STANDARDIZED OPERATING PROCEDURES (SOP) [Official Company Name]

Mar 26, 2020

dariahiddleston

STANDARDIZED OPERATING PROCEDURES (SOP)

[Official Company Name]


Cybersecurity Standardized Operating Procedures (CSOP) - 2018.1 Page 2 of 463

TABLE OF CONTENTS

OVERVIEW, INSTRUCTIONS & EXAMPLE ..... 13
  KEY TERMINOLOGY ..... 13
  OVERVIEW ..... 13
  CUSTOMIZATION GUIDANCE ..... 13
  VALIDATING NEEDS FOR PROCEDURES / CONTROL ACTIVITIES ..... 13
  UNDERSTANDING CONTROL OBJECTIVES & CONTROLS ..... 13
  PROCEDURES DOCUMENTATION ..... 14
  NIST NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION (NICE) CYBERSECURITY WORKFORCE FRAMEWORK ..... 15
  EXAMPLE ..... 15
  SUPPORTING POLICIES & STANDARDS ..... 18

CYBERSECURITY & PRIVACY FUNCTION OVERVIEW ..... 19
  TEAM STRUCTURE ..... 19
  MISSION ..... 19
  VALUE PROPOSITION ..... 19
  KNOWN COMPLIANCE REQUIREMENTS ..... 20
    STATUTORY REQUIREMENTS ..... 20
    REGULATORY REQUIREMENTS ..... 20
    CONTRACTUAL REQUIREMENTS ..... 20

DIGITAL SECURITY GOVERNANCE (GOV) ..... 21
  P-GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM ..... 21
  P-GOV-02: PUBLISHING SECURITY & PRIVACY POLICIES ..... 21
  P-GOV-03: PERIODIC REVIEW & UPDATE OF CYBERSECURITY DOCUMENTATION ..... 22
  P-GOV-04: ASSIGNED SECURITY RESPONSIBILITIES ..... 23
  P-GOV-05: MEASURES OF PERFORMANCE ..... 24
    P-GOV-05(A): MEASURES OF PERFORMANCE | KEY PERFORMANCE INDICATORS (KPIS) ..... 25
    P-GOV-05(B): MEASURES OF PERFORMANCE | KEY RISK INDICATORS (KRIS) ..... 25
  P-GOV-06: CONTACTS WITH AUTHORITIES ..... 26
  P-GOV-07: CONTACTS WITH SECURITY GROUPS & ASSOCIATIONS ..... 27

ASSET MANAGEMENT (AST) ..... 28
  P-AST-01: ASSET GOVERNANCE ..... 28
  P-AST-02: ASSET INVENTORIES ..... 29
    P-AST-02(A): ASSET INVENTORIES | UPDATES DURING INSTALLATIONS / REMOVALS ..... 29
    P-AST-02(C): ASSET INVENTORIES | COMPONENT DUPLICATION AVOIDANCE ..... 30
    P-AST-02(G): ASSET INVENTORIES | SOFTWARE LICENSING RESTRICTIONS ..... 31
  P-AST-03: ASSIGNING OWNERSHIP OF ASSETS ..... 31
  P-AST-04: NETWORK DIAGRAMS & DATA FLOW DIAGRAMS (DFDS) ..... 32
  P-AST-05: SECURITY OF ASSETS & MEDIA ..... 33
  P-AST-06: UNATTENDED END-USER EQUIPMENT ..... 34
    P-AST-06(A): UNATTENDED END-USER EQUIPMENT | LAPTOP STORAGE IN AUTOMOBILES ..... 35
  P-AST-07: KIOSKS & POINT OF SALE (POS) DEVICES ..... 35
  P-AST-08: TAMPER PROTECTION & DETECTION ..... 36
  P-AST-09: SECURE DISPOSAL OR RE-USE OF EQUIPMENT ..... 37
  P-AST-10: RETURN OF ASSETS ..... 38
  P-AST-11: REMOVAL OF ASSETS ..... 38
  P-AST-15: TAMPER PROTECTION ..... 39
    P-AST-15(A): TAMPER RESISTANCE & DETECTION | INSPECTION OF SYSTEMS, COMPONENTS & DEVICES ..... 41

BUSINESS CONTINUITY & DISASTER RECOVERY (BCD) ..... 42
  P-BCD-01: CONTINGENCY PLAN ..... 42
    P-BCD-01(A): CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS ..... 43
    P-BCD-01(B): CONTINGENCY PLAN | COORDINATE WITH EXTERNAL SERVICE PROVIDERS ..... 43
  P-BCD-04: CONTINGENCY PLAN TESTING & EXERCISES ..... 44
    P-BCD-04(A): CONTINGENCY PLAN TESTING | COORDINATED TESTING WITH RELATED PLANS ..... 45
  P-BCD-05: CONTINGENCY PLAN ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED ..... 46

  P-BCD-06: CONTINGENCY PLAN UPDATE ..... 46
  P-BCD-08: ALTERNATE STORAGE SITE ..... 47
    P-BCD-08(A): ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE ..... 48
    P-BCD-08(B): ALTERNATE STORAGE SITE | ACCESSIBILITY ..... 48
  P-BCD-09: ALTERNATE PROCESSING SITE ..... 49
    P-BCD-09(A): ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE ..... 50
    P-BCD-09(B): ALTERNATE PROCESSING SITE | ACCESSIBILITY ..... 51
    P-BCD-09(C): ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE ..... 52
  P-BCD-11: DATA BACKUPS ..... 52
    P-BCD-11(A): DATA BACKUPS | TESTING FOR RELIABILITY & INTEGRITY ..... 53
    P-BCD-11(B): DATA BACKUPS | SEPARATE STORAGE FOR CRITICAL INFORMATION ..... 54
    P-BCD-11(C): DATA BACKUPS | INFORMATION SYSTEM IMAGING ..... 55
    P-BCD-11(D): DATA BACKUPS | CRYPTOGRAPHIC PROTECTION ..... 55
  P-BCD-12: INFORMATION SYSTEM RECOVERY & RECONSTITUTION ..... 56
    P-BCD-12(A): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | TRANSACTION RECOVERY ..... 57
    P-BCD-12(B): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | FAILOVER CAPABILITY ..... 57
    P-BCD-12(C): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | ELECTRONIC DISCOVERY (EDISCOVERY) ..... 58

