| Controls Family | High | Medium | Low | IS-3 Requirement | Required for Insurance |
|---|---|---|---|---|---|
| Administrative Controls | | | | | |
| Risk assessment, asset inventory and classification; identification of systems storing and accessing data (III.B) | Required | Recommended | Recommended | | |
| Formal proprietor authorization for sharing data (III.C, 4th paragraph) | Required | Recommended | Optional | | |
| Procedures to inform staff of information security responsibilities (III.C.1.a) | Required | Required | Required | | |
| Procedures for providing privileged accounts; review of personnel assignments for appropriate classification, security responsibilities, and separation of duties (III.C.1) | Required | Recommended | Optional | | |
| Background checks (III.C.1.b; III.F) | Required | Recommended | Optional | | |
| Third-party agreements with data security language (III.F) | Required | Recommended | Optional | | |
| Take appropriate personnel/disciplinary action for violations of law or policy (III.C.1.c) | Required | Required | Required | | |
| Education and security awareness training (III.E) | Required | Recommended | Recommended | | |
| Operational Controls | | | | | |
| Secure and accountable means of authorization and authentication (III.C.2.a) | Required | Required | Optional | | |
| Prompt modification or termination of access or access levels in response to authorization changes (III.C.1) | Required | Required | Optional | | |
| Password guidelines and password vulnerability assessment (III.C.2.b.i) | Required | Required | Required | | |
| Delete, redact or de-identify data whenever possible (III.C, | Required | Recommended | Optional | | |
| Do not store data on portable devices (III.C.3.e) | Required | Recommended | Optional | | |
| Incident response planning and notification procedures (III.D) | Required | Required | Required | | |
| Access and activity audit and logging procedures, including access attempts and privileged access (III.C.2.b.iii; III.C.2.f; Appendix D) | Required | Required for financial instruments; otherwise recommended | Optional | | |
| Application security: | Required | Required | Recommended | | |
| Authorized, documented change management procedures (III.C.2.e) | Required | Recommended | Optional | | |
| Backup systems supporting essential activities (III.C.2.c.ii) | Required | Required | Required | | |
| Technical Controls | | | | | |
| Network firewalls and IDS/IPS (III.C.2.d) | Required | Recommended | Optional | | |
| Encryption: | Required | Recommended | Optional | | |
| Ensure proper user authentication and authorization for users and administrators on all systems (III.C.2.b) | Required | Required | Recommended | | |
| Centralized log management, alerting on improper activity, and log retention (III.C.2.b) | Required | Recommended | Optional | | |
| Physical Controls | | | | | |
| Physical access controls; facility access controls (III.C.3.b) | Required | Required | Required | | |
| Disposal and re-use: | Required | Required | Recommended | | |
| Physical security for portable devices and media (III.C.3.e) | Required | Recommended | Optional | | |
| Track reassignment or movement of devices and stock inventories, including financial instruments such as check stock and produced checks (III.C.3.c) | Required | Required for financial instruments; otherwise recommended | Optional | | |
| Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (III.C.3.c) | Required | Required for financial instruments; otherwise recommended | Optional | | |
| Disaster Recovery and Business Continuity Plan (III.C.3.a) | Required | Recommended | Optional | | |
| Minimum Network Connectivity Requirements (IV): | | | | | |
| 1. Access control measures for controlled electronic information resources (III.C.2.b; IV.A) | Required | Required | Required | | |
| 2. Encrypted transmission of restricted data, including passwords (III.C.2.b.i; III.C.2.g; IV.B) | Required | Required | Required | | |
| 3. Software updates / patch management (III.C.2.c.iv; IV.C) | Required | Required | Required | | |
| 4. Malicious software protection (III.C.2.c.iii; IV.D) | Required | Required | Required | | |
| 5. Removal of unnecessary services (IV.E) | Required | Required | Required | | |
| 6. Host-based firewalls (III.C.2.d; IV.F) | Required | Required | Required | | |
| 7. No unauthorized email relays (IV.G) | Required | Required | Required | | |
| 8. No unauthorized, unauthenticated proxy servers (IV.H) | Required | Required | Required | | |
| 9. Physical security and session timeout (III.C.2.b.ii; | Required | Required | Required | | |