Page Comparison

Minimum Network Connectivity Requirements

1. Access control measures for controlled electronic information resources (

Required

Required

Required

III.C.2.b ;
IV.A)

Required

Required

Required

2. Encrypted transmission of restricted data including passwords (

Required

Required

Required

III.C.2.b.i ;
III.C.2.g ;
IV.B)

Required

Required

Required

3. Software updates / patch management (

Required

Required

Required

III.C.2.c.iv ;
IV.C)

Required

Required

Required

4. Malicious software protection (

Required

Required

Required

III.C.2.c.iii ;
IV.D) Required

Required

Required

5. Removal of unnecessary services (IV.E)

Required

Required

Required 

IV.E

6. Host-based firewalls (

Required

Required

Required

III.C.2.d ;
IV.F)

Required

Required

Required

7. No unauthorized email relays (IV.G)

Required

Required

Required 

IV.G

8. No unauthorized, unauthenticated proxy servers (IV.H)

Required

Required

Required 

IV.H

9. Physical security and session timeout (

Required

Required

Required

III.C.2.b.ii ;
III.C.3.b ;
IV.I)

  Required

Administrative Controls

Required   Required

Asset inventory and classification; Identification of systems storing and accessing data (

Required

Required

Required

III.B)

Risk assessments

Required

Recommended

Recommended

III.B.1

Written Information Security Plan

Required

Recommended

Optional

III.C

Formal proprietor authorization for sharing data (III.C, 4th paragraph)

Required

Recommended

Optional 

III.C, 4th paragraph

Procedures to inform staff of information security responsibilities. (

Required

Required

Required

III.C.1.a)

Required

Required

Required

Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties (

Required

Recommended

Optional

III.C.1)

Background checks

Required

Recommended

Optional 

Background checks (III.C.1.b ;
III.F)

Required

Recommended

Optional

Third party agreements with data security language (III.F)

Required

Recommended

Optional 

III.F

Take appropriate personnel/disciplinary action for violations of law or policy (

Required

Required

Required

III.C.1.c)

Required

Required

Required

Education and security awareness training (III.E)

Required

Recommended

Recommended 

III.E

Operational Controls

Secure and accountable means of authorization and authentication (

Required

Required

Optional

III.C.2.a)

Required

Required

Optional

Prompt modification or termination of access or access levels in response to authorization changes (III.C.1)

Required

Required

Optional 

III.C.1

Password guidelines and password vulnerability assessment (

Required

Required

Required

III.C.2.b.i) Required

Required

Required

Delete, redact or de-identify data whenever possible (III.C,
third paragraph)

Required

Recommended

Optional

III.C

Do not store data on portable devices (

Required

Recommended

Optional

III.C.3.e)

Required

Recommended

Optional

Incident response  

/wiki/spaces/SEC/pages/20381772 planning and notification procedures (III.D)

Required

Required

Required 

III.D

Access and activity audit and logging procedures, including access attempts and privileged access (

Required

Recommended

Optional

III.C.2.b.iii ;
III.C.2.f ;
Appendix D) Required

Required for financial instruments; otherwise recommended

Optional

Application security:
System and application development standards, application vulnerability assessment (test, development, and production)(

Required

Required

Recommended

II I.C.2.c.v) Required

Documented change management procedures

Required

Recommended

Authorized, documented change management procedures (Optional

III.C.2.e)

Required

Recommended

Optional

Backup systems supporting essential activities (

Required

Required

Required

III.C.2.c.ii)

  Required

Technical Controls

Required   Required

Network firewalls and IDS/IPS (

Required

Recommended

Optional

III.C.2.d)

Required

Recommended

Optional

Encryption:

• stored data (III.C.2.g; Appendix E)
• transmitted data (III.C.2.g; Appendix E)
• backups where physical security is at risk (III.C.2.c.ii; Appendix E)
• protective measures such as encryption for data on portable devices and media (III.C.2.g; (III.C.3.e)
• appropriate encryption key management to ensure the availability of encrypted authoritative information (

Required

Recommended

Optional

III.C.2.c.ii
III.C.2.g

III.C.3.e
Appendix E

Required

Recommended

Optional

Ensure proper user authentication and authorization for users and administrators on all systems (

Required

Required

Recommended

III.C.2.b)

Required

Required

Recommended

Centralized log management, alerting on improper activity, and log retention (

Required

Recommended

Optional

III.C.2.b)

  Required

Physical Controls

Recommended  

Optional  

Physical access controls; Facility access controls (

Required

Required

Required

III.C.3.b)

Required

Required

Required

Disposal and re-use:
Securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed (

Required

Required

Recommended

III.C.3.d)

Required

Required

Recommended

Physical security for portable devices and media (

Required

Recommended

Optional

III.C.3.e)

Required

Recommended

Optional

Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks (

Required

Recommended

Optional

III.C.3.c)

Required

Required for financial instruments; otherwise recommended

Optional

Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (

Required

Recommended

Optional

III.C.3.c)

Required

Required for financial instruments; otherwise recommended

Optional

Disaster Recovery and Business Continuity Plan (

Required

Recommended

Optional

III.C.3.a)

Required

Recommended

Optional