CAPACITY & PERFORMANCE PLANNING (CAP) ..... 59
  P-CAP-01: CAPACITY & PERFORMANCE MANAGEMENT ..... 59

CHANGE MANAGEMENT (CHG) ..... 59
  P-CHG-01: CHANGE MANAGEMENT PROGRAM ..... 60
  P-CHG-02: CONFIGURATION CHANGE CONTROL ..... 61
    P-CHG-02(B): CONFIGURATION CHANGE CONTROL | TEST, VALIDATE & DOCUMENT CHANGES ..... 61
    P-CHG-02(C): CONFIGURATION CHANGE CONTROL | SECURITY REPRESENTATIVE FOR CHANGE ..... 62
  P-CHG-03: SECURITY IMPACT ANALYSIS FOR CHANGES ..... 63
  P-CHG-04: ACCESS RESTRICTION FOR CHANGE ..... 64
    P-CHG-04(A): ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING ..... 64
    P-CHG-04(B): ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS ..... 65
    P-CHG-04(C): ACCESS RESTRICTIONS FOR CHANGE | DUAL AUTHORIZATION FOR CHANGE ..... 66
    P-CHG-04(D): ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES (INCOMPATIBLE ROLES) ..... 67
    P-CHG-04(E): ACCESS RESTRICTIONS FOR CHANGE | LIBRARY PRIVILEGES ..... 67
  P-CHG-05: STAKEHOLDER NOTIFICATION OF CHANGES ..... 68

CLOUD SECURITY (CLD) ..... 69
  P-CLD-01: CLOUD SERVICES ..... 69

COMPLIANCE (CPL) ..... 70
  P-CPL-01: STATUTORY, REGULATORY & CONTRACTUAL COMPLIANCE ..... 70
  P-CPL-02: SECURITY CONTROLS OVERSIGHT ..... 71
  P-CPL-03: SECURITY ASSESSMENTS ..... 72
    P-CPL-03(A): SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS ..... 73
    P-CPL-03(B): SECURITY ASSESSMENTS | FUNCTIONAL REVIEW OF SECURITY CONTROLS ..... 73
  P-CPL-04: AUDIT ACTIVITIES ..... 74

CONFIGURATION MANAGEMENT (CFG) ..... 76
  P-CFG-01: CONFIGURATION MANAGEMENT PROGRAM ..... 76
  P-CFG-02: SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS ..... 77
    P-CFG-02(A): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | REVIEWS & UPDATES ..... 78
    P-CFG-02(D): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | DEVELOPMENT & TEST ENVIRONMENTS ..... 79
    P-CFG-02(E): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | CONFIGURE SYSTEMS, COMPONENTS OR DEVICES FOR HIGH-RISK AREAS ..... 80
    P-CFG-02(F): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | NETWORK DEVICE CONFIGURATION FILE SYNCHRONIZATION ..... 81
  P-CFG-03: LEAST FUNCTIONALITY ..... 82
    P-CFG-03(A): LEAST FUNCTIONALITY | PERIODIC REVIEW ..... 83
    P-CFG-03(B): LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION ..... 83
    P-CFG-03(C): LEAST FUNCTIONALITY | UNAUTHORIZED OR AUTHORIZED SOFTWARE (BLACKLISTING OR WHITELISTING) ..... 84
    P-CFG-03(D): LEAST FUNCTIONALITY | SPLIT TUNNELING ..... 85
  P-CFG-05: USER-INSTALLED SOFTWARE ..... 85

    P-CFG-05(A): USER-INSTALLED SOFTWARE | UNAUTHORIZED INSTALLATION ALERTS ..... 86
    P-CFG-05(B): USER-INSTALLED SOFTWARE | PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS ..... 87

CONTINUOUS MONITORING (MON) ..... 88
  P-MON-01: CONTINUOUS MONITORING ..... 88
    P-MON-01(B): CONTINUOUS MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS ..... 89
    P-MON-01(C): CONTINUOUS MONITORING | INBOUND & OUTBOUND COMMUNICATIONS TRAFFIC ..... 90
    P-MON-01(D): CONTINUOUS MONITORING | SYSTEM GENERATED ALERTS ..... 91
    P-MON-01(E): CONTINUOUS MONITORING | WIRELESS INTRUSION DETECTION SYSTEM (WIDS) ..... 91
    P-MON-01(G): CONTINUOUS MONITORING | FILE INTEGRITY MONITORING (FIM) ..... 92
    P-MON-01(H): CONTINUOUS MONITORING | REVIEWS & UPDATES ..... 93
  P-MON-02: CENTRALIZED EVENT LOG COLLECTION ..... 94
    P-MON-02(A): CENTRALIZED SECURITY EVENT LOG COLLECTION | CORRELATE MONITORING INFORMATION ..... 95
  P-MON-03: CONTENT OF AUDIT RECORDS ..... 95
    P-MON-03(A): CONTENT OF AUDIT RECORDS | SENSITIVE AUDIT INFORMATION ..... 96
    P-MON-03(B): CONTENT OF AUDIT RECORDS | AUDIT TRAILS ..... 97
    P-MON-03(C): CONTENT OF AUDIT RECORDS | PRIVILEGED FUNCTIONS LOGGING ..... 98
  P-MON-05: RESPONSE TO AUDIT PROCESSING FAILURES ..... 98
    P-MON-05(A): RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS ..... 99
  P-MON-06: MONITORING REPORTING ..... 100
    P-MON-06(A): MONITORING REPORTING | QUERY PARAMETER AUDITS OF PERSONAL INFORMATION (PI) ..... 100
  P-MON-07: TIME STAMPS ..... 102
    P-MON-07(A): TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE ..... 103
  P-MON-08: PROTECTION OF AUDIT INFORMATION ..... 103
    P-MON-08(B): PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS ..... 104
  P-MON-10: AUDIT RECORD RETENTION ..... 105
  P-MON-16: ANOMALOUS BEHAVIOR ..... 106
    P-MON-16(A): ANOMALOUS BEHAVIOR | INSIDER THREATS ..... 107
    P-MON-16(B): ANOMALOUS BEHAVIOR | THIRD-PARTY THREATS ..... 107
    P-MON-16(C): ANOMALOUS BEHAVIOR | UNAUTHORIZED ACTIVITIES ..... 108

