Versions Compared

Version Old Version 5 New Version 6
Changes made by

Isaac Straley

Isaac Straley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

Risk assessment, asset inventory and classification; Identification of systems storing and accessing data (III.B)

Required

Recommended

Recommended

 

 

Formal proprietor authorization for sharing data (III.C, 4th paragraph)

Required

Recommended

Optional

Procedures to inform staff of information security responsibilities. (III.C.1.a)

Required

Required

Required

 

 

Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties (III.C.1)

Required

Recommended

Optional

 

 

Background checks (III.C.1.b; III.F)

Required

Recommended

Optional

 

 

Third party agreements with data security language (III.F)

Required

Recommended

Optional

 

 

Take appropriate personnel/disciplinary action for violations of law or policy (III.C.1.c)

Required

Required

Required

 

 

Education and security awareness training (III.E)

Required

Recommended

Recommended

 

 

Operational Controls

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

Secure and accountable means of authorization and authentication (III.C.2.a)

Required

Required

Optional

 

 

Prompt modification or termination of access or access levels in response to authorization changes (III.C.1)

Required

Required

Optional

 

 

Password guidelines and password vulnerability assessment (III.C.2.b.i)

Required

Required

Required

 

 

Delete, redact or de-identify data whenever possible (III.C,
third paragraph)

Required

Recommended

Optional

Do not store data on portable devices (III.C.3.e)

Required

Recommended

Optional

 

 

Incident response planning and notification procedures (III.D)

Required

Required

Required

 

 

Access and activity audit and logging procedures, including access attempts and privileged access (III.C.2.b.iii; III.C.2.f; Appendix D)

Required

Required for financial instruments; otherwise recommended

Optional

 

 

Application security:
System and application development standards, application vulnerability assessment (test, development, and production)(II I.C.2.c.v)

Required

Required

Recommended

 

 

Authorized, documented change management procedures (III.C.2.e)

Required

Recommended

Optional

 

 

Backup systems supporting essential activities (III.C.2.c.ii)

Required

Required

Required

 

 

Technical Controls

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

Network firewalls and IDS/IPS (III.C.2.d)

Required

Recommended

Optional

Encryption:

  • stored data (III.C.2.g; Appendix E)
  • transmitted data (III.C.2.g; Appendix E)
  • backups where physical security is at risk (III.C.2.c.ii;
    Appendix E)
  • protective measures such as encryption for data on portable devices and media (III.C.2.g; (III.C.3.e)
  • appropriate encryption key management to ensure the availability of encrypted authoritative information (III.C.2.g; Appendix E)

Required

Recommended

Optional

Ensure proper user authentication and authorization for users and administrators on all systems (III.C.2.b)

Required

Required

Recommended

Centralized log management, alerting on improper activity, and log retention (III.C.2.b)

Required

Recommended

Optional

Physical Controls

Physical access controls; Facility access controls (III.C.3.b)

Required

Required

Required

Disposal and re-use:
Securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed (III.C.3.d)

Required

Required

Recommended

Physical security for portable devices and media (III.C.3.e)

Required

Recommended

Optional

Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks (III.C.3.c)

Required

Required for financial instruments; otherwise recommended

Optional

Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (III.C.3.c)

Required

Required for financial instruments; otherwise recommended

Optional

Disaster Recovery and Business Continuity Plan (III.C.3.a)

Required

Recommended

Optional

Minimum Network Connectivity Requirements* (IV):

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

1. Access control measures for controlled electronic information resources (III.C.2.b; IV.A)

Required

Required

Required

2. Encrypted transmission of restricted data including passwords (III.C.2.b.i; III.C.2.g; IV.B)

Required

Required

Required

3. Software updates / patch management (III.C.2.c.iv; IV.C)

Required

Required

Required

4. Malicious software protection (III.C.2.c.iii; IV.D)

Required

Required

Required

5. Removal of unnecessary services (IV.E)

Required

Required

Required

6. Host-based firewalls (III.C.2.d; IV.F)

Required

Required

Required

7. No unauthorized email relays (IV.G)

Required

Required

Required

8. No unauthorized, unauthenticated proxy servers (IV.H)

Required

Required

Required

9. Physical security and session timeout (III.C.2.b.ii;
III.C.3.b; IV.I)

Required

Required

Required