| Controls Family | High Restricted Data | Medium Sensitive Data | Low Non-Confidential Data | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| 1. Access control measures for controlled electronic information resources | Required | Required | Required | III.C.2.b, IV.A | |
| 2. Encrypted transmission of restricted data including passwords | Required | Required | Required | III.C.2.b.i, III.C.2.g, IV.B | |
| 3. Software updates / patch management | Required | Required | Required | III.C.2.c.iv, IV.C | |
| 4. Malicious software protection | Required | Required | Required | III.C.2.c.iii, IV.D | |
| 5. Removal of unnecessary services | Required | Required | Required | IV.E | |
| 6. Host-based firewalls | Required | Required | Required | III.C.2.d, IV.F | |
| 7. No unauthorized email relays | Required | Required | Required | IV.G | |
| 8. No unauthorized, unauthenticated proxy servers | Required | Required | Required | IV.H | |
| 9. Physical security and session timeout | Required | Required | Required | III.C.2.b.ii, III.C.3.b, IV.I | |


| Controls Family | High Restricted Data | Medium Sensitive Data | Low Non-Confidential Data | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Risk assessment, asset inventory and classification; identification of systems storing and accessing data | Required | Recommended | Recommended | III.B | |
| Formal proprietor authorization for sharing data | Required | Recommended | Optional | III.C, 4th paragraph | |
| Procedures to inform staff of information security responsibilities | Required | Required | Required | III.C.1.a | |
| Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties | Required | Recommended | Optional | III.C.1 | |
| Background checks | Required | Recommended | Optional | III.C.1.b, III.F | |
| Third party agreements with data security language | Required | Recommended | Optional | III.F | |
| Take appropriate personnel/disciplinary action for violations of law or policy | Required | Required | Required | III.C.1.c | |
| Education and security awareness training | Required | Recommended | Recommended | III.E | |


| Controls Family | High Restricted Data | Medium Sensitive Data | Low Non-Confidential Data | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Secure and accountable means of authorization and authentication | Required | Required | Optional | III.C.2.a | |
| Prompt modification or termination of access or access levels in response to authorization changes | Required | Required | Optional | III.C.1 | |
| Password guidelines and password vulnerability assessment | Required | Required | Required | III.C.2.b.i | |
| Delete, redact or de-identify data whenever possible | Required | Recommended | Optional | III.C | |
| Do not store data on portable devices | Required | Recommended | Optional | III.C.3.e | |
| Incident response planning and notification procedures | Required | Required | Required | III.D | |
| Access and activity audit and logging procedures, including access attempts and privileged access | Required | Required for financial instruments; otherwise recommended | Optional | III.C.2.b.iii, III.C.2.f, Appendix D | |
| Application security: system and application development standards, application vulnerability assessment (test, development, and production) | Required | Required | Recommended | III.C.2.c.v | |
| Authorized, documented change management procedures | Required | Recommended | Optional | III.C.2.e | |
| Backup systems supporting essential activities | Required | Required | Required | III.C.2.c.ii | |


| Controls Family | High Restricted Data | Medium Sensitive Data | Low Non-Confidential Data | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Network firewalls and IDS/IPS | Required | Recommended | Optional | III.C.2.d | |
| Encryption: stored data; transmitted data; backups where physical security is at risk; protective measures such as encryption for data on portable devices and media; appropriate encryption key management to ensure the availability of encrypted authoritative information | Required | Recommended | Optional | III.C.2.c.ii, III.C.2.g, III.C.3.e, Appendix E | |
| Ensure proper user authentication and authorization for users and administrators on all systems | Required | Required | Recommended | III.C.2.b | |
| Centralized log management, alerting on improper activity, and log retention | Required | Recommended | Optional | III.C.2.b | |


| Controls Family | High Restricted Data | Medium Sensitive Data | Low Non-Confidential Data | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Physical access controls; facility access controls | Required | Required | Required | III.C.3.b | |
| Disposal and re-use: securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed | Required | Required | Recommended | III.C.3.d | |
| Physical security for portable devices and media | Required | Recommended | Optional | III.C.3.e | |
| Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks | Required | Required for financial instruments; otherwise recommended | Optional | III.C.3.c | |
| Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks | Required | Required for financial instruments; otherwise recommended | Optional | III.C.3.c | |
| Disaster Recovery and Business Continuity Plan | Required | Recommended | Optional | III.C.3.a | |