CRYPTOGRAPHIC PROTECTIONS (CRY) ..... 109
  P-CRY-01: USE OF CRYPTOGRAPHIC CONTROLS ..... 109
    P-CRY-01(A): USE OF CRYPTOGRAPHIC CONTROLS | ALTERNATE PHYSICAL PROTECTION ..... 110
    P-CRY-01(B): USE OF CRYPTOGRAPHIC CONTROLS | EXPORT-CONTROLLED TECHNOLOGY ..... 110
  P-CRY-02: CRYPTOGRAPHIC MODULE AUTHENTICATION ..... 111
  P-CRY-03: TRANSMISSION CONFIDENTIALITY ..... 113
  P-CRY-04: TRANSMISSION INTEGRITY ..... 114
  P-CRY-05: ENCRYPTING DATA AT REST ..... 114
    P-CRY-05(A): ENCRYPTING DATA AT REST | STORAGE MEDIA ..... 115
  P-CRY-06: NON-CONSOLE ADMINISTRATIVE ACCESS ..... 116
  P-CRY-07: WIRELESS ACCESS AUTHENTICATION & ENCRYPTION ..... 117
  P-CRY-08: PUBLIC KEY INFRASTRUCTURE (PKI) ..... 117
  P-CRY-09: CRYPTOGRAPHIC KEY MANAGEMENT ..... 118
    P-CRY-09(C): CRYPTOGRAPHIC KEY MANAGEMENT | CRYPTOGRAPHIC KEY LOSS OR CHANGE ..... 119
    P-CRY-09(D): CRYPTOGRAPHIC KEY MANAGEMENT | CONTROL & DISTRIBUTION OF CRYPTOGRAPHIC KEYS ..... 120

DATA CLASSIFICATION & HANDLING (DCH) ..... 121
  P-DCH-01: DATA PROTECTION ..... 121
    P-DCH-01(A): DATA PROTECTION | DATA STEWARDSHIP ..... 122
  P-DCH-02: DATA & ASSET CLASSIFICATION ..... 123
  P-DCH-03: MEDIA ACCESS ..... 123
    P-DCH-03(B): MEDIA ACCESS | MASKING DISPLAYED DATA ..... 124
  P-DCH-04: MEDIA MARKING ..... 125
    P-DCH-04(A): MEDIA MARKING | AUTOMATED MARKING ..... 126
  P-DCH-06: MEDIA STORAGE ..... 126
    P-DCH-06(A): MEDIA STORAGE | PHYSICALLY SECURE ALL MEDIA ..... 127
    P-DCH-06(B): MEDIA STORAGE | SENSITIVE DATA INVENTORIES ..... 128
    P-DCH-06(D): MEDIA STORAGE | MAKING SENSITIVE DATA UNREADABLE IN STORAGE ..... 129
    P-DCH-06(E): MEDIA STORAGE | STORING AUTHENTICATION DATA ..... 130

  P-DCH-07: MEDIA TRANSPORTATION ..... 131
    P-DCH-07(A): MEDIA TRANSPORTATION | CUSTODIANS ..... 131
  P-DCH-08: PHYSICAL MEDIA DISPOSAL ..... 132
  P-DCH-09: DIGITAL MEDIA SANITIZATION ..... 133
    P-DCH-09(A): MEDIA SANITIZATION | MEDIA SANITIZATION DOCUMENTATION ..... 134
    P-DCH-09(C): MEDIA SANITIZATION | DESTRUCTION OF PERSONAL INFORMATION (PI) ..... 134
  P-DCH-10: MEDIA USE ..... 135
    P-DCH-10(A): MEDIA USE | LIMITATIONS ON USE ..... 136
  P-DCH-12: REMOVABLE MEDIA SECURITY ..... 137
  P-DCH-13: USE OF EXTERNAL INFORMATION SYSTEMS ..... 137
    P-DCH-13(A): USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS OF AUTHORIZED USE ..... 138
    P-DCH-13(B): USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES ..... 139
  P-DCH-14: INFORMATION SHARING ..... 140
  P-DCH-15: PUBLICLY ACCESSIBLE CONTENT ..... 141
  P-DCH-18: MEDIA & DATA RETENTION ..... 142
    P-DCH-18(A): MEDIA & DATA RETENTION | LIMIT PERSONAL INFORMATION (PI) ELEMENTS ..... 143
    P-DCH-18(B): MEDIA & DATA RETENTION | LIMIT PERSONAL INFORMATION (PI) IN TESTING, TRAINING & RESEARCH ..... 143
  P-DCH-24: INFORMATION LOCATION ..... 144
    P-DCH-24(A): INFORMATION LOCATION | AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION ..... 145
  P-DCH-25: TRANSFER OF PERSONAL INFORMATION ..... 146

