Minimum Network Connectivity Requirements

Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Reference
--- | --- | --- | --- | ---
1. Access control measures for controlled electronic information resources | Required | Required | Required | III.C.2.b; IV.A
2. Encrypted transmission of restricted data including passwords | Required | Required | Required | III.C.2.b.i; III.C.2.g; IV.B
3. Software updates / patch management | Required | Required | Required | III.C.2.c.iv; IV.C
4. Malicious software protection | Required | Required | Required | III.C.2.c.iii; IV.D
5. Removal of unnecessary services | Required | Required | Required | IV.E
6. Host-based firewalls | Required | Required | Required | III.C.2.d; IV.F
7. No unauthorized email relays | Required | Required | Required | IV.G
8. No unauthorized, unauthenticated proxy servers | Required | Required | Required | IV.H
9. Physical security and session timeout | Required | Required | Required | III.C.2.b.ii; III.C.3.b; IV.I

Administrative Controls

Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Reference
--- | --- | --- | --- | ---
Asset inventory and classification; identification of systems storing and accessing data | Required | Required | Required | III.B
Risk assessments | Required | Recommended | Recommended | III.B.1
Written Information Security Plan | Required | Recommended | Optional | III.C
Formal proprietor authorization for sharing data | Required | Recommended | Optional | III.C, 4th paragraph
Procedures to inform staff of information security responsibilities | Required | Required | Required | III.C.1.a
Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties | Required | Recommended | Optional | III.C.1
Background checks | Required | Recommended | Optional | III.C.1.b; III.F
Third party agreements with data security language | Required | Recommended | Optional | III.F
Take appropriate personnel/disciplinary action for violations of law or policy | Required | Required | Required | III.C.1.c
Education and security awareness training | Required | Recommended | Recommended | III.E

Operational Controls

Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Reference
--- | --- | --- | --- | ---
Secure and accountable means of authorization and authentication | Required | Required | Optional | III.C.2.a
Prompt modification or termination of access or access levels in response to authorization changes | Required | Required | Optional | III.C.1
Password guidelines and password vulnerability assessment | Required | Required | Required | III.C.2.b.i
Delete, redact or de-identify data whenever possible | Required | Recommended | Optional | III.C
Do not store data on portable devices | Required | Recommended | Optional | III.C.3.e
Incident response planning and notification procedures | Required | Required | Required | III.D
Access and activity audit and logging procedures, including access attempts and privileged access | Required | Recommended (required for financial instruments) | Optional | III.C.2.b.iii; III.C.2.f; Appendix D
Application security: system and application development standards, application vulnerability assessment (test, development, and production) | Required | Required | Recommended | III.C.2.c.v
Documented change management procedures | Required | Recommended | Optional | III.C.2.e
Backup systems supporting essential activities | Required | Required | Required | III.C.2.c.ii

Technical Controls

Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Reference
--- | --- | --- | --- | ---
Network firewalls and IDS/IPS | Required | Recommended | Optional | III.C.2.d
Encryption: stored data; transmitted data; backups where physical security is at risk; protective measures such as encryption for data on portable devices and media; appropriate encryption key management to ensure the availability of encrypted authoritative information | Required | Recommended | Optional | III.C.2.c.ii; III.C.2.g; III.C.3.e; Appendix E
Ensure proper user authentication and authorization for users and administrators on all systems | Required | Required | Recommended | III.C.2.b
Centralized log management, alerting on improper activity, and log retention | Required | Recommended | Optional | III.C.2.b

Physical Controls

Controls Family | High (Restricted Data) | Medium (Sensitive Data) | Low (Non-Confidential Data) | IS-3 Reference
--- | --- | --- | --- | ---
Physical access controls; facility access controls | Required | Required | Required | III.C.3.b
Disposal and re-use: securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed | Required | Required | Recommended | III.C.3.d
Physical security for portable devices and media | Required | Recommended | Optional | III.C.3.e
Track reassignment or movement of devices and stock inventories, including financial instruments such as check stock and produced checks | Required | Recommended (required for financial instruments) | Optional | III.C.3.c
Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks | Required | Recommended (required for financial instruments) | Optional | III.C.3.c
Disaster Recovery and Business Continuity Plan | Required | Recommended | Optional | III.C.3.a


Insurance Requirements

Coverage depends on the existence of, and adherence to, the security protocols set out in BFB IS-3, or any local procedures not in conflict with BFB IS-3, that have been implemented for the critical system.

Minimum requirements: BUS 80 - Cyber Security Insurance Requirements
