Page Comparison

Asset inventory and classification; Identification of systems storing and accessing data

Required

Required

Required

III.B

Risk assessments

Required

Recommended

Recommended

III.B.1

Written Information Security Plan

Required

Recommended

Optional

III.C

Formal proprietor authorization for sharing data

Required

Recommended

Optional

III.C, 4th paragraph

Procedures to inform staff of information security responsibilities.

Required

Required

Required

III.C.1.a

Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties

Required

Recommended

Optional

III.C.1

Background checks

Required

Recommended

Optional

III.C.1.b

III.F

Third party agreements with data security language

Required

Recommended

Optional

III.F

Take appropriate personnel/disciplinary action for violations of law or policy

Required

Required

Required

III.C.1.c

Education and security awareness training

Required

Recommended

Recommended

III.E

Operational Controls

Secure and accountable means of authorization and authentication

Required

Required

Optional

III.C.2.a

Prompt modification or termination of access or access levels in response to authorization changes

Required

Required

Optional

III.C.1

Password guidelines and password vulnerability assessment

Required

Required

Required

III.C.2.b.i

Delete, redact or de-identify data whenever possible

Required

Recommended

Optional

III.C

Do not store data on portable devices

Required

Recommended

Optional

III.C.3.e

/wiki/spaces/SEC/pages/20381772 planning and notification procedures

Required

Required

Required

III.D

Access and activity audit and logging procedures, including access attempts and privileged access

Required

Recommended

Optional

III.C.2.b.iii

III.C.2.f

Appendix D)

Application security:
System and application development standards, application vulnerability assessment (test, development, and production)

Required

Required

Recommended

II I.C.2.c.v

Documented change management procedures

Required

Recommended

Optional

III.C.2.e

Backup systems supporting essential activities

Required

Required

Required

III.C.2.c.ii

Technical Controls

Network firewalls and IDS/IPS

Required

Recommended

Optional

III.C.2.d

Encryption:

• stored data

• transmitted data

• backups where physical security is at risk

• protective measures such as encryption for data on portable devices and media

• appropriate encryption key management to ensure the availability of encrypted authoritative information

Required

Recommended

Optional

III.C.2.c.ii
III.C.2.g

III.C.3.e
Appendix E

Ensure proper user authentication and authorization for users and administrators on all systems

Required

Required

Recommended

III.C.2.b

Centralized log management, alerting on improper activity, and log retention

Required

Recommended

Optional

III.C.2.b

Physical Controls

Physical access controls; Facility access controls

Required

Required

Required

III.C.3.b

Disposal and re-use:
Securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed

Required

Required

Recommended

III.C.3.d

Physical security for portable devices and media

Required

Recommended

Optional

III.C.3.e

Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks

Required

Recommended

Optional

III.C.3.c

Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks

Required

Recommended

Optional

III.C.3.c

Disaster Recovery and Business Continuity Plan

Required

Recommended

Optional

III.C.

3.a