EMBEDDED TECHNOLOGY (EMB) ..... 147
  P-EMB-01: EMBEDDED TECHNOLOGY SECURITY PROGRAM ..... 147

ENDPOINT SECURITY (END) ..... 148
  P-END-01: WORKSTATION SECURITY ..... 148
  P-END-02: ENDPOINT PROTECTION MEASURES ..... 149
  P-END-03: PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS ..... 150
    P-END-03(B): PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS | ACCESS RESTRICTION FOR CHANGE ..... 150
  P-END-04: MALICIOUS CODE PROTECTION (ANTI-MALWARE) ..... 151
    P-END-04(A): MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES ..... 152
    P-END-04(B): MALICIOUS CODE PROTECTION | DOCUMENTED PROTECTION MEASURES ..... 153
    P-END-04(F): MALICIOUS CODE PROTECTION | EVOLVING MALWARE THREATS ..... 153
    P-END-04(G): MALICIOUS CODE PROTECTION | ALWAYS ON PROTECTION ..... 154
  P-END-05: SOFTWARE FIREWALL ..... 155
  P-END-06: FILE INTEGRITY MONITORING (FIM) ..... 156
    P-END-06(A): FILE INTEGRITY MONITORING | INTEGRITY CHECKS ..... 157
    P-END-06(B): FILE INTEGRITY MONITORING | INTEGRATION OF DETECTION & RESPONSE ..... 158
  P-END-10: MOBILE CODE ..... 158
  P-END-13: SENSOR CAPABILITY ..... 159
    P-END-13(A): SENSOR CAPABILITY | AUTHORIZED USE ..... 160
    P-END-13(B): SENSOR CAPABILITY | NOTICE OF COLLECTION ..... 161
    P-END-13(C): SENSOR CAPABILITY | COLLECTION MINIMIZATION ..... 161
  P-END-14: COLLABORATIVE COMPUTING DEVICES ..... 162
  P-END-16: SECURITY FUNCTION ISOLATION ..... 163
    P-END-16(A): SECURITY FUNCTION ISOLATION | HOST-BASED SECURITY FUNCTION ISOLATION ..... 164

HUMAN RESOURCES SECURITY (HRS) ..... 166
  P-HRS-01: HUMAN RESOURCES SECURITY MANAGEMENT ..... 166
  P-HRS-02: POSITION CATEGORIZATION ..... 166
    P-HRS-02(A): POSITION CATEGORIZATION | USERS WITH ELEVATED PRIVILEGES ..... 167
  P-HRS-03: ROLES & RESPONSIBILITIES ..... 168
    P-HRS-03(A): ROLES & RESPONSIBILITIES | USER AWARENESS ..... 169
    P-HRS-03(B): ROLES & RESPONSIBILITIES | COMPETENCY REQUIREMENTS FOR SECURITY-RELATED POSITIONS ..... 170
  P-HRS-04: PERSONNEL SCREENING ..... 171
    P-HRS-04(A): PERSONNEL SCREENING | ROLES WITH SPECIAL PROTECTION MEASURES ..... 172
    P-HRS-04(B): PERSONNEL SCREENING | FORMAL INDOCTRINATION ..... 172
  P-HRS-05: TERMS OF EMPLOYMENT ..... 173
    P-HRS-05(A): TERMS OF EMPLOYMENT | RULES OF BEHAVIOR ..... 173
    P-HRS-05(B): TERMS OF EMPLOYMENT | SOCIAL MEDIA & SOCIAL NETWORKING RESTRICTIONS ..... 174

    P-HRS-05(D): TERMS OF EMPLOYMENT | USE OF CRITICAL TECHNOLOGIES ..... 175
  P-HRS-06: ACCESS AGREEMENTS ..... 176
    P-HRS-06(A): ACCESS AGREEMENTS | CONFIDENTIALITY AGREEMENTS ..... 177
  P-HRS-07: PERSONNEL SANCTIONS ..... 178
    P-HRS-07(A): PERSONNEL SANCTIONS | WORKPLACE INVESTIGATIONS ..... 179
  P-HRS-08: PERSONNEL TRANSFER ..... 180
  P-HRS-09: PERSONNEL TERMINATION ..... 180
    P-HRS-09(A): PERSONNEL TERMINATION | ASSET COLLECTION ..... 181
    P-HRS-09(B): PERSONNEL TERMINATION | HIGH-RISK TERMINATIONS ..... 182
    P-HRS-09(C): PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS ..... 183
  P-HRS-10: THIRD-PARTY PERSONNEL SECURITY ..... 184
  P-HRS-11: SEPARATION OF DUTIES ..... 185
  P-HRS-12: INCOMPATIBLE ROLES ..... 186
    P-HRS-12(A): INCOMPATIBLE ROLES | TWO-PERSON RULE ..... 186

