Minimum Network Connectivity Requirements

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement Reference | Required for Insurance (placeholder) |
|---|---|---|---|---|---|
| 1. Access control measures for controlled electronic information resources | Required | Required | Required | III.C.2.b; IV.A | |
| 2. Encrypted transmission of restricted data including passwords | Required | Required | Required | III.C.2.b.i; III.C.2.g; IV.B | |
| 3. Software updates / patch management | Required | Required | Required | | |
| 4. Malicious software protection | Required | Required | Required | III.C.2.c.iii; IV.D | |
| 5. Removal of unnecessary services | Required | Required | Required | IV.E | |
| 6. Host-based firewalls | Required | Required | Required | III.C.2.d; IV.F | |
| 7. No unauthorized email relays | Required | Required | Required | IV.G | |
| 8. No unauthorized, unauthenticated proxy servers | Required | Required | Required | IV.H | |
| 9. Physical security and session timeout | Required | Required | Required | III.C.2.b.ii; III.C.3.b; IV.I | |

Administrative Controls

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance (placeholder) |
|---|---|---|---|---|---|
| Asset inventory and classification; identification of systems storing and accessing data | Required | Required | Required | III.B | |
| Risk assessments | Required | Recommended | Recommended | III.B.1 | |
| Written Information Security Plan | Required | Recommended | Optional | III.C | |
| Formal proprietor authorization for sharing data | Required | Recommended | Optional | III.C, 4th paragraph | |
| Procedures to inform staff of information security responsibilities | Required | Required | Required | III.C.1.a | |
| Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties | Required | Recommended | Optional | III.C.1 | |
| Background checks | Required | Recommended | Optional | III.C.1.b; III.F | |
| Third party agreements with data security language | Required | Recommended | Optional | III.F | |
| Take appropriate personnel/disciplinary action for violations of law or policy | Required | Required | Required | III.C.1.c | |
| Education and security awareness training | Required | Recommended | Recommended | III.E | |

Operational Controls

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance (placeholder) |
|---|---|---|---|---|---|
| Secure and accountable means of authorization and authentication | Required | Required | Optional | III.C.2.a | |
| Prompt modification or termination of access or access levels in response to authorization changes | Required | Required | Optional | III.C.1 | |
| Password guidelines and password vulnerability assessment | Required | Required | Required | III.C.2.b.i | |
| Delete, redact or de-identify data whenever possible | Required | Recommended | Optional | III.C, third paragraph | |
| Do not store data on portable devices | Required | Recommended | Optional | III.C.3.e | |
| Incident response planning and notification procedures | Required | Required | Required | III.D | |
| Access and activity audit and logging procedures, including access attempts and privileged access | Required | Required for financial instruments; otherwise recommended | Optional | III.C.2.b.iii; III.C.2.f; Appendix D | |
| Application security: system and application development standards, application vulnerability assessment (test, development, and production) | Required | Required | Recommended | III.C.2.c.v | |
| Authorized, documented change management procedures | Required | Recommended | Optional | III.C.2.e | |
| Backup systems supporting essential activities | Required | Required | Required | III.C.2.c.ii | |


Technical Controls

 

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance (placeholder) |
|---|---|---|---|---|---|
| Network firewalls and IDS/IPS | Required | Recommended | Optional | III.C.2.d | |
| Encryption: stored data (III.C.2.g; Appendix E); transmitted data (III.C.2.g; Appendix E); backups where physical security is at risk (III.C.2.c.ii; Appendix E); protective measures such as encryption for data on portable devices and media (III.C.2.g; III.C.3.e); appropriate encryption key management to ensure the availability of encrypted authoritative information | Required | Recommended | Optional | III.C.2.c.ii; III.C.2.g; III.C.3.e; Appendix E | |
| Ensure proper user authentication and authorization for users and administrators on all systems | Required | Required | Recommended | III.C.2.b | |
| Centralized log management, alerting on improper activity, and log retention | Required | Recommended | Optional | III.C.2.b | |


Physical Controls

 

| Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Requirement | Required for Insurance (placeholder) |
|---|---|---|---|---|---|
| Physical access controls; facility access controls | Required | Required | Required | III.C.3.b | |
| Disposal and re-use: securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed | Required | Required | Recommended | III.C.3.d | |
| Physical security for portable devices and media | Required | Recommended | Optional | III.C.3.e | |
| Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks | Required | Required for financial instruments; otherwise recommended | Optional | III.C.3.c | |
| Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks | Required | Required for financial instruments; otherwise recommended | Optional | III.C.3.c | |
| Disaster Recovery and Business Continuity Plan | Required | Recommended | Optional | III.C.3.a | |


Insurance Requirements

Coverage is dependent upon the existence of, and adherence to, the security protocols
outlined in BFB IS-3, or any local procedures not in conflict with BFB IS-3 that have
been implemented for the critical system.

Minimum requirements: BUS 80 - Cyber Security Insurance Requirements
