Versions Compared

Version Old Version 10 New Version 11
Changes made by

Isaac Straley

Isaac Straley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Section
Column
width18%
Center

Contents

Table of Contents
outlinetrue
stylenone
typelist
Column
width77%

Minimum Network Connectivity Requirements

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

1. Access control measures for controlled electronic information resources

Required

Required

Required

III.C.2.b
IV.A

 

2. Encrypted transmission of restricted data including passwords

Required

Required

Required

III.C.2.b.i
III.C.2.g
IV.B

 

3. Software updates / patch management

Required

Required

Required

 

 

4. Malicious software protection ( III.C.2.c.iii; iv
IV.D) C

 

4. Malicious software protection

Required

Required

Required

( III.C.2.c.iv iii
IV.C) D

 

5. Removal of unnecessary services

Required

Required

Required

IV.E

 

6. Host-based firewalls

Required

Required

Required

III.C.2.d
IV.F

 

7. No unauthorized email relays

Required

Required

Required

IV.G

 

8. No unauthorized, unauthenticated proxy servers

Required

Required

Required

IV.H

 

9. Physical security and session timeout

Required

Required

Required

III.C.2.b.ii
III.C.3.b
IV.I

 

Administrative Controls

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

Risk assessment, asset inventory and classification; Identification of systems storing and accessing data (III.B)

Required

Recommended

Recommended  

III.B

 

Formal proprietor authorization for sharing data (III.C, 4th paragraph)

Required

Recommended

Optional  

III.C, 4th paragraph

 

Procedures to inform staff of information security responsibilities. (

Required

Required

Required

III.C.1.a )

Required

Required

Required

 

 

Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties (

Required

Recommended

Optional

III.C.1 )

 

Background checks

Required

Recommended

Optional  

 

Background checks ( III.C.1.b ;
III.F )

Required

Recommended

Optional

 

 

Third party agreements with data security language (III.F)

Required

Recommended

Optional  

III.F

 

Take appropriate personnel/disciplinary action for violations of law or policy (

Required

Required

Required

III.C.1.c )

Required

Required

Required

 

 

Education and security awareness training (III.E)

Required

Recommended

Recommended  

III.E

 

Operational Controls

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

Secure and accountable means of authorization and authentication (

Required

Required

Optional

III.C.2.a ) Required

Required

Optional

 

 

Prompt modification or termination of access or access levels in response to authorization changes (III.C.1)

Required

Required

Optional  

III.C.1

 

Password guidelines and password vulnerability assessment (

Required

Required

Required

III.C.2.b.i )

Required

Required

Required

 

 

Delete, redact or de-identify data whenever possible (III.C, third paragraph)

Required

Recommended

Optional

III.C

 

Do not store data on portable devices (

Required

Recommended

Optional

III.C.3.e )

Required

Recommended

Optional

 

 

Incident response planning and notification procedures (III.D)

Required

Required

Required  

III.D

 

Access and activity audit and logging procedures, including access attempts and privileged access (

Required

Required for financial instruments; otherwise recommended

Optional

III.C.2.b.iii ;
III.C.2.f ;
Appendix D)

Required

Required for financial instruments; otherwise recommended

Optional

 

 

Application security:
System and application development standards, application vulnerability assessment (test, development, and production) (

Required

Required

Recommended

II I.C.2.c.v ) Required

Required

Recommended

 

 

Authorized, documented change management procedures (

Required

Recommended

Optional

III.C.2.e)

Required

Recommended

Optional

 

 

Backup systems supporting essential activities (

Required

Required

Required

III.C.2.c.ii )

Required

Required

Required

 

 

Technical Controls

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

Network firewalls and IDS/IPS (

Required

Recommended

Optional

III.C.2.d )

Required

Recommended

Optional

 

 

Encryption:

  • stored data (III.C.2.g; Appendix E)
  • transmitted data (III.C.2.g; Appendix E)
  • backups where physical security is at risk (III.C.2.c.ii; Appendix E)
  • protective measures such as encryption for data on portable devices and media (III.C.2.g; (III.C.3.e)
  • appropriate encryption key management to ensure the availability of encrypted authoritative information (

Required

Recommended

Optional

III.C.2.c.ii
III.C.2.g

;


III.C.3.e
Appendix E

)

Required

Recommended

Optional

 

 

Ensure proper user authentication and authorization for users and administrators on all systems (

Required

Required

Recommended

III.C.2.b )

Required

Required

Recommended

 

 

Centralized log management, alerting on improper activity, and log retention (

Required

Recommended

Optional

III.C.2.b )

Required

Recommended

Optional

 

 

Physical Controls

Controls Family

High
Restricted Data

Medium
Sensitive Data

Low
Non-Confidential Data

IS-3 Requirement

Required for Insurance

Physical access controls; Facility access controls (

Required

Required

Required

III.C.3.b )

Required

Required

Required

 

 

Disposal and re-use:
Securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed (

Required

Required

Recommended

III.C.3.d )

Required

Required

Recommended

 

 

Physical security for portable devices and media (

Required

Recommended

Optional

III.C.3.e )

Required

Recommended

Optional

 

 

Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks (III.C.3.c)

Required

Required for financial instruments; otherwise recommended

Optional  

III.C.3.c

 

Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (III.C.3.c)

Required

Required for financial instruments; otherwise recommended

Optional  

III.C.3.c

 

Disaster Recovery and Business Continuity Plan (

Required

Recommended

Optional

III.C.3.a )

Required

Recommended

Optional

 

 

Column
width5%