IDENTIFICATION & AUTHENTICATION (IAC) ..... 188
  P-IAC-01: IDENTITY & ACCESS MANAGEMENT (IAM) ..... 188
  P-IAC-02: IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS ..... 188
    P-IAC-02(B): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT ..... 189
  P-IAC-04: IDENTIFICATION & AUTHENTICATION FOR DEVICES ..... 190
  P-IAC-06: MULTIFACTOR AUTHENTICATION (MFA) ..... 191
    P-IAC-06(A): MULTI-FACTOR AUTHENTICATION (MFA) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS ..... 191
    P-IAC-06(B): MULTI-FACTOR AUTHENTICATION (MFA) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS ..... 192
    P-IAC-06(C): MULTI-FACTOR AUTHENTICATION (MFA) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS ..... 193
  P-IAC-07: USER PROVISIONING & DE-PROVISIONING ..... 194
    P-IAC-07(A): USER PROVISIONING & DE-PROVISIONING | CHANGE OF ROLES & DUTIES ..... 194
    P-IAC-07(B): USER PROVISIONING & DE-PROVISIONING | TERMINATION OF EMPLOYMENT ..... 195
  P-IAC-08: ROLE-BASED ACCESS CONTROL (RBAC) ..... 196
  P-IAC-09: IDENTIFIER MANAGEMENT (USER NAMES) ..... 198
    P-IAC-09(A): IDENTIFIER MANAGEMENT | USER IDENTITY (ID) MANAGEMENT ..... 200
    P-IAC-09(F): IDENTIFIER MANAGEMENT | PAIRWISE PSEUDONYMOUS IDENTIFIERS ..... 200
  P-IAC-10: AUTHENTICATOR MANAGEMENT (PASSWORDS) ..... 201
    P-IAC-10(A): AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION ..... 202
    P-IAC-10(H): AUTHENTICATOR MANAGEMENT | VENDOR-SUPPLIED DEFAULTS ..... 203
  P-IAC-11: AUTHENTICATOR FEEDBACK ..... 204
  P-IAC-12: CRYPTOGRAPHIC MODULE AUTHENTICATION ..... 204
  P-IAC-14: RE-AUTHENTICATION ..... 205
  P-IAC-15: ACCOUNT MANAGEMENT ..... 206
    P-IAC-15(A): ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT ..... 207
    P-IAC-15(B): ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS ..... 208
    P-IAC-15(C): ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS ..... 209
    P-IAC-15(D): ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS ..... 209
    P-IAC-15(E): ACCOUNT MANAGEMENT | RESTRICTIONS ON SHARED GROUPS / ACCOUNTS ..... 210
    P-IAC-15(F): ACCOUNT MANAGEMENT | ACCOUNT DISABLING FOR HIGH RISK INDIVIDUALS ..... 211
    P-IAC-15(G): ACCOUNT MANAGEMENT | SYSTEM ACCOUNTS ..... 211
  P-IAC-16: PRIVILEGED ACCOUNT MANAGEMENT (PAM) ..... 212
    P-IAC-16(A): PRIVILEGED ACCOUNT MANAGEMENT (PAM) | PRIVILEGED ACCOUNT INVENTORIES ..... 213
  P-IAC-18: USER RESPONSIBILITIES FOR ACCOUNT MANAGEMENT ..... 213
  P-IAC-19: CREDENTIAL SHARING ..... 214
  P-IAC-20: ACCESS ENFORCEMENT ..... 215
    P-IAC-20(A): ACCESS ENFORCEMENT | ACCESS TO SENSITIVE DATA ..... 216
    P-IAC-20(B): ACCESS ENFORCEMENT | DATABASE ACCESS ..... 217
    P-IAC-20(C): ACCESS ENFORCEMENT | USE OF PRIVILEGED UTILITY PROGRAMS ..... 218
  P-IAC-21: LEAST PRIVILEGE ..... 218
    P-IAC-21(A): LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS ..... 219
    P-IAC-21(B): LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NON-SECURITY FUNCTIONS ..... 220
    P-IAC-21(C): LEAST PRIVILEGE | PRIVILEGED ACCOUNTS ..... 221
    P-IAC-21(D): LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS ..... 222

    P-IAC-21(E): LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS ..... 223
  P-IAC-22: ACCOUNT LOCKOUT ..... 224
  P-IAC-24: SESSION LOCK ..... 224
    P-IAC-24(A): SESSION LOCK | PATTERN-HIDING DISPLAYS ..... 225
  P-IAC-25: SESSION TERMINATION ..... 226

INCIDENT RESPONSE (IRO) ..... 227
  P-IRO-01: INCIDENT RESPONSE OPERATIONS ..... 227
  P-IRO-02: INCIDENT HANDLING ..... 228
    P-IRO-02(A): INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES ..... 229
    P-IRO-02(B): INCIDENT HANDLING | IDENTITY THEFT PROTECTION PROGRAM (ITPP) ..... 229
  P-IRO-03: INDICATORS OF COMPROMISE (IOC) ..... 230
  P-IRO-04: INCIDENT RESPONSE PLAN (IRP) ..... 231
    P-IRO-04(A): INCIDENT RESPONSE PLAN (IRP) | PERSONAL INFORMATION (PI) PROCESSES ..... 232
    P-IRO-04(B): INCIDENT RESPONSE PLAN (IRP) | IRP UPDATE ..... 233
  P-IRO-05: INCIDENT RESPONSE TRAINING ..... 234
  P-IRO-06: INCIDENT RESPONSE TESTING ..... 234
    P-IRO-06(A): INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS ..... 235
  P-IRO-07: INTEGRATED SECURITY INCIDENT RESPONSE TEAM (ISIRT) ..... 236
  P-IRO-08: CHAIN OF CUSTODY & FORENSICS ..... 237
  P-IRO-09: INCIDENT MONITORING & TRACKING ..... 237
    P-IRO-09(A): INCIDENT MONITORING & TRACKING | AUTOMATED TRACKING, DATA COLLECTION & ANALYSIS ..... 238
  P-IRO-10: INCIDENT REPORTING ..... 239
    P-IRO-10(A): INCIDENT REPORTING | AUTOMATED REPORTING ..... 240
    P-IRO-10(B): INCIDENT REPORTING | CYBER INCIDENT REPORTING FOR COVERED DEFENSE INFORMATION (CDI) ..... 241
    P-IRO-10(C): INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS ..... 242
    P-IRO-10(D): INCIDENT REPORTING | SUPPLY CHAIN COORDINATION ..... 242
  P-IRO-11: INCIDENT REPORTING ASSISTANCE ..... 243
    P-IRO-11(B): INCIDENT REPORTING ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS ..... 244
  P-IRO-13: ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED ..... 245
  P-IRO-14: REGULATORY & LAW ENFORCEMENT CONTACTS ..... 247

