Minimum Network Connectivity Requirements

| Controls Family | High: Restricted Data | Medium: Sensitive Data | Low: Non-Confidential Data | IS-3 Reference | Placeholder |
|---|---|---|---|---|---|
| 1. Access control measures for controlled electronic information resources | Required | Required | Required | III.C.2.b, IV.A | |
| 2. Encrypted transmission of restricted data including passwords | Required | Required | Required | III.C.2.b.i, III.C.2.g, IV.B | |
| 3. Software updates / patch management | Required | Required | Required | III.C.2.c.iv, IV.C | |
| 4. Malicious software protection | Required | Required | Required | III.C.2.c.iii, IV.D | |
| 5. Removal of unnecessary services | Required | Required | Required | IV.E | |
| 6. Host-based firewalls | Required | Required | Required | III.C.2.d, IV.F | |
| 7. No unauthorized email relays | Required | Required | Required | IV.G | |
| 8. No unauthorized, unauthenticated proxy servers | Required | Required | Required | IV.H | |
| 9. Physical security and session timeout | Required | Required | Required | III.C.2.b.ii, III.C.3.b, IV.I | |

Administrative Controls

| Controls Family | High: Restricted Data | Medium: Sensitive Data | Low: Non-Confidential Data | IS-3 Requirement | Placeholder |
|---|---|---|---|---|---|
| Asset inventory and classification; identification of systems storing and accessing data | Required | Required | Required | III.B | |
| Risk assessments | Required | Recommended | Recommended | III.B.1 | |
| Written Information Security Plan | Required | Recommended | Optional | III.C | |
| Formal proprietor authorization for sharing data | Required | Recommended | Optional | III.C, 4th paragraph | |
| Procedures to inform staff of information security responsibilities | Required | Required | Required | III.C.1.a | |
| Procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties | Required | Recommended | Optional | III.C.1 | |
| Background checks | Required | Recommended | Optional | III.C.1.b, III.F | |
| Third party agreements with data security language | Required | Recommended | Optional | III.F | |
| Take appropriate personnel/disciplinary action for violations of law or policy | Required | Required | Required | III.C.1.c | |
| Education and security awareness training | Required | Recommended | Recommended | III.E | |

Operational Controls

| Controls Family | High: Restricted Data | Medium: Sensitive Data | Low: Non-Confidential Data | IS-3 Requirement | Placeholder |
|---|---|---|---|---|---|
| Secure and accountable means of authorization and authentication | Required | Required | Optional | III.C.2.a | |
| Prompt modification or termination of access or access levels in response to authorization changes | Required | Required | Optional | III.C.1 | |
| Password guidelines and password vulnerability assessment | Required | Required | Required | III.C.2.b.i | |
| Delete, redact or de-identify data whenever possible | Required | Recommended | Optional | III.C | |
| Do not store data on portable devices | Required | Recommended | Optional | III.C.3.e | |
| Incident response planning and notification procedures | Required | Required | Required | III.D | |
| Access and activity audit and logging procedures, including access attempts and privileged access | Required | Recommended | Optional | III.C.2.b.iii, III.C.2.f, Appendix D | |
| Application security: system and application development standards, application vulnerability assessment (test, development, and production) | Required | Required | Recommended | III.C.2.c.v | |
| Documented change management procedures | Required | Recommended | Optional | III.C.2.e | |
| Backup systems supporting essential activities | Required | Required | Required | III.C.2.c.ii | |

Technical Controls

| Controls Family | High: Restricted Data | Medium: Sensitive Data | Low: Non-Confidential Data | IS-3 Requirement | Placeholder |
|---|---|---|---|---|---|
| Network firewalls and IDS/IPS | Required | Recommended | Optional | III.C.2.d | |
| Encryption: stored data; transmitted data; backups where physical security is at risk; protective measures such as encryption for data on portable devices and media; appropriate encryption key management to ensure the availability of encrypted authoritative information | Required | Recommended | Optional | III.C.2.c.ii, III.C.2.g, III.C.3.e, Appendix E | |
| Ensure proper user authentication and authorization for users and administrators on all systems | Required | Required | Recommended | III.C.2.b | |
| Centralized log management, alerting on improper activity, and log retention | Required | Recommended | Optional | III.C.2.b | |

Physical Controls

| Controls Family | High: Restricted Data | Medium: Sensitive Data | Low: Non-Confidential Data | IS-3 Requirement | Placeholder |
|---|---|---|---|---|---|
| Physical access controls; facility access controls | Required | Required | Required | III.C.3.b | |
| Disposal and re-use: securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed | Required | Required | Recommended | III.C.3.d | |
| Physical security for portable devices and media | Required | Recommended | Optional | III.C.3.e | |
| Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks | Required | Recommended | Optional | III.C.3.c | |
| Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks | Required | Recommended | Optional | III.C.3.c | |
| Disaster Recovery and Business Continuity Plan | Required | Recommended | Optional | III.C.3.a | |

Insurance Requirements

Coverage is dependent upon the existence of, and adherence to, the security protocols outlined in BFB IS-3, or any local procedures not in conflict with BFB IS-3 that have been implemented for critical systems.

Minimum requirements: BUS 80 - Cyber Security Insurance Requirements

Reference
