...

Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance
--- | --- | --- | --- | --- | ---
Network firewalls and IDS/IPS (III.C.2.d) | Required | Recommended | Optional | |
Encryption: stored data (III.C.2.g; Appendix E); transmitted data (III.C.2.g; Appendix E); backups where physical security is at risk (III.C.2.c.ii; Appendix E); protective measures such as encryption for data on portable devices and media (III.C.2.g; III.C.3.e); appropriate encryption key management to ensure the availability of encrypted authoritative information (III.C.2.g; Appendix E) | Required | Recommended | Optional | |
Ensure proper user authentication and authorization for users and administrators on all systems (III.C.2.b) | Required | Required | Recommended | |
Centralized log management, alerting on improper activity, and log retention (III.C.2.b) | Required | Recommended | Optional | |

Physical Controls

Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance
--- | --- | --- | --- | --- | ---
Physical access controls; Facility access controls (III.C.3.b) | Required | Required | Required | |
Disposal and re-use: Securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed (III.C.3.d) | Required | Required | Recommended | |
Physical security for portable devices and media (III.C.3.e) | Required | Recommended | Optional | |
Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks (III.C.3.c) | Required | Required for financial instruments; otherwise recommended | Optional | |
Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (III.C.3.c) | Required | Required for financial instruments; otherwise recommended | Optional | |
Disaster Recovery and Business Continuity Plan (III.C.3.a) | Required | Recommended | Optional | |

Minimum Network Connectivity Requirements

...

Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance
--- | --- | --- | --- | --- | ---
1. Access control measures for controlled electronic information resources (III.C.2.b; IV.A) | Required | Required | Required | |
2. Encrypted transmission of restricted data including passwords (III.C.2.b.i; III.C.2.g; IV.B) | Required | Required | Required | |
3. Software updates / patch management (III.C.2.c.iv; IV.C) | Required | Required | Required | |
4. Malicious software protection (III.C.2.c.iii; IV.D) | Required | Required | Required | |
5. Removal of unnecessary services (IV.E) | Required | Required | Required | |
6. Host-based firewalls (III.C.2.d; IV.F) | Required | Required | Required | |
7. No unauthorized email relays (IV.G) | Required | Required | Required | |
8. No unauthorized, unauthenticated proxy servers (IV.H) | Required | Required | Required | |
9. Physical security and session timeout (III.C.2.b.ii; III.C.3.b; IV.I) | Required | Required | Required | |