INFORMATION ASSURANCE (IAO) ..... 248
  P-IAO-01: INFORMATION ASSURANCE (IA) OPERATIONS ..... 248
  P-IAO-02: SECURITY ASSESSMENTS ..... 249
    P-IAO-02(A): SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS ..... 250
  P-IAO-03: SYSTEM SECURITY PLANS (SSP) ..... 250
    P-IAO-03(A): PL-02(A): SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES ..... 253
  P-IAO-04: THREAT ANALYSIS & FLAW REMEDIATION DURING DEVELOPMENT ..... 253
  P-IAO-05: PLAN OF ACTION & MILESTONES (POA&M) ..... 255
  P-IAO-07: SECURITY AUTHORIZATION ..... 256

MAINTENANCE (MNT) ..... 257
  P-MNT-01: MAINTENANCE OPERATIONS ..... 257
  P-MNT-02: CONTROLLED MAINTENANCE ..... 257
  P-MNT-04: MAINTENANCE TOOLS ..... 258
    P-MNT-04(A): MAINTENANCE TOOLS | INSPECT TOOLS ..... 259
    P-MNT-04(B): MAINTENANCE TOOLS | INSPECT MEDIA ..... 260
  P-MNT-05: NON-LOCAL MAINTENANCE ..... 261
    P-MNT-05(B): NON-LOCAL MAINTENANCE | NOTIFICATION OF NON-LOCAL MAINTENANCE ..... 261
    P-MNT-05(C): NON-LOCAL MAINTENANCE | CRYPTOGRAPHIC PROTECTION ..... 262
  P-MNT-06: MAINTENANCE PERSONNEL ..... 263
    P-MNT-06(A): MAINTENANCE PERSONNEL | MAINTENANCE PERSONNEL WITHOUT APPROPRIATE ACCESS ..... 264

MOBILE DEVICE MANAGEMENT (MDM) ..... 265
  P-MDM-02: ACCESS CONTROL FOR MOBILE DEVICES ..... 265
  P-MDM-03: FULL DEVICE & CONTAINER-BASED ENCRYPTION ..... 265
  P-MDM-04: TAMPER PROTECTION & DETECTION ..... 266
  P-MDM-05: REMOTE PURGING ..... 267

NETWORK SECURITY (NET) ..... 268

  P-NET-01: NETWORK SECURITY MANAGEMENT ..... 268
  P-NET-02: LAYERED DEFENSES ..... 269
    P-NET-02(B): LAYERED DEFENSES | GUEST NETWORKS ..... 270
  P-NET-03: BOUNDARY PROTECTION ..... 270
    P-NET-03(A): BOUNDARY PROTECTION | ACCESS POINTS ..... 272
    P-NET-03(B): BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES ..... 272
    P-NET-03(C): BOUNDARY PROTECTION | INTERNAL NETWORK ADDRESS SPACE ..... 273
  P-NET-04: DATA FLOW ENFORCEMENT – ACCESS CONTROL LISTS (ACLS) ..... 274
    P-NET-04(A): DATA FLOW ENFORCEMENT | DENY TRAFFIC BY DEFAULT & ALLOW TRAFFIC BY EXCEPTION ..... 275
    P-NET-04(F): DATA FLOW ENFORCEMENT | HUMAN REVIEWS ..... 277
  P-NET-05: SYSTEM INTERCONNECTIONS ..... 277
    P-NET-05(A): SYSTEM INTERCONNECTIONS | EXTERNAL SYSTEM CONNECTIONS ..... 278
    P-NET-05(B): SYSTEM INTERCONNECTIONS | INTERNAL SYSTEM CONNECTIONS ..... 279
  P-NET-07: NETWORK DISCONNECT ..... 280
  P-NET-08: NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) ..... 280
    P-NET-08(A): NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) | DMZ NETWORKS ..... 281
    P-NET-08(B): NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) | WIRELESS INTRUSION DETECTION / PREVENTION SYSTEMS (WIDS / WIPS) ..... 282
  P-NET-09: SESSION AUTHENTICITY ..... 283
  P-NET-10: DOMAIN NAME SERVICE (DNS) RESOLUTION ..... 283
    P-NET-10(A): DOMAIN NAME SERVICE (DNS) RESOLUTION | ARCHITECTURE & PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE ..... 284
    P-NET-10(B): DOMAIN NAME SERVICE (DNS) RESOLUTION | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) ..... 285
  P-NET-12: SAFEGUARDING DATA OVER OPEN NETWORKS ..... 286
    P-NET-12(A): SAFEGUARDING DATA OVER OPEN NETWORKS | WIRELESS LINK PROTECTION ..... 287
    P-NET-12(B): SAFEGUARDING DATA OVER OPEN NETWORKS | END-USER MESSAGING TECHNOLOGIES ..... 288
  P-NET-13: ELECTRONIC MESSAGING ..... 288
  P-NET-14: REMOTE ACCESS ..... 289
    P-NET-14(A): REMOTE ACCESS | AUTOMATED MONITORING & CONTROL ..... 290
    P-NET-14(B): REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION ..... 291
    P-NET-14(C): REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS ..... 291
    P-NET-14(D): REMOTE ACCESS | PRIVILEGED COMMANDS & ACCESS ..... 292
    P-NET-14(E): REMOTE ACCESS | TELECOMMUTING ..... 293
    P-NET-14(F): REMOTE ACCESS | THIRD-PARTY REMOTE ACCESS GOVERNANCE ..... 293
  P-NET-15: WIRELESS NETWORKING ..... 294
    P-NET-15(A): WIRELESS ACCESS | AUTHENTICATION & ENCRYPTION ..... 295
    P-NET-15(E): WIRELESS ACCESS | ROGUE WIRELESS DETECTION ..... 296
  P-NET-16: INTRANETS ..... 296
  P-NET-17: DATA LOSS PREVENTION (DLP) ..... 297
  P-NET-18: CONTENT FILTERING ..... 298
    P-NET-18(A): CONTENT FILTERING | ROUTE TRAFFIC TO PROXY SERVERS ..... 299

