatory and contractual requirements for security and privacy. The company procedures for meeting these requirements shall be documented, updated and maintained for each information system and the organization as a whole.?3. Independent Testing of Information Security Systems and Programs - document and??implement procedures for independent testing, at planned intervals or when significant changes occur, of its information Security Program and Systems to evaluate the effectiveness of the security process.??4. Technical Compliance Review - document procedures for management to ensure that information processing and procedures within their area of responsibility remain operated in accordance with organizational policies and procedures5. Privacy and Protection of Personal Identifiable Information - ensure the protection of the following from loss, destruction, falsification, unauthorized access and unauthorized release, in adherence with relevant legislation and contractual obligations. Cryptographic tools to protect data shall be used in compliance with relevant agreements legislation and regulations.●?? ?Personal Identifiable Information●?? ?Intellectual Property Rights●?? ?Financial records●?? ?Classified records6. Independent Testing of Personnel -?document policy and procedures for engaging an independent organization to conduct independent testing, and/or ensuring the independence of testing personnel, where independent testers are not responsible for the design, installation, maintenance, and operation of the tested system, or the policies and procedures that guide its operation. The reports generated from the tests should be prepared by individuals who similarly are independent.?7. 
Appointment of a Chief Privacy Officer - appoint a Chief Privacy Officer accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems.8. Assurance Reporting -?document and implement procedures for the timely, relevant, transparent reporting of self-assessments, penetration tests, vulnerability assessments and audits to individuals with authority and responsibility to act on the reports and to those accountable for the outcomes, as well as those responsible for advising or influencing risk decisions.?BackupOverview and PurposeBackup Policy requires all computer systems and applications maintained by CyberOne to be backed up periodically. Backup frequency must be adequate for day-to-day production activities and to facilitate recovery of processes and applications that require a recovery capability in the event of an incident (hardware or software failure or physical disaster).ScopeThis policy shall be followed for [all or certain] systems in-scope.Roles & ResponsibilityPolicy Author - the person/team responsible for maintaining updates of this policyPolicy Approver - the person who will approve the policy annually and the exception requests related to any deviation for this policyAll Employee - must follow this policy or file an exception request when situation need to deviate from the policy. Must acknowledge the policy for audit record and must take security awareness training annually.Security Officer - enable the security program for employee to adhere and implement solutions to meet the policy. 
Manage overall risks to the policy.Policy StatementsBackup PolicyCyberOne shall document and implement procedures for regular backups of documents, information and systems consistent with the frequency outlined in CYBERONE Backup Timing Standard (see section 5.2 in this document) and implement testing procedures to ensure successful restoration and protection against loss of data.References: NIST SP 800-53 Rev 4 CP-09, ISO 27002:2013 12.3.1, AUP v2 G.19, ISO 27001:2013 (12.3), ISO 27002:2013 12.3Backup DestinationCYBERONE shall ensure that all backups have at least non-continuously addressable destination to mitigate the risk of attacks which seek to encrypt or damage date on all addressable data shares.References: CIS v7.0 C10 (10.5), CIS CSC 10.04Backup Storage StandardsThe Company shall identify the means by which information is appropriately protected, stored, classified and inventoried. Inventories should be updated so that stored information in any form is immediately retrievable.?References: FFIEC ITH INFOSEC 9/2016 II (C.13 (a))Backup Timing StandardCYBERONE shall ensure that each system is automatically and continuously backed up to ensure a working process and, in the event of malware infection, restoration of data and systems can be performed using a version that predates the original infection.References: CIS CSC 10.1, CIS CSC 10.2, ISO 27001:2013 (12.3.1)Backup RecoveryCyberOne shall develop, maintain and annually review a formal backup recovery plan for all critical business lines.References: FFIEC CAT 06/2015 D5.IR.Pl.B.5, AUP v2 K.5, AUP v2 K.7, NIST SP 800-53 Rev 4 CP-09 (02) CE, NIST SP 800-53 Rev 4 CP-09 (05) CE? 
NIST SP 800-53 Rev 4 CP-09 (01) CE, NIST SP 800-53 Rev 4 CP-02 (06) CE, NIST SP 800-53 Rev 4 CP-09 (06) CE, NIST SP 800-53 Rev 4 CP-09 (03) CE, (NIST SP 800-53 Rev 4 CP-10 (06) CE)Backup Protection - Physical SecurityCyberOne shall ensure backup copies in electronic or media form are protected in accordance with the highest sensitivity level of information stored, via physical security or encryption when they are stored or moved across the network. This includes remote backups and cloud services.?Backups must be protected from loss, damage, and unauthorized access – refer to CyberOne Physical Security Policy. The fact that data may be stored electronically does not change the requirement to keep the information confidential and secure. The classification of information is the basis for determining whether the data must be kept confidential and secure regardless of the format (e.g., electronic or hardcopy). Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Refer to the CyberOne Physical Security Policy.References: CIS v7.0 C10 (10.4), FFIEC ITH INFOSEC 9/2016 II (C.13 (d)), AUP v2 G.15, AUP v2 G.14RetentionCYBERONE shall establish a policy for logging and retention of information and incident response related to backup activity. Management shall ensure that audit records are kept on a system separate from the one being audited, that the system is configured to write audit trails to hardware-enforced, write-once media and that Backups shall be retained for periods specified in the CyberOne Document Retention Policy. Activity across the network shall be recorded and sent to a central logging repository in the format of the software that recorded the activity.?CyberOne must retain digital copies of staff email. 
Email must be available digitally for review for such time as to meet the requirements of government laws, regulatory bodies, and other organizations for retention and review of messages. Archives of digital email are made at the end of every year. Hardcopy printouts of email should also be retained under the requirements outlined above.References: NIST SP 800-53 Rev 4 AU-09 (02 CE), FFIEC ITH INFOSEC 9/2016 II (C.22)Business Continuity PlanOverviewAttached is the business continuity plan for responding to a catastrophic event.?ScopeThis BCP plan covers Product Security continuity plans.RolesSee BCP document under roles & responsibilities.Policy StatementsCritical ActivitiesResearch & Development (R&D)Quality AssuranceTechnical Support (Customer Success)SecurityRisk Assessment<Company> shall evaluate the continuity risk scenarios and document them in the risk register in Cyber one. The risk shall consider natural, man-made, and cyber threats.?Business Impact Analysis<Company> Business Impact Analysis is reviewed annually. The BIA is updated according to the latest team structure and impact to the business is evaluated to prioritize criticality.?Activation Plan<Company> prioritizes people safety first. If there's an emergency that impacts the safety of people, contact 911 immediately. Under no circumstance, before, during, or after a crisis are employees allowed to make media statement on behalf of <Company>.?There are phases of a disaster and <Company> follows an activation plan that aligns with ISO 22301 standards. The incident commander (CEO) is responsible for disaster declaration. When a disaster is declared, the company will activate its Crisis Management Plans (CMP), Emergent Management Plans (EMP), Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP).?Normal OperationDuring normal operations, management shall develop internal operating procedures, train employees and also promote cross training for backup coverage. 
Management shall identify critical business functions, supply chain, and applications and develop resiliency strategies and backup plans.?Respond PlansOnce the IC delares a disaster, <Company> will respond to the disaster by mobilizing employees and contractor to safety. If the office location is shutdown, employee shall work remotely and check in with their managers for next steps. Management will provide internal and external communication as appropriate to the disaster to contain the situation. If the situation requires, the crisis management team will activate the appropriate external infrastructure provider to support it's respond plan to ensure safety of the people, facilities, and assets.?a. People Safety issue, call 911.?b. Facilities and Physical Asset Security & Safety issue, call 911 or the Non-Emergency?Police General?Line?at?<xxx-xxx-xxxx> <xxx-xxx-xxxx> or for the fire department, call?<xxx-xxx-xxxx> .c. Cybersecurity issues, contact the security manager to respond according to the pre-defined incident response plans. Preserve evidence and call insurance providers to obtain additional respond advise and claims information.Recovery PlansOnce the disaster is contained and evidence are documented, proceed to recover the damaged assets for recovery. Employees are to work remotely in a safe place if the office is not available.During recovery, the operation may be operating manually until systems, applications, and impacted assets are restored.?Below is an example of loss type and our recovery strategies:a. Loss of utility - <Company> will wait till utility is back and allow the remote workforce to distribute utility grid availabilityb. Loss of telecommunication - people will work from home on different carrier networksc. Loss of staff - people are cross-trained to work on multiple tasks until resources are replacedd. Loss of transportation - people will work from homee. 
Loss of critical supply chain - If AWS was down, <Company> marketplace will not be available. <Company> will deploy AMI manually to new customers or hold on new deployment until AWS becomes available.?f. Loss of application - N/ARestoration PlansRefer to your operating procedures to restore your systems, applications, and processes.?Resumption PlansFor people who were impacted by the disaster, determine the appropriate resumption checklist to ensure normal operation level. You may have to hire new staff or set some return to work criteria to ensure workplace safety.Team Contact InformationSee contact tab for detailsTesting/Exercise requirementsEach engineering team shall conduct a walkthrough tested semi-annually to train and improve on its business continuity plans.?Change ManagementOverview and PurposeThe purpose of this policy is to provide detail standard for the company's system change controls for tracking, approval, testing, releasing changes.ScopeThis policy shall be followed for [all or certain] systems in-scope.Roles and ResponsibilitiesPolicy Author - the person/team responsible for maintaining updates of this policyPolicy Approver - the person who will approve the policy annually and the exception requests related to any deviation for this policyAll Employee - must follow this policy or file an exception request when situation need to deviate from the policy. Must acknowledge the policy for audit record and must take security awareness training annually.Security Officer - enable the security program for employee to adhere and implement solutions to meet the policy. Manage overall risks to the policPolicy StatementsTracking Changes -?all changes to system or software code shall be tracked for the system/software development lifecycle (SDLC) process. Records should be keep for each release for audit purposes.?Approving Changes - management must document his approval for all changes to production. 
Management will manage this approval by <insert your procedure>.
Testing Changes - prior to the release of a change to production, all changes must be tested with test data. Testing techniques should include manual and automated testing methods.
Test Data - test data should not include live data containing customer confidential information.
Environments - there must be a separation of development, test, and production environments. Document the architecture diagram for your change environments and process flow.
Emergency Changes - from time to time, there will be emergency changes for bug fixes or security patches. Emergency changes should be handled according to this policy, but the release cycle may be off schedule. Make sure all changes and schedules are communicated internally and externally. The process of documenting emergency changes with approval and test notes must be tracked.
Security Scans - prior to the release, the release manager will run security vulnerability scans using Nessus and SonarQube. The security scan will include policies for PCI, CIS, and the OWASP Top 10 vulnerabilities. All critical and high issues must be fixed before the release can go into production. Medium severity issues may be fixed in a patch release within 20 days. Low severity issues will be addressed in the product roadmap.
Internal Communication for Changes - the change approver must communicate release plans and schedules internally and save the documentation for audit purposes. <Insert how you do this - email, feature tracker, Jira, etc...>
External Communication for Changes - the release schedule and details shall be communicated to customers. <Insert how you do this - website, customer portal, email, etc...>
Rollback on Changes - release changes must be easy to roll back in production in case there is an issue with the release. <Insert how you would do this...>
Audit Records - to adhere to this policy, documented records should be saved and retained for auditing.
Change ticket records should be saved for the data retention period required by the company's data retention policy. Each change ticket record should have documented approval, test notes, and release version and dates.

Data Classification

Overview and Purpose

By following the policies described in this document, CyberOne ensures the confidentiality and integrity of the data entrusted to it.

Scope

This policy shall be followed for [all or certain] systems in-scope.

Roles & Responsibility

Policy Author - the person/team responsible for maintaining updates of this policy
Policy Approver - the person who will approve the policy annually and the exception requests related to any deviation from this policy
All Employees - must follow this policy or file an exception request when a situation needs to deviate from the policy. Must acknowledge the policy for the audit record and must take security awareness training annually.
Security Officer - enables the security program for employees to adhere to and implements solutions to meet the policy. Manages overall risks to the policy.

Policy Statements

Information Security Classification Requirement

All information acquired, created, or maintained by, for, or on behalf of [company] will be assigned one of the following security classifications according to legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. Information handling requirements directly correlate to the information security classification. [company]'s information owners should review their information annually, at a minimum, to determine if re-classification is necessary.

Inventory and Classification of Assets

Inventory and classification of assets shall be managed according to [COMPANY]'s asset management policy.
Data classification shall be tracked throughout the asset life cycle, and wherever the assets are stored, transmitted, or processed.

Classification Categories

- Public
- Internal
- Confidential
- Secret or Restricted

Media Labeling or Marking

Media containing [COMPANY] Confidential or [COMPANY] Internal information will be labeled with the information security classification. When the media contains information having different security classification levels, the media shall be labeled with the highest classification level.

Non-Public Personal Information Protection

Non-Public Personal Information (NPI) is protected to prevent unauthorized disclosure. "NPI" is defined as confidential information about an individual borrower or employee (e.g., Social Security number, account number, or personal identification number) that could permit access to a customer's account or enable fraud or identity theft. NPI can also be categorized as Personally Identifiable Information (PII).

Labeling Backup Tapes during Transport

Backup media storing any confidential or restricted information should not bear marking or labeling that identifies [company] as the owner of the data.

Removal of Sensitive Data from the Network When Unused

Sensitive data or systems not regularly accessed by the organization shall be disconnected from the company's network, or the security team shall work with the business to completely virtualize and power them off until the data is needed. See also [company] Backup Policy.

Encrypting Sensitive Information

[COMPANY] shall perform regular assessments of data to identify sensitive information that requires encryption and integrity controls to be implemented.
The assessment shall be performed manually or automatically with a discovery tool.

Utilizing a Discovery Tool to Identify Sensitive Data

Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in clear text. Utilize a discovery tool to detect sensitive data.

Information Custodians

Custodians are assigned responsibility for:

- Maintaining appropriate security measures, i.e., Confidentiality, Integrity, and Availability (CIA).
- Collecting asset or data classification.
- Managing user access to data according to the agreed-upon data classification.

Information Owners

Information Owners are responsible and accountable for the following:

- Assigning the appropriate data classification to information under their jurisdiction;
- Determining to whom and under what conditions access is granted;
- Making sure that access to the information is based on the "need-to-know" principle;
- Making sure that all legal requirements for access, disclosure, and retention of information are satisfied;
- Making sure that whenever any data is transferred to another entity, the entity is informed of the proper handling, storage, dissemination, and disposal of the data;
- Reviewing annually the centralized data-classification repository for correctness;
- Reviewing, for appropriateness, the actions of those granted access to information of which they are the owner;
- Acting on security violations against their information assets; and
- Notifying Information Security (security@) and the Legal department if non-public information is, or is suspected of being, lost or disclosed to unauthorized parties.

Data Classification and Access Levels

This section covers the varying types of data classification along with examples, impact if divulged, restrictions, labeling and storage methods, and the proper method of disposal.

[INSERT TABLE]

Encryption

Overview and Purpose

This Encryption Policy sets the direction, gives specific guidance, and defines requirements for encryption-related processes and actions across company environments.

Scope

This policy shall be followed for [all or certain] systems in-scope.

Roles & Responsibility

Policy Author - the person/team responsible for maintaining updates of this policy
Policy Approver - the person who will approve the policy annually and the exception requests related to any deviation from this policy
All Employees - must follow this policy or file an exception request when a situation needs to deviate from the policy. Must acknowledge the policy for the audit record and must take security awareness training annually.
Security Officer - enables the security program for employees to adhere to and implements solutions to meet the policy. Manages overall risks to the policy.

Policy Statements

1. Encryption Policy Requirements - establish policy and procedures, in compliance with all legislation and agreements, to use encryption, commensurate with the level of sensitivity of the protectable information, as a method to protect logical and physical assets while at rest and in transit over external networks.
2. Authentication Methods - implement authentication mechanisms that apply a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
3. Transmission, Movement, Removal - establish policy and procedures for the encryption of information during transit, movement, or removal.
4. Encryption of Logical and Physical Assets - implement policy and procedures to encrypt logical and physical assets that contain non-public data according to the data classification policy [list all assets and encryption procedures]:
   - Website
   - Electronic messaging
   - Workstations and laptops
   - Mobile devices
   - Removable media
   - Wireless networks
   - Network devices
   - Data at rest
   - Data in transit
5. Protect from Unauthorized Access - implement cryptographic mechanisms and configure the information system to detect unauthorized changes to software, firmware, and information.
6. Decryption Protocol - implement measures to decrypt all traffic at the boundary proxy prior to analyzing content.
7. Monitor and Detect - implement methods to detect any unauthorized use of encryption and implement controls to prevent unauthorized access to cryptographic keys.
8. Key Generation and Protection - establish and implement policy and procedures on the use, protection, and lifetime of cryptographic keys, and issue public certificates or obtain public key certificates from an approved service provider, covering:
   - Key generation
   - Key distribution
   - Key revocation
   - Key deletion
   - Key storage
   - Key updates
   - Key recovery
   - Key archiving
   - Auto renewal of keys

Incident Response

Overview and Purpose

This document describes how security events are to be handled in order to protect the confidentiality, integrity, and availability of all files, systems, and related resources. It covers threat analysis and prevention, monitoring, recovery planning, communication, training, testing, and post-incident evaluation to support a timely recovery and limit the impact of a security event. The purpose of this policy is to support timely reporting, incident handling, recovery, and investigation of a security event.
This policy covers:

- Incident response procedures
- Reporting and monitoring threats & events
- Training incident responders
- Metrics for threat events
- Alerting & notification criteria
- Communication for incidents
- Post-incident evidence collection for investigation

Scope

The scope of this policy includes information technology incidents related to system security events, incidents, and cyber threat alerts.

Roles & Responsibility

Policy Author - the person/team responsible for maintaining updates of this policy
Policy Approver - the person who will approve the policy annually and the exception requests related to any deviation from this policy
All Employees - must follow this policy or file an exception request when a situation needs to deviate from the policy. Must acknowledge the policy for the audit record and must take security awareness training annually.
Security Officer - enables the security program for employees to adhere to and implements solutions to meet the policy. Manages overall risks to the policy.

Policy Statements

Incident Response Policy and Procedures

Document and disseminate an Incident Response Policy and procedures plan for the prompt identification, analysis, communication, response, and recovery from a cybersecurity event or privacy incident that may impact the confidentiality, integrity, availability, and functionality of the Company's information systems or business operations.
The incident response plan shall be reviewed annually and address the following areas:

- Goals and objectives
- Procedures for addressing a cybersecurity incident
- Resources needed to manage the Incident Response Plan
- Metrics for measuring incident response capabilities
- Testing and evaluation of readiness and resiliency
- Definitions of reportable incidents
- Roles and responsibilities of the workforce and external parties
- Reporting and documentation of incidents
- Communication and information sharing
- Response and recovery processes
- Post-event related activities

Incident Response Management Resources

[company] shall document the resources and tools needed to support incident management and the additional expertise needed to support and improve incident response.

Training

[company] shall establish and implement a plan to conduct routine incident response exercises across the workforce, designed to maintain employee awareness of and comfort with responding to real-world threats.

Security Monitoring

[company] shall establish procedures for automated, real-time security monitoring of assets to detect incidents and alert incident response teams in real time. A detailed inventory of all assets to be monitored and measured shall be created, detailing methods for monitoring, measurement, and evaluation and the timeframe for conducting the analysis. Adequate support shall be provided to ensure continuous monitoring and the capacity to correlate data from multiple sources, and to detect and handle anomalous and unauthorized behavior, changes to systems, incidents, and sector-wide event information.

Threat Analysis and Prevention

[company] shall establish a process for threat analysis that provides the ability to analyze and respond to vulnerabilities reported from internal and external sources, as well as unanticipated threat scenarios, to understand attack targets and methods. In the event of an incident or intrusion, analysis shall be performed in the early stages to minimize impact on the Company.
This process shall be assigned to a specific group or person and engage a network of formal or informal trust relationships. The process shall include the use of automated tools and the analysis of:

- Geopolitical and widely reported events that could impact threat levels to the business
- High-risk behavior of employees and insider threats
- Interdependencies
- Cyber-attack scenarios used to determine potential impact to the business
- Potential conflicts in information received from analysis centers and other sources
- Incident profiles compared with constructed profiles established from baseline profiles of normal operations for systems, networks, and applications

Alerts and Notifications

Establish alert parameters for detecting information and correlate system alerts across business units to better detect multi-faceted attacks. A process shall also be established for triggering the incident response program when an incident occurs at a third party.

Metrics and Scoring Schema

Establish quantitative and qualitative risk metrics for the incident response process based on potential impact to the company.

Testing

Document comprehensive testing procedures to validate that [company] is able to recover from known incidents and cyber-attacks.
Testing shall include the following:

- Sector-specific scenarios.
- The use of incident scenarios involving significant financial loss to stress-test risk management protocols.
- Testing of information backups to verify that they are accessible and readable.
- Coordinated resiliency testing of all critical business functions.
- The capability to limit interruption to business or loss of productivity by shifting processes or functions between different processing centers or technology systems when cyber incidents occur.
- Critical online systems and processes are tested to withstand stresses for extended periods of time.
- Testing is conducted from an attacker's perspective.

Mitigation

[company] shall develop management-approved containment and mitigation strategies for multiple incident types and recovery scenarios that include plans to recover from data destruction, alternative plans to continue critical activity, and appropriate steps to prevent further unauthorized access, including the automatic disabling of the information system. Recovery should result in limited or no disruption in services.

Reporting

Establish an organization-wide standard operating procedure for documenting and reporting identified weaknesses, threats, or incidents and all related incident response activities to the incident response team or designated authority and appropriate management channels.
Internal and External Communication

Establish an internal and external communication plan with formal procedures for communicating an event to all stakeholders, including employees, the board, customers, regulators, media, law enforcement, third parties and their customers, and any other interested parties.

Post-Incident Evidence Collection

Define and apply procedures for the identification, collection, acquisition, and preservation of information which can serve as evidence, including the collection and correlation of data and the performance of forensics.

Post-Incident Evaluation

Classify, log, and track events for trend analysis and reporting, and implement a process for documenting post-incident reporting which includes a 'lessons learned' review to recommend changes to the existing incident management process and policies.

Post-Incident Asset Management

Restored assets are tested and safe before being placed back into operation, and assets that are unable to be returned to operational status are quarantined, removed, disposed of, and/or replaced. (See also [COMPANY] Asset Management Policy)

Information Security

Overview and Purpose

The purpose of this policy is to define the company's commitment to information security and to provide the basic requirements regarding the security of information created, maintained, or transmitted. This policy serves as the governing document for the information security policies.

Scope

This policy applies to information systems, technology, and data created, accessed, stored, processed, transmitted, or acquired by company locations, employees, vendors, consultants, contractors, and agents as relevant to the [company] product.
Data may be in electronic or hard copy format. This policy and all dependent standards apply to all international business locations.

Roles and Responsibilities

Policy Author - the person/team responsible for maintaining updates of this policy
Policy Approver - the person who will approve the policy annually and the exception requests related to any deviation from this policy
All Employees - must follow this policy or file an exception request when a situation needs to deviate from the policy. Must acknowledge the policy for the audit record and must take security awareness training annually.
Security Officer - enables the security program for employees to adhere to and implements solutions to meet the policy. Manages overall risks to the policy.

Information Security Policies

[company] shall have a set of policies for information security defined, approved by management, published, and communicated to employees and relevant external parties. The policies shall meet the requirements stated in this section. ISO 27002:2013 (5.1)

Review of Policies

Policies should be reviewed regularly to reflect planned or interval changes to corporate objectives and regulatory requirements. Policies shall be suitable for [company]'s business, adequate, and effective. ISO 27002:2013 (5.1)

Organization of Information Security

Roles and Responsibility

Security responsibilities shall be defined and allocated. ISO 27002:2013 (6.1)

Segregation of Duties

Roles shall not conflict, to avoid unauthorized or unintentional modification or misuse of the organization's assets. ISO 27002:2013 (6.1)

Contact with Authority

[company] shall maintain a contact list of internal and external authorities.
ISO 27002:2013 (6.1)

Contact with Special Interest Groups

[company] shall maintain contacts with special interest groups or specialized security forums and professional associations. ISO 27002:2013 (6.1)

Project Management

[company] shall address security risk and mitigation regardless of the type of project engagement. ISO 27002:2013 (6.1)

Mobile Devices

[company] shall support mobile devices with the latest security measures to mitigate risks introduced by using mobile devices. ISO 27002:2013 (6.2)

Teleworking

[company] shall implement protection for information access and assets when working remotely. ISO 27002:2013 (6.2)

Information Security Responsibilities

To ensure proper segregation of duties and appropriate assignment of responsibility, [company] must associate all tasks that affect information security with the proper level of management. Specific tasks or responsibilities include, but are not limited to, the following (highest to lowest):

- Approve or delegate approval of IS divisional and entity-affecting policies.
- Support information security based on best practices and staff recommendations.
- Establish and maintain information security policies, standards, and guidelines, based on the requirements established by the designated [company] authorities.
- Approve exceptions to divisional and entity-affecting policies, including mitigation plans.
- Approve or delegate approval and maintenance of information security processes, standards, and guidelines and verify consistency with approved information security policies.
- Establish and maintain an information security program.
- Establish and maintain functional-area-specific security policies compliant with information security policies.
- Establish and maintain functional-area-specific security processes, procedures, and standards, and verify their consistency with approved information security policies.
- Execute and communicate information security policies, and policies unique to functional areas, to relevant employees, contractors, and vendors.
- Maintain familiarity with information security policies, and appropriate standards, guidelines, and procedures.
- Maintain accountability to information security policies, and appropriate standards, guidelines, and procedures.
- Protect the resources related to job functions (e.g., passwords, and access to physical and electronic forms of data).
- Assess and manage risk either as part of a corporate (ideally) or a departmental effort.

[company] must maintain a set of policies and standards that establish, in detail, information security requirements. All information security policies and standards must be reviewed annually by Information Security and Compliance. The following standards define [company]'s core information security requirements, although additional standards may apply:

- Personnel Security
- Asset Management
- Access Control Management
- Encryption
- Physical and Environmental Security
- Operations Security
- Communication Security (e.g. Network Security)
- System Acquisition, Development, and Maintenance (e.g. Systems Security)
- Supplier Relationships (e.g. Third Party Vendors)
- Incident Management
- Business Continuity Management
- Compliance

In addition to the information security policies and standards, other state, federal, international, or industry regulations may apply to specific types of data, the systems that process the data, and the people who have access to the data or systems.
It is [company]'s policy to comply with these regulations.

[company] must use a single, identified process for granting exceptions to specific policy or standard requirements.

- Requests must be submitted via the Policy Exception Procedure.
- Requests must be granted only upon review by Information Security, IS Compliance, and the director of Information Security and IS Compliance.
- Upon approval, exceptions are valid for the remainder of the calendar year.
- Every November, IS Compliance must notify the owners of each exception that the exception is about to expire. Requests to renew the exception may be made at this time.

ISO 27002:2013 (5.1)

Standards

Examples of critical security controls are available from "The CIS Critical Security Controls for Effective Cyber Defense" (current version v7.0). ISO 27002:2013 (5.1)

Personnel Security

Screening

Background verification checks on all candidates for employment shall be administered and maintained, and an audit trail must be kept on file for seven years. ISO 27002:2013 (7.1)

Terms and Conditions for Employment

The contractual agreement with an employee or contractor shall state the person's responsibilities for information security. ISO 27002:2013 (7.1)

Management Responsibility

Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. The entity has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system, enabling it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof]. The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof]. ISO 27002:2013 (7.1)

Security Awareness and Training

All employees and contractors shall receive appropriate information security awareness training and education relevant to their job function. ISO 27002:2013 (7.2)

Disciplinary Process

Management shall formally communicate disciplinary action taken against employees who have committed an information security breach. ISO 27002:2013 (7.2)

Termination or Change of Employment Responsibilities

Management shall enforce security responsibilities and duties according to the organization's defined termination requirements. ISO 27002:2013 (7.3)

Asset Management

Inventory of Assets

Internal and external system users are identified and authenticated when accessing the system components (for example, infrastructure, software, and data). Logical access security software, infrastructure, and architectures have been implemented to support (1) identification and authentication of authorized users; (2) restriction of authorized user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and (3) prevention and detection of unauthorized access. New internal and external system users are registered and authorized prior to being issued system credentials and granted the ability to access the system. User system credentials are removed when user access is no longer authorized. ISO 27002:2013 (8.1)

Ownership of Assets

Inventoried assets shall have an asset owner defined. ISO 27002:2013 (8.1)

Acceptable Use of Assets

Rules for acceptable use of logical or physical assets shall be defined, documented, and implemented.
Refer to [company] Acceptable Use Policy. ISO 27002:2013 (8.1)

Return of Assets

All employees and contractors shall return all organizational assets in their possession upon termination of their employment, contract, or agreement. ISO 27002:2013 (8.1)

Classification of Information

Information shall be classified in terms of legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. ISO 27002:2013 (8.2)

Labelling of Information

Logical or physical assets must be appropriately labeled according to the information classification tier for [company] business. The classification designates the required controls, and it is the asset owner who must provide the classification based on the assessed value, criticality, and sensitivity of the asset. ISO 27002:2013 (8.2)

Handling of Assets

[company] shall have procedures developed for handling assets and implement protection according to the classification level. ISO 27002:2013 (8.2)

Removable Media

Management shall implement protection for removable media in accordance with the classification level. ISO 27002:2013 (8.3)

Disposal of Media

Media shall be disposed of securely, using formal procedures, when no longer required. ISO 27002:2013 (8.3)

Physical Media Transfer

Media containing information assets shall be protected against unauthorized access, misuse, or corruption during transportation. ISO 27002:2013 (8.3)

Access Control Management

Information Access Restrictions

Access to information and application system functions shall be restricted in accordance with the access control policy. The transmission, movement, and removal of information is restricted to authorized users and processes, and is protected during transmission, movement, or removal, enabling the entity to meet its commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof]. Internal and external system users have been provided with information on how to report [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] failures, incidents, concerns, and other complaints to appropriate personnel. Access to data, software, functions, and other IT resources is authorized and is modified or removed based on roles, responsibilities, or the system design and changes to them. ISO 27002:2013 (9.1)

Access to Network and Network Services

Users shall only be provided with access to the network and network services that they have been specifically authorized to use. ISO 27002:2013 (9.1)

User Registration and De-registration

A user registration and de-registration process shall be implemented to enable assignment of access rights. ISO 27002:2013 (9.2)

User Access Provisioning

A user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. ISO 27002:2013 (9.2)

Privileged Access Rights

Access rights to privileged accounts shall be based on the least privilege required to perform job responsibilities. ISO 27002:2013 (9.2)

Management of Secret User Authentication

Users shall be required to sign an acknowledgement statement to keep personal secret authentication information confidential. User identity shall be validated prior to securely receiving a new, temporary, non-guessable password.
Default vendor passwords shall be altered after initial installation. ISO 27002:2013 (9.2)

Review of User Access Rights

Asset owners shall review users' access rights at regular intervals. ISO 27002:2013 (9.2)

Removal or Adjustment of Access Rights

Upon termination or change in job responsibilities, user access rights shall be removed or adjusted. ISO 27002:2013 (9.2)

Use of Secret Authentication

Users shall be required to follow the organization's practices for the use of secret authentication. ISO 27002:2013 (9.3)

Restricted Access to Information and Application System Functions

Access to information and application system functions shall be restricted in accordance with the access control policy. ISO 27002:2013 (9.4)

Secure Log-on Procedures

As required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. ISO 27002:2013 (9.4)

Password Management

Password systems shall be used and configured to make sure quality passwords are used. ISO 27002:2013 (9.4)

Use of Privileged Utility Programs

Use of utility programs shall be restricted and controlled to prevent possible override of system and application controls. ISO 27002:2013 (9.4)

Access to Source Code

Access to source code and associated documents (e.g. design plans, specifications) shall be strictly controlled, in order to prevent the introduction of unauthorized functionality, to avoid unintentional changes, and to maintain confidentiality of intellectual property. ISO 27002:2013 (9.4)

Encryption

Policy on the Use of Cryptographic Controls

[company] shall ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information. Procedures exist to prevent, detect, and correct processing errors to meet processing integrity commitments and requirements. System inputs are measured and recorded completely, accurately, and timely in accordance with processing integrity commitments and requirements. Data is processed completely, accurately, and timely as authorized in accordance with processing integrity commitments and requirements. Data is stored and maintained completely and accurately for its specified life span in accordance with processing integrity commitments and requirements. System output is complete, accurate, distributed, and retained in accordance with processing integrity commitments and requirements. Modification of data is authorized, using authorized procedures, in accordance with processing integrity commitments and requirements. ISO 27002:2013 (10.1)

Key Management

[company] shall use and protect cryptographic keys throughout the complete lifecycle of the key. ISO 27002:2013 (10.1)

Physical and Environmental Security

Perimeter Security

[company] shall define and ensure that areas containing information assets, like office spaces and data centers, are protected with sufficient controls relevant to the business. ISO 27002:2013 (11.1)

Physical Entry Control

Secured areas shall be protected to ensure only authorized personnel are allowed access. ISO 27002:2013 (11.1)

Securing Offices, Rooms and Facilities

Security controls shall be designed and applied in corporate operational areas. ISO 27002:2013 (11.1)

Protecting Against External and Environmental Threats

[company] shall physically protect against catastrophic disasters, malicious attacks, or accidents. ISO 27002:2013 (11.1)

Working in Secured Areas

[company] shall apply a secure working area for personnel and contractors when working on site. Crime reports and adequate security shall be implemented to protect individuals. ISO 27002:2013 (11.1)

Delivery and Loading Areas

Buildings with delivery and loading areas shall be secured from unauthorized access, and such areas shall be isolated from information processing facilities. ISO 27002:2013 (11.1)

Equipment Protection

[company] shall protect against and reduce risk from environmental threats and hazards, and from opportunities for unauthorized access to business-critical and regulated information assets. ISO 27002:2013 (11.2)

Security of Equipment Offsite

[company] shall apply off-site assets to mitigate risks when local equipment is unavailable. ISO 27002:2013 (11.2)

Secure Disposal or Re-Use of Equipment

[company] shall ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. ISO 27002:2013 (11.2)

Unattended User Equipment

Users shall ensure unattended equipment is locked and protected from unauthorized access. ISO 27002:2013 (11.2)

Clear Desk and Clear Screen Policy

[company] shall remove all electronic media and papers from facilities and desks, and clear computer screens, when unattended. ISO 27002:2013 (11.2)

Operations Security

Documented Operating Procedures

[company] shall document and provide procedures to all users who need them. ISO 27002:2013 (12.1)

Change Management

Includes major, minor, and patch releases.
Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
System changes that affect internal and external system user responsibilities or the entity's commitments and requirements relevant to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] are communicated to those users in a timely manner.
[Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements are addressed during the system development lifecycle, including design, acquisition, implementation, configuration, testing, modification, and maintenance of system components.
Infrastructure, data, software, and procedures are updated as necessary to remain consistent with the system commitments and requirements as they relate to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof].
Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and monitoring.
Changes to system components are authorized, designed, developed, configured, documented, tested, approved, and implemented in accordance with [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements.
Information regarding the design and operation of the system and its boundaries has been prepared and communicated to authorized internal and external system users to permit users to understand their role in the system and the results of system operation.
The entity's [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments are communicated to external users, as appropriate, and those commitments and the associated system requirements are communicated to internal system users to enable them to carry out their responsibilities.
The entity communicates the responsibilities of internal and external users and others whose roles affect system operation.
Internal and external personnel with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls relevant to the [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] of the system have the information necessary to carry out those responsibilities.
ISO 27002:2013 (12.1)

Capacity Management
The use of resources shall be monitored, tuned, and projected against future capacity requirements to ensure that minimum system performance baselines are maintained.
ISO 27002:2013 (12.1)

Separate Development, Testing, and Operating Environment
Management shall maintain separate environments for development, testing, and production deployment to reduce the risks of unauthorized access or changes to the production environment.
ISO 27002:2013 (12.1)

Controls Against Malware
All employee and contractor systems must have malware protection implemented to protect against known threats.
ISO 27002:2013 (12.2)

Information Backup
[company] shall protect against loss of data through backup and recovery of its critical data, in order to protect its business operations and customers.
Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.
Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.
Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
ISO 27002:2013 (12.3)

Event Logging & Monitoring
[company] shall record events and generate evidence from critical systems.
Vulnerabilities of system components to [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] breaches and incidents due to malicious acts, natural disasters, or errors are monitored and evaluated, and countermeasures are implemented to compensate for known and new vulnerabilities.
[Insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] incidents, including logical and physical security breaches, failures, concerns, and other complaints, are identified, reported to appropriate personnel, and acted on in accordance with established incident response procedures.
The design and operating effectiveness of controls are periodically evaluated against [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements, and corrections and other necessary actions relating to identified deficiencies are taken in a timely manner.
ISO 27002:2013 (12.4)

Protection of Log Information
Logging facilities and log information shall be protected against tampering and unauthorized access.
ISO 27002:2013 (12.4)

Administrator and Operator Logs
Privileged account access shall be logged. The logs shall be protected and regularly reviewed.
ISO 27002:2013 (12.4)

Clock Synchronization
[company] shall synchronize the clocks of all employee and contractor systems to a single reference time source.
ISO 27002:2013 (12.4)

Installation of Software
[company] shall implement controls to limit the installation of software on operating systems (e.g. production systems, staff desktop and laptop computers).
[company] shall adopt a secured baseline for operating systems.
ISO 27002:2013 (12.5)

Management of Technical Vulnerabilities
Information about technical vulnerabilities of the information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
The entity (1) identifies potential threats that would impair system [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] commitments and requirements, (2) analyzes the significance of risks associated with the identified threats, and (3) determines mitigation strategies for those risks (including controls and other mitigation strategies).
The entity designs, develops, and implements controls, including policies and procedures, to implement its risk mitigation strategy.
The entity (1) identifies and assesses changes (for example, environmental, regulatory, and technological changes) that could significantly affect the system of internal control for [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] and reassesses risks and mitigation strategies based on the changes, and (2) reassesses the suitability of the design and deployment of control activities based on the operation and monitoring of those activities, and updates them as necessary.
ISO 27002:2013 (12.6)

Restriction on Software Installation
[company] shall have rules governing the installation of software by users.
ISO 27002:2013 (12.6)

Information System Audit
[company] shall plan and agree audit requirements and activities involving verification of operational systems so as to minimize disruption to the business.
ISO 27002:2013 (12.7)

Communication Security

Network Controls
[company]'s networks shall be managed and controlled to protect information in systems and applications.
ISO 27002:2013 (13.1)

Security of Network Services
[company] shall define security mechanisms, service levels, and management requirements for all network services.
ISO 27002:2013 (13.1)

Segregation in Networks
Groups of information services, users, and information systems shall be segregated on the networks.
ISO 27002:2013 (13.1)

Information Transfer Policies and Procedures
[company] shall have formal transfer policies, procedures and controls in place to protect the transfer of information. Encryption protocols shall be used for data in transmission.
ISO 27002:2013 (13.2)

Agreement on Information Transfer
[company] shall establish agreements that address the secure transfer of business information between the organization and external parties.
ISO 27002:2013 (13.2)

Electronic Messaging
[company] shall protect email messages in transmission.
ISO 27002:2013 (13.2)

Confidentiality or Non-Disclosure Agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
Confidential information is protected during the system design, development, testing, implementation, and change processes in accordance with confidentiality commitments and requirements.
Confidential information within the boundaries of the system is protected against unauthorized access, use, and disclosure during input, processing, retention, output, and disposition in accordance with confidentiality commitments and requirements.
Access to confidential information from outside the boundaries of the system and disclosure of confidential information is restricted to authorized parties in accordance with confidentiality commitments and requirements.
The entity obtains confidentiality commitments that are consistent with the entity's confidentiality requirements from vendors and other third parties whose products and services comprise part of the system and have access to confidential information.
Compliance with confidentiality commitments and requirements by vendors and other third parties whose products and services comprise part of the system is assessed on a periodic and as-needed basis, and corrective action is taken if necessary.
Changes to confidentiality commitments and requirements are communicated to internal and external users, vendors, and other third parties whose products and services are included in the system.
ISO 27002:2013 (13.2)

System Acquisition, Development, and Maintenance

Information Security Requirements Analysis and Specification
[company] shall include information security requirements in the requirements for new information systems or enhancements to existing systems.
ISO 27002:2013 (14.1)

Securing Application Services on Public Networks
Information passing over public networks shall be protected from fraudulent activity, contract disputes, and unauthorized disclosure and modification.
ISO 27002:2013 (14.1)

Protecting Application Services Transactions
[company] shall protect against and prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.
ISO 27002:2013 (14.1)

Secure Development Policy
Rules for the development of software and systems shall be established and applied to developments within the organization. Responsibility and accountability for designing, developing, implementing, operating, maintaining, monitoring, and approving the entity's system controls are assigned to individuals within the entity with authority to ensure policies and other system requirements are effectively promulgated and placed in operation.
Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the system affecting [insert the principle(s) being reported on: security, availability, processing integrity, or confidentiality or any combination thereof] have the qualifications and resources to fulfill their responsibilities.
ISO 27002:2013 (14.2)

Restrictions on Changes to Software Packages
Modifications to software packages in production shall be discouraged and strictly controlled.
ISO 27002:2013 (14.2)

Secure System Engineering Principles
[company] shall establish and apply principles for engineering secure systems.
ISO 27002:2013 (14.2)

Secure Development Environment
[company] shall establish an appropriately secured development environment to protect development information assets through the entire development lifecycle.
ISO 27002:2013 (14.2)

Outsourced Development
[company] shall supervise and monitor the activity of outsourced system development.
ISO 27002:2013 (14.2)

System Security Testing
Testing of security functionality should be carried out during development.
ISO 27002:2013 (14.2)

System Acceptance Testing
Acceptance testing programs and related criteria should be established for new information systems, upgrades and new versions.
ISO 27002:2013 (14.2)

Protecting Test Data
[company] shall not use production data in the test data environment. Test data shall be selected carefully.
ISO 27002:2013 (14.3)

Supplier Relationships

Vendor Management Policy
[company] shall define information security requirements for supplier access to the organization's assets.
The supplier shall agree to the requirements and [company] shall maintain the agreement documentation.
ISO 27002:2013 (15.1)

Addressing Security Within Supplier Agreements
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide business-relevant or regulated information assets.
ISO 27002:2013 (15.2)

Information and Communication Technology for the Supply Chain
Agreements with suppliers shall include the information security risks and requirements associated with the technologies used.
ISO 27002:2013 (15.2)

Monitoring and Review of Supplier Services
[company] shall regularly monitor, review, and audit supplier service delivery.
ISO 27002:2013 (15.2)

Managing Changes to Supplier Services
Changes to the provision of services by external parties shall be managed and tracked, and a current risk assessment shall be maintained for risk mitigation.
ISO 27002:2013 (15.2)

Incident Management

Incident Responsibilities and Procedures
Information security incidents shall be responded to in accordance with the documented procedures.
Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet availability commitments and requirements.
Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.
ISO 27002:2013 (16.1)

Reporting Information Security Events
[company] shall report information security events through the corporate procedural channels as quickly as possible.
ISO 27002:2013 (16.1)

Reporting Control Weaknesses
All employees and contractors shall be required to report any suspected information security weaknesses in systems or services to the Security Officer.
ISO 27002:2013 (16.1)

Assessment of Security Events
Information security events shall be assessed to determine their classification as security incidents for reporting.
ISO 27002:2013 (16.1)

Response to Incidents
[company] shall respond to incidents in accordance with documented procedures.
ISO 27002:2013 (16.1)

Learning from Past Security Incidents
Management shall provide a root cause analysis for resolved security incidents and implement mitigations to reduce future incidents.
ISO 27002:2013 (16.1)

Collection of Evidence
[company] shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.
ISO 27002:2013 (16.1)

Business Continuity Management

Planning for Continuity
[company] shall embed information security in the organization's business continuity management plans, including the business impact analysis, recovery plans, testing and exercises, and continuous improvement, to ensure business resiliency.
The plan shall ensure that current personnel, processing, and usage capacity are maintained, monitored, and evaluated to manage demand.
Environmental protections, software, data backup processes, and recovery infrastructure are designed, developed, implemented, operated, maintained, and monitored to meet availability commitments and requirements.
Procedures supporting system recovery in accordance with recovery plans are periodically tested to help meet availability commitments and requirements.
ISO 27002:2013 (17.1)

Implementing Continuity Management
[company] shall establish, document, implement, and maintain processes and procedures to ensure continuity of services at a minimum required service level in the event of a catastrophic event.
ISO 27002:2013 (17.1)

Compliance

Identify Applicable Legislation and Contractual Requirements
[company] shall identify relevant legislative, regulatory, and contractual requirements and the organization's approach to meeting them.
ISO 27002:2013 (18.1)

Protection of Records
[company] shall protect records from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
ISO 27002:2013 (18.1)

Privacy and Protection of Personally Identifiable Information
[company] must provide privacy and protection for personally identifiable information in accordance with relevant legislation and regulation where applicable.
ISO 27002:2013 (18.1)

Independent Review of Information Security
The organization's approach to managing information security and its implementation of controls shall be reviewed independently against the assets in scope for business, legislative, and regulatory requirements.
ISO 27002:2013 (18.2)

Compliance with Security Policies and Standards
Managers shall regularly review the compliance of information processing within their area of responsibility to ensure security requirements are appropriately implemented.
ISO 27002:2013 (18.2)

Technical Compliance Review
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards. Controls shall be implemented to prevent or detect deviation from requirements.
ISO 27002:2013 (18.2)

Policy Compliance
Employees, contractors, vendors, guests and agents within the scope of this policy who have access to the company's facilities, technology, information systems, or data shall be familiar with and abide by this and other appropriate policies. The functional area responsible for the relationship management of the contractor, vendor, or agent is responsible for communicating applicable policies to the contractor, vendor, or agent.

Policy Violations
Failure to report known violations of this policy is considered to be a policy violation.
Report policy violations in accordance with the Policy Violation Escalation Procedure.

Policy Enforcement
Failure to comply with these information security policies, standards, guidelines and procedures must result in management intervention and may result in disciplinary action as outlined in the Employee Agreement, or sanctions up to and including termination of contracts for contractors, vendors, or agents. Legal action may also be taken for violations of applicable laws and regulations.

Logging

Overview and Purpose
Log collection and review ensures the confidentiality, integrity, and availability of information systems in the environment.

Scope
This policy shall be followed for [all or certain] systems in-scope.

Roles & Responsibilities
Policy Author - the person/team responsible for maintaining updates of this policy
Policy Approver - the person who will approve the policy annually and the exception requests related to any deviation from this policy
All Employee - must follow this policy or file an exception request when a situation requires deviation from the policy. Must acknowledge the policy for the audit record and must take security awareness training annually.
Security Officer - enable the security program for employees to adhere to, and implement solutions to meet the policy. Manage overall risks to the policy.

Policy Statements

Audit Logging
All computing systems are configured to capture security audit log data.
The following data elements must be captured:
- Identity of the person or process accessing the system.
- All login attempts, whether successful or unsuccessful.
- System and application logins.
- Login and logoff timestamps.
- Unsuccessful logins.
- Additions, deletions, and modifications of user accounts and privileges.
- Attempts to perform unauthorized functions or access data the user is not authorized to access.
- Date and time of the occurrence of the logged activity.
- Time zone information, if available.
- Source of connection (e.g., IP address, terminal name, machine name), if available.
Ensure that all accounts have an expiration date that is monitored and enforced.
Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
Include at least two synchronized time sources for consistent timestamps.

Privileged Account Logging
In addition to the basic security audit logs required of all computing systems, the following types of actions performed by privileged accounts on servers (e.g., UNIX, Windows, Mainframe, etc.), network devices, databases, applications, etc. are captured and recorded in security audit logs:
- Modification of any security rules or parameters.
- Attempted or actual violation of security rules.
- Changing of system date, time, or any other activity affecting audit trail recording.
- Capture sudo logs.
- Direct modification of audit logs.
- Changes or upgrades to the operating system, parameter settings, and configuration files.
- Session initiation and termination (successful, failed, or both).
- Object affected (e.g., file, database, user, etc.).
- Results of action taken (e.g., read, change, delete, change attributes or properties, etc.).

Accountability Logging
To support accountability, applications should have the capability to log all modifications to records and programs or modules, including process initiations and terminations, and to capture all security events that are necessary to trace an action or transaction performed via the application back to the individual user or process.

Automated Audit Trails
Whenever possible, use automated tools to detect changes. Data owners, in conjunction with asset custodians, are required to implement automated audit trails for all system components to reconstruct the following events:
1. Individual user access to sensitive data;
2. Actions taken by any individual with root or administrative privileges;
3. Access to audit trails;
4. Invalid logical access attempts;
5. Use of and changes to identification and authentication mechanisms, including but not limited to:
   a. Creation of new accounts and elevation of privileges; and
   b. Changes, additions, or deletions to accounts with root or administrative privileges;
6. Initialization, stopping, or pausing of the audit logs; and
7. Creation and deletion of system-level objects.
Logging of the above events enables an organization to identify and trace potentially malicious activities.

Account and Access Disablement
Administrators shall disable accounts (including voice mail box accounts) upon notification of employee separations, terminations, or transfers.

Activity Logs
There shall be real-time monitoring and detection of network and user log-on attributes, and the logs shall be maintained with accountability for reporting system logs.

Review of Logs
Where possible, log review and correlation should be carried out as needed. IT will review logs based on identifiable events. IT is also responsible for developing and implementing a process to review logs and security events for system components to identify anomalies or suspicious activity. This process includes the following:
1. Implementing a process, tool, or application that collects and identifies the following items:
   a. All security events;
   b. Logs of all system components that store, process, or transmit sensitive data;
   c. Logs of all critical system components; and
   d. Logs of all servers and system components that perform security functions. This includes, but is not limited to:
      i. Firewalls;
      ii. Intrusion Detection Systems (IDS);
      iii. Intrusion Prevention Systems (IPS);
      iv. Authentication servers (e.g., Active Directory domain controllers);
      v. E-commerce redirection servers; and
      vi. Physical and/or logical access system logs.
2. Periodically reviewing logs of other system components based on CyberOne's policies and risk management strategy, as determined by CyberOne's annual risk assessment; and
3. Following up on exceptions and anomalies identified during the review process.
Manual discovery and correlation is required for logs outside of the SIEM environment.
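As an added illustration of the Audit Logging, Privileged Account Logging and Review of Logs statements above (example code, not part of this template and not any vendor's tooling), the following Python script reviews constructed JSON audit records: it checks that each record carries the required data elements (identity, action and outcome, timestamp with time zone, source of connection) and flags the kinds of events a review process is expected to surface, namely privileged actions, off-hours logins and repeated login failures. The record field names, the event names, the business-hours baseline and the failed-login threshold are assumptions, not values the policy defines.

```python
"""Audit-log completeness and review checks over constructed JSON events.
Added example; the field names, event names, business-hours baseline and
failed-login threshold are assumptions, not values defined by the policy."""
import json
from collections import Counter
from datetime import datetime, timezone

# Data elements the Audit Logging statements require of every record:
# identity, action and result, date/time (with zone), and source of connection.
REQUIRED_FIELDS = ("user", "event", "outcome", "ts", "src_ip")

# Privileged actions the Privileged Account Logging statements single out
# (assumed event names for security rule changes, clock changes, audit log
# modification or stopping, configuration changes and sudo use).
PRIVILEGED_EVENTS = {"security_rule_change", "system_time_change", "audit_log_modify",
                     "audit_log_stop", "config_change", "sudo"}

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC, assumed normal login window
FAILED_LOGIN_THRESHOLD = 3      # assumed review threshold for repeated failures

# Constructed sample records (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:01+00:00", "user": "alice", "event": "login", "outcome": "success", "src_ip": "10.0.1.23"}
{"ts": "2024-03-04T09:12:30+00:00", "user": "alice", "event": "login", "outcome": "failure", "src_ip": "10.0.1.23"}
{"ts": "2024-03-04T02:45:10+00:00", "user": "bob", "event": "login", "outcome": "success", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T02:46:00+00:00", "user": "bob", "event": "sudo", "outcome": "success", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T10:01:00+00:00", "user": "svc_backup", "event": "audit_log_stop", "outcome": "success", "src_ip": "10.0.2.5"}
{"ts": "2024-03-04T10:05:00", "user": "carol", "event": "login", "outcome": "failure", "src_ip": "10.0.1.40"}
{"user": "dave", "event": "login", "outcome": "failure"}
{"ts": "2024-03-04T11:00:00+00:00", "user": "carol", "event": "login", "outcome": "failure", "src_ip": "10.0.1.40"}
{"ts": "2024-03-04T11:00:05+00:00", "user": "carol", "event": "login", "outcome": "failure", "src_ip": "10.0.1.40"}
{"ts": "2024-03-04T11:00:09+00:00", "user": "carol", "event": "login", "outcome": "failure", "src_ip": "10.0.1.40"}
"""


def parse_events(raw):
    """Parse JSON lines; unparseable lines are reported, never silently dropped."""
    events, errors = [], []
    for lineno, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            errors.append(f"line {lineno}: unparseable record")
    return events, errors


def is_complete(ev):
    """True when every required data element is present."""
    return all(f in ev for f in REQUIRED_FIELDS)


def completeness_findings(events):
    """A record missing a required element, or a timestamp without a zone,
    cannot be tied to a person, a time and a source, so it is a finding."""
    findings = []
    for i, ev in enumerate(events, 1):
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            findings.append(f"record {i}: missing {','.join(missing)}")
        elif datetime.fromisoformat(ev["ts"]).tzinfo is None:
            findings.append(f"record {i}: timestamp lacks time zone")
    return findings


def review_findings(events):
    """Flag privileged actions, off-hours logins and repeated login failures."""
    findings, failures = [], Counter()
    for ev in events:
        if not is_complete(ev):
            continue  # already reported by completeness_findings
        ts = datetime.fromisoformat(ev["ts"])
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # review assumes UTC when zone is absent
        hour = ts.astimezone(timezone.utc).hour
        if ev["event"] in PRIVILEGED_EVENTS:
            findings.append(f"privileged action {ev['event']} by {ev['user']} from {ev['src_ip']}")
        elif ev["event"] == "login" and ev["outcome"] == "success" and hour not in BUSINESS_HOURS:
            findings.append(f"off-hours login by {ev['user']} at {ts.isoformat()}")
        elif ev["event"] == "login" and ev["outcome"] == "failure":
            failures[ev["user"]] += 1
    for user, n in sorted(failures.items()):
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{n} failed logins for {user}")
    return findings


def review(raw=SAMPLE_LOG):
    """Run all checks and return the findings grouped by category."""
    events, parse_errors = parse_events(raw)
    return {"parse_errors": parse_errors,
            "completeness": completeness_findings(events),
            "review": review_findings(events)}


if __name__ == "__main__":
    for category, items in review().items():
        print(f"{category}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

The completeness pass runs separately from the anomaly pass on purpose: a record that cannot name a user, a time zone or a source is itself a control failure to report, and the review logic skips such records rather than reasoning over incomplete data.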
Enforce Detailed Logging for Access or Changes to Sensitive Data
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).

Server Operating System Logs
System performance reports shall contain information that can be used as a risk indicator to detect information security incidents.

Database Logs
The following database events are to be logged for review:
- Any failed user access attempts.
- Any login that has been added or removed as a database user of the database.
- Any login that has been added to or removed from a role.
- Any database role that has been added to or removed from a database.
- Any password that has been changed for an application role.
- Any database that has been created, altered, or dropped.
- Any database object, such as a schema, to which users connected.
- Changes made by any individual with DBA privileges.

Network and Firewall Logs
There shall be a process implemented for logging network connections as well as an audit log process for firewalls, and the log files shall be retained. Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.
The following firewall events are to be logged for review:
- ACL violations.
- Invalid user authentication attempts.
- Logon and actions taken by any individual using privileged accounts.
- Configuration changes made to the firewall (e.g. policies disabled, added, deleted, or modified).
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information.
Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
Enable DNS query logging.
Deploy NetFlow collection and analysis of DMZ network flows to detect anomalous activity.
Configure built-in firewall session tracking mechanisms.
Use network-based Data Loss Prevention (DLP) solutions to monitor and control the flow of data within the network.
Control and monitor any accounts performing penetration testing.

Intrusion Detection System Logs
The following Intrusion Detection System (IDS) events are to be logged for review:
- Any vulnerability listed in the Common Vulnerabilities and Exposures (CVE) database.
- Any generic attack(s) not listed in CVE.
- Any known Denial of Service (DoS) attack(s).
- Any traffic patterns that indicate pre-attack reconnaissance occurred.
- Any attempts to exploit security-related configuration errors.
- Any traffic to or from a back-door program.
- Any traffic typical of known stealth attacks.

Anti-Virus Logs
The following anti-virus events are to be logged for review:
- Excessive infections on a single machine.
- Outbreaks that affect more than 5 machines.
- Infection attempts.
- Infection remediation.
Limit use of external devices to those with an approved, documented business need.

Identify Log Anomalies
Run at least bi-weekly reports to review for anomalies, documenting the findings. Alert when users deviate from normal login behavior, such as time of day, workstation location and duration. The company shall deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.
The system shall discover and block unauthorized attempts to exfiltrate data.

Logs are Monitored & Reported
Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans. Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged.
Reports shall be generated indicating abnormal activities, timeframes, and the user credentials involved.

Retention, Backup, Archive, and Adequate Storage
CyberOne shall retain system and network logs for the organization's specified events and in accordance with the organization's stated policy.

Access to Critical Systems by Third Parties is Monitored
Access to critical systems by third parties is monitored for unauthorized or unusual activity.

Network Security

Overview & Purpose
Maintaining the confidentiality, integrity, and accessibility of corporate data and resources. Network security infrastructure encompasses, but is not limited to, routers, switches, firewalls, and wireless security.

Scope
This policy applies to all contractors, vendors, and agents with a [company] or personally-owned computer, laptop, or workstation used to connect to the network. This policy also applies to remote access connections used for performing work, including sending email, accessing network resources, viewing Internet or Intranet web resources, or any other act that constitutes implicit or explicit use of or access to the network.

Roles and Responsibilities
Policy Author - the person/team responsible for maintaining updates of this policy
Policy Approver - the person who will approve the policy annually and the exception requests related to any deviation from this policy
All Employee - must follow this policy or file an exception request when a situation requires deviation from the policy. Must acknowledge the policy for the audit record and must take security awareness training annually.
Security Officer - enable the security program for employees to adhere to, and implement solutions to meet the policy. Manage overall risks to the policy.

Policy Statements

Access to the Network
- Control and monitor any user or system access used to perform penetration testing of the network, to make sure it is used only for legitimate purposes and is removed or restored to normal function after testing is over.
- Prohibit ports, functions, protocols and services that are no longer needed for business purposes.
- Use a dedicated machine for all administrative tasks or tasks requiring elevated access; it shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.
- Implement multi-factor authentication.
- Implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
- Invalidate session identifiers upon user logout or other session termination.
- Use Interconnection Security Agreements; document, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and review and update Interconnection Security Agreements regularly.

Network Configurations
- Communication of sensitive information over less-trusted networks shall be encrypted.
- Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications.
- IPS devices shall be deployed to complement IDS by blocking known bad signatures or the behavior of potential attacks.
- Document all new configuration rules beyond the baseline hardened configuration that allow traffic to flow through network security devices.
- Disable feedback to senders on protocol format validation failure.

Domain Name System Security Extensions (DNSSEC)
- Deploy DNSSEC across the enterprise.

Network Boundaries and Connections
- Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except the services and ports that are explicitly allowed.
- Configure network boundary devices.
- Maintain an up-to-date inventory of all of the organization's network boundaries.
- Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application-layer filtering proxy server.
- Verify any server that is visible from the Internet or an untrusted network; if it is not required for business purposes, move it to an internal VLAN and give it a private address.
- Use separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly.
- Ensure that only ports, protocols, and services with validated business needs are running on each system.
- Implement security functions as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

Network Diagram & Documentation
- Update the network diagram when connections with third parties change, or at least annually.
- Identify all external connections in the network diagram.
- Validate and document the security architecture before network connection infrastructure changes.
- Network and systems diagrams are stored in a secure manner with proper restrictions on access.
- Compare firewall, router, and switch configurations against the standard secure configuration defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organizational change control board.
- Any deviations from the standard configuration, or updates to the standard configuration, should be documented and approved in a change control system.
- Document all configuration rules that allow traffic to flow through network devices in a configuration management system, with a specific business reason for each rule, the name of the specific individual responsible for that business need, and the expected duration of the need.

Network Segmentation
- Segment the network based on the label or classification level of the information stored on the servers.

DMZ
- Configure network environments and virtual instances to restrict and monitor traffic between trusted and untrusted zones.

Network Encryption
[Company] shall encrypt Confidential data in transit across private connections (e.g., frame relay and T1) and within the institution's trusted zones. Data in transit shall be encrypted using algorithms and key lengths approved by current NIST standards. Cryptographic keys used to encrypt confidential data shall be managed so that the data remains recoverable if a user loses the key.
[Company] shall decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content.
However, [Company] may use allow lists of sites that can be accessed through the proxy without decrypting the traffic.
[Company] shall manage all network devices using multi-factor authentication and encrypted sessions.

Routers and Switches
A secure configuration standard must be defined for all routers and switches and all other devices connecting to a production network or used in a production capacity.

Firewalls
A robust, secure configuration must be defined for all firewalls or other packet-filtering devices that connect to a production network or are used in a production capacity.
- At least annually, [Company] will review ACL and firewall rules.

Wireless
Wireless infrastructure devices must comply with all security requirements to connect to the network. Only those wireless infrastructure devices that meet the requirements specified, or that are granted an exception by InfoSec, are approved for connectivity to a [Company] network.
Network devices including, but not limited to, hubs, routers, switches, firewalls, remote access devices, modems, or wireless access points must be installed, supported, and maintained by an Information Security (InfoSec)-approved support organization. Lab network devices must comply with any existing policies.
This standard applies to wireless devices that make a physical or wireless connection to the network, and to all wireless infrastructure devices that provide wireless connectivity to the network.
Information Security must approve exceptions to this standard in advance. Any changes to these standards or policies must go through a change management process and be approved by IT management.
Any exceptions must be approved at a manager level. Refer to the [Company] Wireless Policy for additional information.

Wireless Connectivity
- Each wireless device connected to the network shall match an authorized configuration and security profile, with a documented owner of the connection and a defined business need.
- Isolated wireless device requirements must adhere to the following [insert requirements]:
- Wireless networks shall use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which provide credential protection and mutual authentication.
- Use at least Advanced Encryption Standard (AES) encryption with at least Wi-Fi Protected Access 2 (WPA2) protection for all wireless traffic.
- Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and to detect attack attempts and successful compromises. All wireless traffic should also be monitored by the WIDS as it passes into the wired network.
- Use network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against the list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.

Network Services Agreements
Identify the security mechanisms, service levels and management requirements of all network services and include them in network services agreements, whether these services are provided in-house or outsourced.

Mobile Technologies
Define acceptable and unacceptable mobile code and mobile code technologies.

Network Logs & Monitoring
A system and network monitoring process shall be implemented and maintained.
A process is implemented for logging network connections, as well as an audit log process, and the log files are retained.

Network Testing, Compliance & Auditing
Perform external and internal penetration tests, and perform regular vulnerability scans from outside each trusted network boundary to detect any unauthorized connections that are accessible across the boundary; monitor threats for possible exploitation of the enterprise.

Network Communication Exceptions
Protect the authenticity of all communications.

Network Processing with External Parties
Limit the number of external network connections to the information system and establish agreements that address the secure transfer of business information between the organization and external parties.

Attack Surface Reviews
Perform attack surface reviews.

Network Equipment & Cabling Protection
Protect power equipment and power cabling for the information system from damage and destruction.

Physical Security
Overview and Purpose
The purpose of this policy is to protect information technology assets from physical and environmental threats.
Scope
This policy shall be followed for [all or certain] systems in scope.
Roles & Responsibility
Policy Author - the person/team responsible for maintaining updates to this policy
Policy Approver - the person who approves the policy annually and the exception requests related to any deviation from this policy
All Employees - must follow this policy or file an exception request when a situation requires deviating from the policy. Must acknowledge the policy for the audit record and must take security awareness training annually.
Security Officer - enables the security program for employees to adhere to and implements solutions to meet the policy. Manages overall risks to the policy.
Policy Statements
1. Corporate Headquarters Security Controls - ensure that all facilities and physical areas containing sensitive or critical information assets are defined and documented, and that access points are controlled, protected and secured against physical and environmental threats and unauthorized access.
2. Employee Access - implement the use of keys or access cards for employees, contractors, consultants and any other personnel requiring access.
3. Visitor Access - implement the use of keys or access cards for visitors and any other non-employee personnel requiring access.
4. Secure Work Areas - implement security controls in all corporate operational areas, including offices, areas housing critical IT systems, scoped data, target systems, and systems which store, process, or transmit sensitive data. Areas housing critical IT systems, including systems which store, process, or transmit sensitive data, will be subject to additional security. Access to these areas will be restricted based on job function.
5. Environmental Controls - protect facilities and equipment against environmental threats and hazards, including malicious attacks, accidents and natural disasters. Procedures shall comply with local and state government requirements and inspection standards, and may include cooling measures, humidity control, fire suppression, and primary and emergency power supplies.
6. Auditing Workspace Environments - periodic compliance audits of the secure workspace environment are conducted.
7. Equipment Protection and Maintenance - implement ongoing maintenance of equipment to ensure its availability and integrity, and measures to protect equipment from loss, damage, theft, compromise or interruption to the Company's operations, including:
- Power failures and other disruptions caused internally or by supporting utility services.
- Protection of all power and telecommunications cabling carrying data or supporting information services from interception, interference or damage.
8. Unattended User Equipment - Clear Desk/Screen Policy - employees, contractors, visitors, consultants and any other personnel shall be responsible for ensuring the appropriate protection of unattended equipment, including the adoption of a clear desk policy. All papers and removable media shall be stored securely, and any open computer screens shall be cleared and powered down when not in use.

Removable Media
Overview and Purpose
The purpose of this policy is to set the standard for handling removable media so that confidential and sensitive data stored on it is protected from unauthorized access, infection, hijacking or corruption.
Scope
This policy applies to all staff, contractors, consultants, temporaries, and other workers.
These users are tasked with ensuring the safety of information assets, systems, and business processes that support those assets via Removable Mass Storage Devices.
Roles and Responsibilities
All employees are responsible for complying with corporate policies and reporting policy violations to Information Security.
IT Operations is responsible for ensuring the implementation of [Company]'s Removable Media Policy.
Management is responsible for enforcement and for allocating resources to implement the policy.
References: ISO 27001:2013 (8.1), ISO 27001:2013 (8.1.2)

Policy Statements
CyberOne's Removable Media policy protects confidential and sensitive data contained on removable media from being accessed by unauthorized individuals, or from being infected, hijacked or corrupted.

Responsibility
CyberOne shall document and implement procedures to manage removable media (for example USB keys, external hard drives, Internet of Things devices, and other devices) throughout their use and when they are no longer required. Employees shall retain the business justification and authorization documentation for the audit trail, apply appropriate levels of protection to the media, and create multiple copies of data stored on separate media to limit the opportunity for data loss.
Each CyberOne user is responsible for the appropriate use and security of data, and for not allowing removable media devices, and the information stored on them, to be compromised in any way while in their care or under their control.
The IT department is responsible for ensuring that USB storage devices are blocked from write access; users are allowed read access. All pluggable devices are scanned by anti-malware software. Users should still take all precautions to keep their systems free of malicious software. CD/DVD-ROM write access is restricted.
Any write access to removable media shall be scanned for data loss prevention periodically.
References: ISO 27001:2013 (8.3.1), ISO 27002:2013 (8.3.1), CIS v7.0 C13 (13.7), NIST SP 800-53 Rev 4 MP-01

Inventory of Removable Media
CyberOne shall document and maintain a current inventory of removable media across the organization. See also the Asset Management Policy.
References: AUP v2 D.1, CIS v7.0 C13 (13.7)

Labeling of Removable Media
CyberOne shall develop procedures for the appropriate labeling of assets in accordance with the classification of the asset, guidelines for where and how labels are attached, and exceptions to the need to label assets.
References: ISO 27001:2013 (8.2.2), ISO 27002:2013 (8.2.2), NIST SP 800-53 Rev 4 MP-03

Removable Media Use
CyberOne shall ensure that all removable media and portable devices have an identifiable, authorized owner prior to use, and shall develop policy and procedures for security safeguards that define and restrict the types of use of removable devices on defined information systems, based on the organization's classification scheme.
All requests for access shall be automatically tracked, documented, and audited for access granted.
References: NIST SP 800-53 Rev 4 MP-07 (01) CE, NIST SP 800-53 Rev 4 MP-07, CIS v7.0 C13 (13.4), NIST SP 800-53 Rev 4 MP-02, ISO 27001:2013 (8.3.1), NIST SP 800-53 Rev 4 MP-04 (02) CE

Encryption of Removable Media
CyberOne shall ensure that all removable media devices, and all non-public data stored on removable media devices, are encrypted.
References: CIS v7.0 C13 (13.9), CIS v7.0 C13 (13.6), FFIEC CAT 06/2015 D3.PC.Am.B.14, NIST SP 800-53 Rev 4 MP-05 (04) CE

Configuration
CyberOne shall use enterprise software to configure systems so that only authorized removable media can be used. Where there is no business need for such devices, systems shall be configured not to write data to external removable media, or to allow only specific USB devices (identified by serial number or another unique property) and to automatically encrypt all data placed on such devices.
References: CIS CSC 13.5, CIS v7.0 C13 (13.7), CIS v7.0 C13 (13.8)

Storage of Removable Media
CyberOne shall document and implement policies to govern the secure storage of all types of sensitive information on removable media.
References: FFIEC ITH INFOSEC 9/2016 II (C.13 (a)), NIST SP 800-53 Rev 4 MP-04, NIST SP 800-53 Rev 4 MP-04 (02) CE, NIST SP 800-53 Rev 4 AC-20 (2) CE

Data Backup of Removable Media
CyberOne shall establish policy and procedures for backing up removable media, including remote backups and cloud services, and ensure proper protection via physical security or encryption when the backups are stored or moved across the network. Backups shall have at least one destination that is not continuously addressable through operating system calls.
CyberOne shall document and implement a backup process for all removable media, including procedures for testing to ensure the successful restoration of media.
References: CIS v7.0 C10 (10.4), CIS v7.0 C10 (10.5), AUP v2 G.19

Transportation
CyberOne shall establish policies and procedures for the secure transportation of removable media outside of controlled areas to protect against unauthorized access, misuse or corruption during transit. A verified custodian shall be identified for the duration of transport, and packaging that is secure and sufficient to protect the asset during transit (in accordance with the manufacturer's specifications) shall be used. (See also the Asset Management Policy.)
When transporting electronic removable media outside CyberOne-controlled facilities, the transfer of any confidential information on the media must be approved by CyberOne Information Security Management, and the information must be encrypted before leaving CyberOne premises. When confidential data is written to removable media for the purpose of transferring it to an external business partner, vendor, or customer, only brand-new or unused media may be used; media that has been previously used and then wiped shall not be used, because confidential data may still be recoverable from it. When transporting confidential data on removable media offsite, no external labeling or marking may identify the owner of the data or the information's classification.
References: NIST SP 800-53 Rev 4 MP-05 (03) CE, AUP v2 G.14, AUP v2 G.15, FFIEC ITH INFOSEC 9/2016 II (C.13 (d)), ISO 27001:2013 (8.3.3)

Sanitization of Removable Media
CyberOne shall prohibit the use of sanitization-resistant media, and shall apply non-destructive sanitization techniques, commensurate with the security category or classification of the information, to portable storage devices prior to connecting them to the information system, and prior to disposal, release out of organizational control, or release for reuse.
CyberOne shall enforce dual authorization for the sanitization of removable media.
CyberOne shall provide the capability to purge or wipe information remotely or under defined conditions. Sanitized equipment shall be documented, tracked, inventoried and tested to verify sanitization prior to reuse.
References: NIST SP 800-53 Rev 4 MP-06, MP-06 (01) CE, MP-06 (02) CE, MP-06 (03) CE, MP-06 (07) CE, MP-06 (08) CE, MP-07 (02) CE

Media Protection and Downgrading of Removable Media
CyberOne shall document and implement downgrading of information system media containing classified information, ensure that the downgrading process is commensurate with the security category and/or classification level of the information to be removed, and test it to verify correct performance.
References: NIST SP 800-53 Rev 4 MP-08, MP-08 (01) CE, MP-08 (02) CE, MP-08 (03) CE, MP-08 (04) CE

Disposal and Destruction of Removable Media
CyberOne shall implement policies and procedures for the destruction of removable media that is no longer needed, and for handling media that is missing or stolen.
CyberOne shall ensure data on removable media is wiped or destroyed.
References: AUP v2 D.2, FFIEC CAT 06/2015 .Re.E.1

Incident Management Reporting for Removable Media Handling
CyberOne shall prevent the unauthorized disclosure, modification, removal or destruction of information.
All users must immediately report any actual or suspected loss or theft of removable media to the Information Security Team (security@) or Helpdesk (helpdesk@).
References: ISO 27001:2013 (8.3)

SDLC
Overview and Purpose
The purpose of this policy is to set the standard for secure system development, including how information security is integrated into the development life cycle and how releases are planned, sized, and deployed.
Scope
This policy shall be followed for [all or certain] systems in scope.
Roles and Responsibilities
Line of Business (LoB)
This includes the end users or clients, the people from whom requirements are drawn. This role has input on the design and reaps the benefits of the completed project.
Product Manager or Acceptance Owner or Product Owner
This role is the IT-sponsored manager who owns the application from an IT perspective and partners with the Project Manager and Program Manager on product direction. This role is responsible for working with the LoB to plan new applications or enhancements to existing applications.
Program Manager
This role is responsible for estimating the development effort and coordinating the activities in the design and development phases.
Project Manager (PM)
This role is responsible for organizing and monitoring the process of the project and confirming completion of all tasks and deliverables within each phase.
Project Team
This group is responsible for completing all tasks and deliverables within the project.
The team is composed of development managers, technical architects, business analysts, developers, and testers.

Policy Statements
Information Security
Information Security policies are integrated into the project from its inception onward, ensuring that adequate consideration is given to security throughout the SDLC. CyberOne senior management has developed rules for software and system development. The rules require internal and external system services to define their process and approach to secure coding, including architecture review, code review, scanning, and secure coding control testing.

System Acquisition, Development and Maintenance Program Governance
CyberOne shall implement formal application security risk governance that reviews the risks to information in transmission: unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay. Principles for engineering secure systems, documentation, and maintenance shall be applied to implementation efforts. Systems shall be designed, and resources allocated, according to technical and process standards, business needs, and product capabilities in order to achieve trustworthiness.

Release Management
Release Planning
Release planning occurs as part of the annual budgeting process at CyberOne. At the end of the budgeting process, the number of major releases of each application is known and tentative release dates are established.
At a minimum, release planning must produce a schedule that includes:
- Release milestones
- Security reviews at key milestones, including feature and non-functional requirement reviews
- Requirements milestones (both development and testing)
- Development deliverables
- Testing milestones

Project Sizing
CyberOne uses the Agile methodology and maintains a backlog of User Stories for each application. Prior to the initiation of a project, Product Management and the Project Team groom the backlog by selecting User Stories for a release based on the priority set by the LoB.
The Project Team, working with Product Management, seeks to understand each User Story so that it can estimate the Story Points for it. The size of a release is capped based on the number of Story Points allocated during the annual Release Planning exercise. The Story Point estimates are then reviewed by Product Management, and the release content is finalized and approved. User Stories are then assigned to a Sprint.

Deployment Planning Meeting
This meeting is the primary vehicle for organizing and coordinating releases, and includes the Release Manager, Project Manager, and IT Ops Manager. The meeting focuses on project timelines, dependencies, development and test environments, and any hardware or software needs.

Production Support
When a minor or patch release is required to meet business needs or resolve an issue in production, Product Management identifies the changes needed and the Development team analyzes and estimates the effort. Upon approval of the estimates, a minor or patch release is designated and follows the established release process.

Change Management
The designated Change Coordinator is responsible for analyzing the risk and impact of a release, with the assistance of the Project Team, and for obtaining approval per the CyberOne Change Management Policy.

Vendor Risk Management
Overview and Purpose
The purpose of this policy is to set out the company's vendor risk management practices for identifying, onboarding, monitoring and mitigating risks from critical vendors.
Scope
All/critical vendors in the supply chain.
Roles and Responsibilities
Contact your manager when you have to purchase critical supplies or services from a third party.
Policy Statements
Define critical vendors and conduct due diligence
On an annual schedule, Security will pull a vendor master list from the accounting/finance system. Each vendor [in scope] goes through a business impact analysis to tier the criticality of the vendors.
Tier 1 and 2 vendors go through a risk review process during onboarding, or during the annual review cycle for existing vendors. Document the products or services provided by the vendor. Document the relationship contacts for tier 1 and 2 vendors.

Onboarding/Risk Assessment for vendors
Analyze the risk of each tier 1 and 2 vendor by conducting a risk assessment, or request the vendor's SOC 2 Type 2 report to verify the vendor's control environment. Identify gaps that may be a risk to the company; these will need to be reported to management or the Board of Directors, or assigned to the vendor for mitigation.

Mitigate vendor risks
Monitor each issue through to resolution.

Monitor vendor risks
Use threat intelligence services to monitor the supply chain for new risks.

Vulnerability Management
1.1 Purpose
This standard defines the processes by which system defects that pose a threat to security are detected, and the timeframes in which those defects must be remediated.
1.2 Objective
This standard ensures that the defects posing the greatest risk to the security of the ACME enterprise environment are identified and addressed first, and that vulnerabilities are remediated to reduce the overall attack surface risk.
1.3 Owner
This standard is owned by the Chief Security Officer and authored by the Attack Surface Management team. Any material changes require prior approval from the Chief Security Officer and the Security Governance Committee. The Owner is responsible for ensuring the standard is reviewed at least annually, or whenever significant change occurs in the information security program or its processes.
2. Scope
This standard provides the minimum level of security controls required for the management of system defects with potential security impact on ACME assets, whether hosted within ACME data centres or within cloud-based implementations.
The scope of this document includes all ACME assets, including third-party and commercial off-the-shelf (COTS) solutions, and any associated vulnerabilities.
This standard covers:
- System defect identification - specifies the standards to which identification methods for system defects must adhere.
- Severity rating and timeframe - the information necessary to determine defect severity and the resulting required remediation timeframe.
Intended Audience
This standard applies to all ACME colleagues who have IT operational and IT service management responsibilities, along with those who have IT deployment responsibilities.
In addition, it may be necessary to share the content of this document with external parties such as business partners, customers, auditors and regulators. Such sharing shall be done in a controlled manner and after signing a Non-Disclosure Agreement.
Notation
Throughout this standard the following words have specific meanings:
- 'must' is used where a provision is mandatory
- 'could' or 'can' is used where alternatives are acceptable
- 'should' or 'may' is used where best practice is recommended but not mandated
3. Roles and Responsibilities
Attack Surface Management
[company] Attack Surface Management ([BUSINESS UNIT]) is responsible for oversight of the configuration, maintenance, patching and use of security defect identification tools.
References: NIST ID.RA-1; PCI DSS 6.1; ISO 27001 A.12.6; CIS CSC 4.1; FFIEC II.A.2
[BUSINESS UNIT] is authorized to utilize any tools and techniques deemed necessary by the ACME Chief Security Officer (CSO) for identifying system security defects, including, but not limited to: automated vulnerability scans, automated system configuration scans, infrastructure configuration analysis, penetration testing, dynamic and static application security testing, threat intelligence reports, and validated reports by users and customers.
References: NIST ID.RA-1, DE.CM-8; PCI DSS 11.2; ISO 27001 A.12.6; CIS CSC 4.1; FFIEC II.A.2
[BUSINESS UNIT] is responsible for tracking the types of assets employed by ACME against defect identification methods, and for coordinating with asset owners to address defects within the remediation timeline.
References: NIST ID.RA-1; PCI DSS 11.2.1; ISO 27001 A.12.6; CIS CSC 4.1; FFIEC II.A.2

Policy Statements
Implement an incident response plan to prepare for breaches
- Implement an incident response plan. Be prepared to respond immediately to a system breach.
PCI DSS v3.2 12.10
Perform penetration tests at least annually
- Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
PCI DSS v3.2 11.3.3
Penetration testing method
- Implement a methodology for penetration testing that:
  * Is based on industry-accepted penetration testing approaches (for example, NIST SP 800-115)
  * Includes coverage for the entire CDE perimeter and critical systems
  * Includes testing from both inside and outside the network
  * Includes testing to validate any segmentation and scope-reduction controls
  * Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  * Defines network-layer penetration tests to include components that support network functions as well as operating systems
  * Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  * Specifies retention of penetration testing results and remediation activity results
PCI DSS v3.2 11.3
Quarterly external vulnerability scans
- Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed until passing scans are achieved. Note: Quarterly external vulnerability scans must be performed by an ASV approved by the PCI SSC. Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
PCI DSS v3.2 11.2.2
Quarterly internal vulnerability scans
- Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify that all "high risk" vulnerabilities are resolved in accordance with the entity's vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.
PCI DSS v3.2 11.2.1
Internal and external scans at least quarterly and after any significant change
- Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify that non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
PCI DSS v3.2 11.2
Address new threats and vulnerabilities on an ongoing basis
- For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  * Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
  * Installing an automated technical solution that detects and prevents web-based attacks (for example, a web application firewall) in front of public-facing web applications, to continually check all traffic.
PCI DSS v3.2 06.6Review custom code prior to release to productionReview custom code prior to release to production- Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: * Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices. * Code reviews ensure code is developed according to secure coding guidelines * Appropriate corrections are implemented prior to release. * Code-review results are reviewed and approved by management prior to release. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6. PCI DSS v3.2 06.3.2Protected from known vulnerabilitiesProtected from known vulnerabilities- Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. PCI DSS v3.2 06.2Process to identify security vulnerabilitiesProcess to identify security vulnerabilities- Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. 
Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected. Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk-assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data. PCI DSS v3.2 06.1Manage defaults and security parametersManage defaults and security parameters- Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. PCI DSS v3.2 02.5Asset inventoryAsset inventory- Maintain an inventory of system components that are in scope for PCI DSS. PCI DSS v3.2 02.4Develop configuration standards for all system componentsDevelop configuration standards for all system components- Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. PCI DSS v3.2 02.2Change vendor defaults settings and accountsChange vendor defaults settings and accounts- Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 
This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.). PCI DSS v3.2 02.1Technical compliance reviewInformation systems shall be regularly reviewed for compliance with the organization’s information security policies and standards. ISO 27001:2013 (18.2.3)System acceptance testingAcceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. ISO 27001:2013 (14.2.9)System acceptance testingAcceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. ISO 27001:2013 (14.2.9)System security testingTesting of security functionality shall be carried out during development. ISO 27001:2013 (14.2.8)System security testingTesting of security functionality shall be carried out during development. ISO 27001:2013 (14.2.8)Technical vulnerability managementObjective: To prevent exploitation of technical vulnerabilities. ISO 27001:2013 (12.6)Technical vulnerability managementObjective: To prevent exploitation of technical vulnerabilities. ISO 27001:2013 (12.6)Management of technical vulnerabilitiesInformation about technical vulnerabilities of information system being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. ISO 27001:2013 (12.6.1)Operational procedures and responsibilitiesObjective: To ensure correct and secure operations of information processing facilities. ISO 27001:2013 (12.1)Responsibility for assetsObjective: To identify organizational assets and define appropriate protection responsibilities. 
ISO 27001:2013 (08.1)Incident ResponseIII.D Incident Response- Management should have an incident response program. The goal of incident response is to minimize damage to the institution and its customers. The institutions program should have defined protocols to declare and respond to an identified incident. More specifically, the incident response program should include, as appropriate, containing the incident, coordinating with law enforcement and third parties, restoring systems, preserving data and evidence, providing assistance to customers, and otherwise facilitating operational resilience of the institution. The response involves a combination of people and technologies. The quality of incident response is attributable to the institutions culture, policies, procedures, and training. Incident response is also a function of the relationships the institution formed before the incident with law enforcement, incident response consultants and attorneys, information-sharing entities (e.g., FSISAC), and others. Management should prepare for potential incidents by developing an incident response plan that is comprehensive, coordinated, and integrated with existing institution policies, procedures, and training. To validate the effectiveness of the institutions incident response program, management should periodically test it through different test types, including scenario planning and tabletop testing, and perform the tests with appropriate internal and external parties. Preparation determines the success of any intrusion response. Such preparation involves defining the policies and procedures that guide the response; assigning responsibilities to individuals; providing appropriate training; formalizing information flows; and selecting, installing, and understanding the tools used in the response effort. 
Additionally, management should define thresholds for reporting significant security incidents, and consider developing processes for when the institution should notify its regulators of incidents that may affect the institutions operations, reputation, or sensitive customer information. These incidents may include those that could affect the financial system. Primary considerations for incident response include the following: How to balance concerns regarding confidentiality, integrity, and availability for devices and data. This consideration is a key driver for a containment strategy and may involve legal and liability considerations. Management may decide that some systems must be disconnected or shut down at the first sign of intrusion, while others must be left on line. When and under what circumstances to invoke the incident response activities, and how to ensure that the proper personnel are notified and available. When to involve outside experts and how to ensure the proper expertise will be available when needed. This consideration addresses both containment and restoration. Protocols to define when and under what circumstances to notify and involve regulators, customers, and law enforcement, including names and contact information for each group. Which personnel have authority to perform specific actions in the containment of the intrusion and restoration of the system. This consideration affects the internal communications strategy, the commitment of personnel, and procedures that escalate involvement and decisions within the organization. How, when, and what to communicate outside of the institution, whether to law enforcement, regulatory agencies, information-sharing organizations, customers, third-party service providers, potential victims, or others. How to document and maintain the evidence, the decisions made, and the actions taken. What criteria must be met before compromised services, equipment, and software are returned to the network. 
How to learn from the intrusion and use lessons learned to improve the institutions security. How and when to prepare and file a Suspicious Activities Report. Successful implementation of any response policy or procedure requires the assignment of responsibilities, training, and testing. Some institutions formalize the response program with the creation of a security incident response team (SIRT). The SIRT typically is tasked with performing, coordinating, and supporting responses to security incidents and intrusions. Because of the wide range of technical and nontechnical issues posed by an intrusion, typical SIRT membership includes individuals with a wide range of backgrounds and expertise from different areas within the institution. Those areas include management, legal, and public relations, as well as IT staff. Other organizations may outsource some of the SIRT functions (e.g., forensic examinations). When SIRT functions are outsourced, management should require the third-party service provider to follow the institutions policies and maintain the confidentiality of data. Institutions should assess the adequacy of their preparation through testing. There are a variety of testing methods; therefore, management should consider the most applicable tests for its IT environment. Institutions can also participate with outside entities that provide testing activities (e.g., FS-ISAC). While containment strategies between institutions can vary, they typically include the following broad elements: Isolation of compromised systems or enhanced monitoring of intruder activities. Search for additional compromised systems. Collection and preservation of evidence. Communication with affected parties and often the primary regulator, information-sharing organizations (e.g., FS-ISAC), or law enforcement. Restoration and follow-up strategies should address the following: Elimination of an intruders means of access. Restoration of systems, programs, and data to a known good state. 
Initiation of customer notification and assistance activities consistent with laws, regulations, and interagency guidance. Monitoring to detect similar or further incidents. Management should periodically review the actions taken in response to intrusions to identify improvements and implement those improvements through changes in policy, standards, procedures, training, and practices. FFIEC IT EH 9/2016 III (III.D)Threat Identification and AssessmentIII.A. Threat Identification and Assessment- Management should do the following: Identify and assess threats. Use threat knowledge to drive risk assessment and response. Design policies to allow immediate and consequential threats to be dealt with expeditiously. Threat identification and assessment involves discovering knowledge about threat sources and vulnerabilities and analyzing the potential for exploitation. This is much more focused than the risk identification process described in the Risk Identification section of this booklet. Information gained from threat identification and assessment should be used in risk assessment and response to drive protective and detective strategies and tactics. Strategies involve the information security programs policies, standards, and procedures, and the implementing technologies. Examples of tactics include threat signatures used for incident identification and management of threat behaviors. NIST notes that types of threat sources include the following: Hostile cyber or physical attacks. Human errors of omission or commission. Structural failures of organization-controlled resources (e.g., hardware, software, and environmental controls). Natural and man-made disasters, accidents, and failures beyond the control of the organization. Management should develop procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information. The identification of threats involves the sources of threats, their capabilities, and their objectives. 
Information about threats generally comes from government (e.g., US-CERT), information-sharing organizations (e.g., FS-ISAC), industry sources, the institution, and third parties. Third-party information may be from organizations that specifically track and report on threats or from third-party reports of past activity. Some of those reports compile knowledge from incidents reported by many organizations worldwide. Different types of information supporting an assessment may be available through the following: Incident data from reports published by security providers and others. Attack data from sources including FS-ISAC and managed security service providers. Threat data through reports available either free or for a fee. The availability of threat information is often ad hoc, although some providers present threat information within a defined framework that readily lends itself to analytical operations. By using a threat taxonomy, the institution may greatly reduce the complexity of threat assessment and enable efficient understanding of reasonable risk mitigations. Specific factors in the threat assessment may include a description, context for operation, capabilities and intent, and, from the threat-source perspectives, benefits and negative consequences associated with an attack. Knowledge of threat sources is especially important to help identify vulnerabilities. Vulnerabilities can occur in many areas, such as the system design, the system operation, security procedures, business line controls, and the implementation of the system and controls. Self-assessments, audits, scans, penetration tests, and reviews of SIEM reports can identify vulnerabilities. Additionally, external individuals or groups can identify vulnerabilities. Tools for analyzing vulnerabilities in a layered security environment include attack trees, event trees, and kill chains. 
These tools attempt to model an attacker’s actions to enable identification of the most effective and efficient remediation options. Once a threat is identified and potential vulnerabilities are assessed, the significance of the threat should trigger a response. The response should be commensurate with the risk posed by the threat and should include remediation options. Management should design policies to allow for immediate and consequential threats to be dealt with expeditiously, while less significant threats are addressed as part of a broader risk management process. When management receives vulnerability information from external individuals or groups, management should have appropriate processes and procedures to evaluate the credibility of the information to appropriately address it. FFIEC IT EH 9/2016 III (III.A)Inventory and Classification of AssetsII.C.5 Inventory and Classification of Assets- Management should inventory and classify assets, including hardware, software, information, and connections. Management should maintain and keep updated an inventory of technology assets that classifies the sensitivity and criticality of those assets, including hardware, software, information, and connections. Management should have policies to govern the inventory and classification of assets both at inception and throughout their life cycle, and wherever the assets are stored, transmitted, or processed. Inventories enable management and staff to identify assets and their functions. Classification enables the institution to determine the sensitivity and criticality of assets. Management should use this classification to implement controls required to safeguard the institutions physical and information assets. Additionally, management can use the inventory to discover specific vulnerabilities, such as unauthorized software. 
Inventories are important for management to identify assets that require additional protection, such as those that store, transmit, or process sensitive customer information, trade secrets, or other information or assets that could be a target of cyber criminals. Knowing what information assets the institution has and where they are stored, transmitted, or processed helps management comply with federal and state laws and regulations regarding privacy and security of sensitive customer information. After inventorying the assets, management should classify the information according to the appropriate level of protection needed. For example, systems containing sensitive customer information may require access controls based on job responsibilities. These systems should have stronger controls than systems containing information meant for the general public. Some institutions classify information as public, non-public, or institution-confidential, while others use the classifications high, moderate, and low. Additional classifications, such as critical and noncritical, may be helpful to certain types of institutions. FFIEC IT EH 9/2016 II (II.C.5)Application SecurityII.C.17 Application Security- Management should use applications that have been developed following secure development practices and that meet a prudent level of security. Management should develop security control requirements for all applications, whether the institution acquires or develops them. Information security personnel should be involved in monitoring the application development process to verify that secure development practices are followed, security controls are implemented, and information security needs are met. Institutions and their customers use a wide variety of applications. Such applications include core banking applications, web applications, and installable applications (e.g., downloadable mobile applications). 
A secure software development life cycle ensures that Internet- and client-facing applications have the necessary security controls. The institution should ensure that all applications are securely developed. To verify the controls have been developed and implemented appropriately, management should perform appropriate tests (e.g., penetration tests, vulnerability assessments, and application security tests) before launching or making significant changes to external-facing applications. Issues noted from tests should be remediated before launching applications or moving changes into production. At institutions that employ third parties to develop applications, management should ensure that the third parties meet the same controls. Applications should provide the ability for management to do the following: Implement a prudent set of security controls (e.g., password and audit policies), audit trails of security and access changes, and user activity logs for all applications. Establish user and group profiles for applications if not part of a centralized identity access management system Change and disable default application accounts upon installation. Review and install patches for applications in a timely manner. Implement validation controls for data entry and data processing. Integrate additional authentication and encryption controls, as necessary, to ensure integrity and confidentiality of data and non-repudiation of transactions. Protect web or Internet-facing applications through additional controls, including web application firewalls, regular scanning for new or recurring vulnerabilities, mitigation or remediation of common security weaknesses, and network segregation to limit inappropriate access or connections to the application or other areas of the network. Mitigate risks from potential flaws in applications allowing remote access by customers and others through network, host, and application layer architecture considerations. 
Obtain attestation or evidence from third-party developers that the application acquired by the institution meets the necessary security requirements and that noted vulnerabilities or flaws are remediated in a timely manner. Perform ongoing risk assessments to consider the adequacy of application-level controls in light of changing threat, network, and host environments. Implement minimum controls recommended by the third-party service provider and consider supplemental controls as appropriate. Review available audit reports, and consider and implement appropriate control recommendations Collect data to build metrics and reporting of configuration management compliance, vulnerability management, and other measurable items as determined by management. Whether the institution acquires or develops applications, management should establish security control requirements for new systems, system revisions, or new system acquisitions. Management should define the security control requirements based on its risk assessment process and evaluate the value of the information at risk and the potential impact of unauthorized access or damage within existing software development and acquisition processes. Management should have a process to determine risks posed by the system and necessary security requirements. Management may also refer to published, widely recognized industry standards as a starting point for establishing the institutions security requirements. Information security personnel should be involved from the outset in the application development process to determine whether security controls are designed, tested, and implemented and information security needs are being met. Monitoring the development environment can help ensure that the implemented controls are functioning properly. 
Institutions that purchase applications typically rely on third-party service providers to develop applications with appropriate security built-in; management, however, should perform its own verification to determine whether the application meets the institutions security requirements. Management should analyze the environment where the application will reside. As the environment changes, the security requirements and assurance needs for the application may also change. Management should leverage available resources to assist in risk identification and improve the institutions application security practices. FFIEC IT EH 9/2016 II (II.C.17)Patch ManagementII.C.10(d) Patch Management- Frequently, security vulnerabilities are discovered in operating systems and other software after deployment. Hackers often will attempt to exploit these known vulnerabilities to try to gain access to the institutions systems. Third parties issue patches to address vulnerabilities found on institution systems and applications. Management should implement automated patch management systems and software to ensure all network components (virtual machines, routers, switches, mobile devices, firewalls, etc.) are appropriately updated. In addition, management should use vulnerability scanners periodically to identify vulnerabilities in a timely manner. As part of the institutions patch management process, management should establish and implement the following: A monitoring process that identifies the availability of software patches. A process to evaluate the patches against the threat and network environment. A prioritization process to determine which patches to apply across classes of computers and applications. A process for obtaining, testing, and securely installing patches, including in the institutions virtual environments. An exception process, with appropriate documentation, for patches that management decides to delay or not apply. 
A process to ensure that all patches installed in the production environment are also installed in the disaster recovery environment in a timely manner. A documentation process to ensure the institutions information assets and technology inventory and disaster recovery plans are updated as appropriate when patches are applied. The institution should have procedures that include how to implement patches to mitigate risks of changing systems and address systems with unique configurations. Before applying a patch, management should back up the production system. Additionally, management should define appropriate patch windows and, whenever possible, restrict the implementation of patches to defined time frames to minimize business impact or potential down time. Patches make direct changes to the software and configuration of each system to which they are applied. While patches are necessary and useful, they may have unintended negative consequences, such as introducing new vulnerabilities, reintroducing old vulnerabilities, or degrading system performance. The following actions can help ensure patches do not compromise the security of the institutions systems: Obtain the patch from a known, trusted source. Verify the integrity of the patch through comparisons of cryptographic hashes to ensure the patch obtained is correct and unaltered. Protect and monitor the systems used to distribute patches to ensure only authorized patches are distributed. Apply the patch to an isolated test system before installing on the production system to ensure the patch is compatible with other software used on systems, does not alter the systems security posture in unexpected ways (such as altering log settings), and corrects the pertinent vulnerability. Test the resulting system to validate the effectiveness of the applied patch. 
FFIEC IT EH 9/2016 II (II.C.10(d))Standard BuildsII.C.10(c) Standard Builds- Consistency in system configuration makes security easier to implement and maintain. The institution should use standard builds, which allow one documented configuration to be applied to multiple computers in a controlled manner. Some institutions, depending on their size and complexity, may have many standard builds for the different system configurations needed to address various business functions. Through standard builds, an institution simplifies the following activities: Creating hardware and software inventories. Updating and patching systems. Restoring systems in the event of a disaster or outage. Investigating anomalous activity. Auditing configurations for conformance with the approved configuration. The institution may not be able to meet all of its requirements from its standard builds. The use of nonstandard builds should be documented and approved by management, with appropriate changes made to patch management and disaster recovery plans. FFIEC IT EH 9/2016 II (II.C.10(c))HardeningII.C.10(b) Hardening- Institutions typically use commercial off-the-shelf (COTS) software for operating systems and applications, on such diverse platforms as network infrastructure, servers, desktops, laptops, and mobile devices. COTS systems generally provide more functions than are required for the specific purposes for which they are employed. A default installation of a server operating system may include mail, web, and file-sharing services on a system that does not require those functions. Unnecessary software and services represent a potential security weakness. Their presence increases the potential number of discovered and undiscovered vulnerabilities in the system. Additionally, system administrators may not install patches or monitor the unused software and services to the same degree as they would operational software and services. 
Protection against those risks begins when the systems are constructed and software installed through a process that is referred to as hardening a system. Management should consult operating system and software vendor-recommended security controls. When deploying COTS applications and systems, management should harden the resulting applications and systems. Hardening can include the following actions: Determining the purpose of the applications and systems and documenting minimum software and hardware requirements and services to be included. Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure. Installing necessary patches. Installing the most secure and up-to-date versions of applications. Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user (i.e., enforcing the principle of least privilege). Configuring security settings as appropriate, enabling allowed activity, and prohibiting non-approved activities. Enabling logging. Creating cryptographic hashes of key files. Archiving the configuration and checksums in secure storage before system deployment. Using secure replication procedures for additional, identically configured systems and making configuration changes on a case-by-case basis. Changing all default passwords. Testing the system to ensure a secure configuration. Additionally, the systems should be audited periodically to ensure that the hardware, software,and services are authorized and properly configured. FFIEC IT EH 9/2016 II (II.C.10(b))Configuration ManagementII.C.10(a) Configuration Management- Configuration management is a process to securely maintain the institutions technology by developing expected baselines for tracking, controlling, and managing systems settings. To mitigate information security risk, management should control configurations of systems, applications, and other technology. 
Effective configuration management relies on policies and procedures to ensure compliance with minimally acceptable system configuration requirements. When information systems change, management should update baselines; confirm security settings; and track, verify, and report configuration items. Configurations should be monitored for unauthorized changes, and misconfigurations should be identified. Management can use automated solutions to help track, manage, and identify necessary corrections. FFIEC IT EH 9/2016 II (II.C.10(a))

Change Management Within the IT Environment
II.C.10 Change Management Within the IT Environment - Management should have a process to introduce changes to the environment in a controlled manner. Changes to the IT environment include the following:
- Configuration management of IT systems and applications.
- Hardening of systems and applications.
- Use of standard builds.
- Patch management.
The IT environment consists of operating systems, middleware, applications, file systems, and communications protocols. The institution should have an effective process to introduce application and system changes, including hardware, software, and network devices, into the IT environment. The process for introducing software should encompass securely developing, implementing, and testing changes to both internally developed and acquired software. Application and system control considerations for introducing changes to the IT environment before implementation should include the following:
- Developing procedures to guide the process of introducing changes to the environment.
- Clearly defining requirements for changes.
- Restricting changes to authorized users.
- Reviewing the impact that changes have on security controls.
- Identifying all system components affected by the changes.
- Developing test scripts and implementation plans.
- Performing necessary tests of all changes to the environment (e.g., systems testing, integration testing, functional testing, user acceptance testing, and security testing).
- Defining rollback procedures in the event of unintended or negative consequences from the introduced changes.
- Ensuring the application or system owner has authorized changes in advance.
- Maintaining strict version control of all software updates.
- Validating that new hardware complies with institution policies.
- Ensuring network devices are properly configured and function appropriately within the environment.
- Maintaining an audit trail of all changes.
Refer to the IT Handbook's Development and Acquisition booklet for more information. FFIEC IT EH 9/2016 II (II.C.10)

Vulnerabilities
II.A.2 Vulnerabilities - A vulnerability is a weakness in an information system, system security procedure, internal control, or implementation that could be exploited by a threat source. A technical vulnerability can be a flaw in hardware, firmware, or software that leaves an information system open to potential exploitation. These flaws provide opportunities for hackers to gain access to a computer system, execute commands as another user, or access data contrary to specified access restrictions. Institutions can use automated vulnerability scanners to scan their computer systems for known security exposures, as well as services available from third parties, such as the MITRE Corporation's Common Vulnerabilities and Exposures (CVE), to track vulnerabilities. In addition to technology-based vulnerabilities, weaknesses in business operational processes can create security vulnerabilities, exposing financial institutions to unwarranted risk. These vulnerabilities can include weaknesses in security procedures, administrative controls, physical layout, or internal controls that could be exploited to gain unauthorized access to information or to disrupt critical services.
For example, an institution's systems architecture may be designed based on management's assumption that manual validation of wire transfers takes place before execution, when in practice the business process does not perform that validation until after transfers have taken place. In addition to the vulnerabilities within a financial institution's system, vulnerabilities may also arise from interdependent and interconnected systems. Financial institutions connect their systems through mergers and acquisitions and through relationships with third parties. Over time, as these systems become increasingly interdependent and complex, new vulnerabilities may be introduced. Moreover, financial institutions are dependent on a vast array of hardware and services that may result in vulnerabilities from their supply chains, including those found in hardware and software products. Management should assess whether the institution has processes and procedures in place to identify and maintain a catalog of relevant vulnerabilities, determine which pose a significant risk to the institution, and effectively mitigate and monitor the risks posed by those vulnerabilities. When management cannot or chooses not to mitigate a vulnerability, management should document the decision to accept the risk, the level of risk associated with the vulnerability, and the person accountable for accepting the risk. Refer to the Security Operations section of this booklet for more information. FFIEC IT EH 9/2016 II (II.A.2)

- Newly identified vulnerabilities are mitigated or documented as accepted risks (CSFv1.1-RS.MI-3)
- Personnel know their roles and order of operations when a response is needed (CSFv1.1-RS.CO-1)
- Configuration change control processes are in place (CSFv1.1-PR.IP-3)
- A System Development Life Cycle to manage systems is implemented (CSFv1.1-PR.IP-2)
- A vulnerability management plan is developed and implemented (CSFv1.1-PR.IP-12)
- A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality) (CSFv1.1-PR.IP-1)
- Physical and cybersecurity personnel understand their roles and responsibilities (CSFv1.1-PR.AT-5)
- Threats, vulnerabilities, likelihoods, and impacts are used to determine risk (CSFv1.1-ID.RA-5)
- Cyber threat intelligence is received from information sharing forums and sources (CSFv1.1-ID.RA-2)
- Asset vulnerabilities are identified and documented (CSFv1.1-ID.RA-1)
- Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners (CSFv1.1-ID.GV-2)
- Vulnerability scans are performed (CSFv1.1-DE.CM-8)

Establish a process to risk-rate vulnerabilities
Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, segmented by appropriate groups of assets (for example, DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to the organization. Establish expected patching timelines based on the risk rating level. CIS CSC 4.8

Deploy automated patch management and software update tools
Deploy automated patch management tools and software update tools for operating systems and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped. CIS CSC 4.5

Regularly update vulnerability intelligence services and scanning tools
Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization's vulnerability scanning activities on at least a monthly basis. Alternatively, ensure that the vulnerability scanning tools you use are regularly updated with all relevant important security vulnerabilities. CIS CSC 4.4

Perform vulnerability scanning in authenticated mode
Perform vulnerability scanning in authenticated mode, either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested. Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. Ensure that only authorized employees have access to the vulnerability management user interface and that roles are applied to each user. CIS CSC 4.3

Regularly use an automated, SCAP-validated vulnerability scanner
Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator, along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project). CIS CSC 4.1

Control and monitor any accounts performing penetration testing
Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. CIS CSC 20.2

Conduct external and internal penetration tests
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that could be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks. CIS CSC 20.1

Test web applications for common security weaknesses
Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. In particular, input validation and output encoding routines of application software should be reviewed and tested. CIS CSC 18.4

Perform and document explicit error checking for all input
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. CIS CSC 18.3

Verify device configurations and detect changes
Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be logged and automatically reported to security personnel. CIS CSC 11.3

Document and record new configuration rules in a management system
All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need. CIS CSC 11.2

Document security configuration for all network devices
Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
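Two of the controls above, hashing key files and archiving the checksums before deployment (hardening, II.C.10(b)) and verifying configurations to detect changes (CIS CSC 11.3), come down to one baseline-and-verify routine. The following is an added example written for this page, not code from the policy template or from any of the cited standards; the file paths and contents are constructed samples placed in a temporary directory.

```python
"""Baseline-and-verify check for key configuration files (added example, not policy
text): hash key files at build time, archive the checksums, re-hash later, report drift."""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large files are handled."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, relative_paths):
    """Checksum set for the key files; this is what gets archived before deployment."""
    return {rel: hash_file(os.path.join(root, rel)) for rel in relative_paths}


def verify(root, baseline):
    """Re-hash baselined files and classify each as unchanged, modified or missing.
    Entries under 'modified' or 'missing' are the alterations to log and report."""
    report = {"unchanged": [], "modified": [], "missing": []}
    for rel, expected in sorted(baseline.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        # compare_digest: constant-time comparison of the two hex digests
        ok = hmac.compare_digest(hash_file(full), expected)
        report["unchanged" if ok else "modified"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline two sample config files, simulate an
    unauthorized edit after deployment, and return the drift report."""
    root = tempfile.mkdtemp()
    key_files = {  # constructed contents, not taken from any real system
        "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "etc/sudoers": b"root ALL=(ALL) ALL\n",
    }
    for rel, content in key_files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    # Archive the baseline. In production this belongs in secure storage off the
    # host; a JSON file under the temp root keeps the example self-contained.
    baseline_path = os.path.join(root, "baseline.json")
    with open(baseline_path, "w") as fh:
        json.dump(build_baseline(root, key_files), fh)
    # Simulated drift: root login re-enabled after deployment.
    with open(os.path.join(root, "etc/ssh/sshd_config"), "wb") as fh:
        fh.write(b"PermitRootLogin yes\nPasswordAuthentication no\n")
    with open(baseline_path) as fh:
        return verify(root, json.load(fh))
```

Calling `demo()` returns the sshd_config entry under `modified` and sudoers under `unchanged`; in a real deployment the `verify` step would run on a schedule against the archived baseline and anything outside `unchanged` would raise an alert.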
CIS CSC 11.1

Maintain an asset inventory
Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet Protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice over IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network. CIS CSC 1.4

Wireless Policy

Overview and Purpose
The purpose of this policy is to provide detailed standards for the company's wireless applications.

Scope
This policy shall be followed for [all or certain] systems in-scope.

Roles & Responsibility
Policy Author - the person/team responsible for maintaining updates of this policy
Policy Approver - the person who will approve the policy annually and the exception requests related to any deviation from this policy
All Employees - must follow this policy or file an exception request when a situation requires deviating from the policy. Must acknowledge the policy for the audit record and must take security awareness training annually.
Security Officer - enable the security program for employees to adhere to and implement solutions to meet the policy. Manage overall risks to the policy.

Policy Statements
Wireless Connectivity - each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need.
All wireless infrastructure devices that reside at a [Company] site and connect to a [Company] network, or provide access to information classified as [Company] Confidential or above, must:
- Abide by the standards specified in the Wireless Policy.
- Be installed, supported, and maintained by an approved support team.
- Use approved authentication protocols and infrastructure.
- Use approved encryption protocols.
- Maintain a hardware address (MAC address) that can be registered and tracked.
- Not interfere with wireless access deployments maintained by other support organizations.
All wireless infrastructure devices that connect to a network or provide access to Confidential, Secret, or Restricted information must use secure cryptographic protocols.
Isolated wireless device requirements must adhere to the following:
- Lab device Service Set Identifier (SSID) must be different from the [Company] production device SSID.
- Broadcast of lab device SSIDs must be disabled.
- Perimeter firewalls are implemented and configured to restrict unauthorized traffic.
- Guest wireless networks are fully segregated from the internal network.
- Wireless networks use strong encryption with encryption keys that are changed regularly.
- Wireless network environments require security settings with strong encryption for authentication and transmission.
- The broadcast range of the wireless network(s) is confined to within controlled boundaries.
Guest wireless access must comply with the following:
- Access to the [Company] wireless guest network is designed for guest use, and as such may not include the same restrictions as the corporate [Company] wireless network.
- The guest network must not be able to access the corporate network.
- The guest wireless network may also include logging and monitoring of Internet use. Abuse of this privilege may result in loss of access. Refer to the [Company] Information Security Policy for additional information.
- Content filtering must be implemented to protect [Company] from malicious activity, and includes filtering at the port, protocol, or service level.
- Guests must be presented with a portal page listing acceptable use criteria which they must accept in order to access the guest wireless network.
All home wireless infrastructure devices that provide direct access to a [Company] network, such as those behind Enterprise Class Teleworker (ECT) or hardware VPN, should adhere to the following:
- Enable Wi-Fi Protected Access Pre-shared Key (WPA-PSK), EAP-FAST, PEAP, or EAP-TLS.
- When enabling WPA-PSK, users should configure a complex shared secret key on the wireless client and the wireless access point.
- Disable broadcast of SSID.
- Change the default SSID name.
- Change the default login and password.
[Company] shall disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a documented business need. [Company] shall disable peer-to-peer wireless network capabilities on wireless clients.
[Company] shall ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which provide credential protection and mutual authentication.
[Company] shall use at least Advanced Encryption Standard (AES) encryption with at least Wi-Fi Protected Access 2 (WPA2) protection for all wireless traffic.
[Company] shall use Wireless Intrusion Detection Systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition, all wireless traffic should be monitored by WIDS as it passes into the wired network.
[Company] shall configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.
Reference: FFIEC CAT 06/2015 D3.PC.Im.Int.3, 06/2015 D3.PC.Im.E.5, 06/2015 D3.PC.Im.Int.4, 06/2015 D3.PC.Im.B.10, 06/2015 D3.PC.Im.Int.5, NIST SP 800-53 Rev 4 SC-40 (03) CE, CIS CSC 15.1, CIS CSC 15.8, CIS CSC 15.7, CIS v7.0 C15 (15.6), CIS v7.0 C15 (15.9), CIS CSC 15.3, CIS CSC 15.2, CIS v7.0 C15 (15.1), CIS CSC 15.6, CIS v7.0 C15 (15.8), CIS CSC 15.5, NIST SP 800-53 Rev 4 SI-04 (14) CE

Logging, Monitoring and Maintenance
Wireless activity logs will be monitored by Information Security.
Monitoring will include regular testing for rogue access points.
Device management will utilize secure protocols such as HTTPS and SSL.
Wireless networking equipment is to be kept up to date; refer to the [Company] Vulnerability Management Policy and to the [Company] Logging Policy for additional information.