PHYSICAL & ENVIRONMENTAL SECURITY (PES) ..... 301
  P-PES-01: PHYSICAL & ENVIRONMENTAL PROTECTIONS ..... 301
  P-PES-02: PHYSICAL ACCESS AUTHORIZATIONS ..... 301
    P-PES-02(A): PHYSICAL ACCESS AUTHORIZATIONS | ROLE-BASED PHYSICAL ACCESS ..... 302
  P-PES-03: PHYSICAL ACCESS CONTROL ..... 303
    P-PES-03(A): PHYSICAL ACCESS CONTROL | CONTROLLED INGRESS & EGRESS POINTS ..... 304
    P-PES-03(C): PHYSICAL ACCESS CONTROL | PHYSICAL ACCESS LOGS ..... 305
  P-PES-04: PHYSICAL SECURITY OF OFFICES, ROOMS & FACILITIES ..... 306
    P-PES-04(A): PHYSICAL SECURITY OF OFFICES, ROOMS & FACILITIES | WORKING IN SECURE AREAS ..... 306
  P-PES-05: MONITORING PHYSICAL ACCESS ..... 307
    P-PES-05(A): MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT ..... 308
  P-PES-06: VISITOR CONTROL ..... 309
    P-PES-06(A): VISITOR CONTROL | DISTINGUISH VISITORS FROM ON-SITE PERSONNEL ..... 310
    P-PES-06(B): VISITOR CONTROL | IDENTIFICATION REQUIREMENT ..... 310
    P-PES-06(C): VISITOR CONTROL | RESTRICT UNESCORTED ACCESS ..... 311
  P-PES-07: SUPPORTING UTILITIES ..... 312

    P-PES-07(A): SUPPORTING UTILITIES | AUTOMATIC VOLTAGE CONTROLS ..... 313
  P-PES-10: DELIVERY & REMOVAL ..... 313
  P-PES-11: ALTERNATE WORK SITE ..... 314
  P-PES-12: EQUIPMENT SITING & PROTECTION ..... 315
    P-PES-12(A): EQUIPMENT SITING & PROTECTION | ACCESS CONTROL FOR TRANSMISSION MEDIUM ..... 316
    P-PES-12(B): EQUIPMENT SITING & PROTECTION | ACCESS CONTROL FOR OUTPUT DEVICES ..... 317

PRIVACY (PRI) ..... 318
  P-PRI-01: PRIVACY PROGRAM ..... 318
    P-PRI-01(A): PRIVACY PROGRAM | CHIEF PRIVACY OFFICER (CPO) ..... 318
    P-PRI-01(D): PRIVACY PROGRAM | DATA PROTECTION OFFICER (DPO) ..... 319
  P-PRI-02: NOTICE ..... 320
    P-PRI-02(A): NOTICE | PURPOSE SPECIFICATION ..... 321
    P-PRI-02(B): NOTICE | AUTOMATION ..... 321
  P-PRI-03: CHOICE & CONSENT ..... 322
    P-PRI-03(A): CHOICE & CONSENT | ATTRIBUTE MANAGEMENT ..... 323
    P-PRI-03(B): CHOICE & CONSENT | JUST-IN-TIME NOTICE & CONSENT ..... 323
  P-PRI-04: COLLECTION ..... 324
    P-PRI-04(A): COLLECTION | AUTHORITY TO COLLECT ..... 325
  P-PRI-05: USE, RETENTION & DISPOSAL ..... 326
    P-PRI-05(A): USE, RETENTION & DISPOSAL | INTERNAL USE ..... 326
    P-PRI-05(B): USE, RETENTION & DISPOSAL | DATA INTEGRITY ..... 327
    P-PRI-05(C): USE, RETENTION & DISPOSAL | DATA MASKING ..... 328
    P-PRI-05(D): USE, RETENTION & DISPOSAL | USAGE RESTRICTIONS OF PERSONAL INFORMATION (PI) ..... 328
  P-PRI-06: RIGHT OF ACCESS ..... 329
    P-PRI-06(A): RIGHT OF ACCESS | REDRESS ..... 330
    P-PRI-06(B): RIGHT OF ACCESS | NOTICE OF CORRECTION OR AMENDMENT ..... 331
    P-PRI-06(C): RIGHT OF ACCESS | APPEAL ..... 331
    P-PRI-06(D): RIGHT OF ACCESS | USER FEEDBACK MANAGEMENT ..... 332
    P-PRI-06(E): RIGHT OF ACCESS | RIGHT TO ERASURE ..... 333
    P-PRI-06(F): RIGHT OF ACCESS | DATA PORTABILITY ..... 334
  P-PRI-07: INFORMATION SHARING WITH THIRD PARTIES ..... 334
    P-PRI-07(A): INFORMATION SHARING WITH THIRD PARTIES | PRIVACY REQUIREMENTS FOR CONTRACTORS & SERVICE PROVIDERS ..... 336
  P-PRI-08: TESTING, TRAINING & MONITORING ..... 337
  P-PRI-09: SYSTEM OF RECORDS NOTICE (SORN) ..... 337
  P-PRI-10: DATA QUALITY MANAGEMENT ..... 338
    P-PRI-10(A): DATA QUALITY MANAGEMENT | AUTOMATION ..... 339
  P-PRI-12: UPDATING PERSONAL INFORMATION (PI) ..... 340
  P-PRI-13: DATA MANAGEMENT BOARD ..... 340
  P-PRI-14: PRIVACY REPORTING ..... 341
    P-PRI-14(A): PRIVACY REPORTING | ACCOUNTING OF DISCLOSURES ..... 342
  P-PRI-15: REGISTER DATABASE ..... 343

PROJECT & RESOURCE MANAGEMENT (PRM) ..... 345
  P-PRM-01: SECURITY PORTFOLIO MANAGEMENT ..... 345
  P-PRM-03: ALLOCATION OF RESOURCES ..... 345
  P-PRM-04: SECURITY IN PROJECT MANAGEMENT ..... 346
  P-PRM-05: SECURITY REQUIREMENTS DEFINITION ..... 347
  P-PRM-07: SECURE DEVELOPMENT LIFE CYCLE (SDLC) MANAGEMENT ..... 348

RISK MANAGEMENT (RSK) ..... 350
  P-RSK-01: RISK MANAGEMENT PROGRAM ..... 350
    P-RSK-01(A): RISK MANAGEMENT PROGRAM (RMP) | RISK FRAMING ..... 351
  P-RSK-02: RISK-BASED SECURITY CATEGORIZATION ..... 351
  P-RSK-03: RISK IDENTIFICATION ..... 352
  P-RSK-04: RISK ASSESSMENT ..... 353
    P-RSK-04(A): RISK ASSESSMENT | RISK REGISTER ..... 354
  P-RSK-05: RISK RANKING ..... 355
  P-RSK-06: RISK REMEDIATION ..... 355

    P-RSK-06(A): RISK REMEDIATION | RISK RESPONSE ..... 356
  P-RSK-07: RISK ASSESSMENT UPDATE ..... 357
  P-RSK-08: BUSINESS IMPACT ANALYSIS (BIA) ..... 357
  P-RSK-09: SUPPLY CHAIN RISK MANAGEMENT PLAN ..... 358
    P-RSK-09(A): SUPPLY CHAIN RISK MANAGEMENT PLAN | SUPPLY CHAIN RISK ASSESSMENT ..... 359
  P-RSK-10: DATA PROTECTION IMPACT ASSESSMENT (DPIA) ..... 360

SECURE ENGINEERING & ARCHITECTURE (SEA) ..... 362
  P-SEA-01: SECURE ENGINEERING PRINCIPLES ..... 362
    P-SEA-01(A): SECURE ENGINEERING PRINCIPLES | CENTRALIZED MANAGEMENT OF CYBERSECURITY & PRIVACY CONTROLS ..... 363
  P-SEA-02: ALIGNMENT WITH ENTERPRISE ARCHITECTURE ..... 364
    P-SEA-02(A): ALIGNMENT WITH ENTERPRISE ARCHITECTURE | STANDARDIZED TERMINOLOGY ..... 365
  P-SEA-03: DEFENSE-IN-DEPTH (DID) ARCHITECTURE ..... 365
    P-SEA-03(B): DEFENSE-IN-DEPTH (DID) ARCHITECTURE | APPLICATION PARTITIONING ..... 366
  P-SEA-04: PROCESS ISOLATION ..... 367
    P-SEA-04(A): PROCESS ISOLATION | SECURITY FUNCTION ISOLATION ..... 368
  P-SEA-05: INFORMATION IN SHARED RESOURCES ..... 369
  P-SEA-07: PREDICTABLE FAILURE ANALYSIS ..... 369
    P-SEA-07(A): PREDICTABLE FAILURE ANALYSIS | TECHNOLOGY LIFECYCLE MANAGEMENT ..... 370
    P-SEA-07(B): PREDICTABLE FAILURE ANALYSIS | FAIL SECURE ..... 371
  P-SEA-10: MEMORY PROTECTION ..... 371
  P-SEA-15: DISTRIBUTED PROCESSING & STORAGE ..... 372
  P-SEA-17: SECURE LOG-ON PROCEDURES ..... 373
  P-SEA-18: SYSTEM USE NOTIFICATION (LOGON BANNER) ..... 373
    P-SEA-18(A): SYSTEM USE NOTIFICATION | STANDARDIZED MICROSOFT WINDOWS BANNER ..... 374
    P-SEA-18(B): SYSTEM USE NOTIFICATION | TRUNCATED BANNER ..... 375
  P-SEA-20: CLOCK SYNCHRONIZATION ..... 376

SECURITY OPERATIONS (OPS) ..... 378
  P-OPS-01: OPERATIONS SECURITY ..... 378
    P-OPS-01(A): OPERATIONS SECURITY | STANDARDIZED OPERATING PROCEDURES (SOP) ..... 378
  P-OPS-02: SECURITY CONCEPT OF OPERATIONS (CONOPS) ..... 379

SECURITY AWARENESS & TRAINING (SAT) ..... 380
  P-SAT-01: SECURITY & PRIVACY-MINDED WORKFORCE ..... 380
  P-SAT-02: SECURITY & PRIVACY AWARENESS ..... 381
    P-SAT-02(A): SECURITY AWARENESS | PRACTICAL EXERCISES ..... 382
    P-SAT-02(B): SECURITY AWARENESS | SOCIAL ENGINEERING & MINING ..... 383
  P-SAT-03: SECURITY & PRIVACY TRAINING ..... 384
    P-SAT-03(C): SECURITY & PRIVACY TRAINING | SENSITIVE INFORMATION STORAGE, HANDLING & PROCESSING ..... 384
    P-SAT-03(E): SECURITY & PRIVACY TRAINING | PRIVILEGED USERS ..... 386
  P-SAT-04: TRAINING RECORDS ..... 386

TECHNOLOGY DEVELOPMENT & ACQUISITION (TDA) ..... 388
  P-TDA-01: TECHNOLOGY DEVELOPMENT & ACQUISITION ..... 388
    P-TDA-01(A): TECHNOLOGY DEVELOPMENT & ACQUISITION | PRODUCT MANAGEMENT ..... 388
    P-TDA-01(B): TECHNOLOGY DEVELOPMENT & ACQUISITION | INTEGRITY MECHANISMS FOR SOFTWARE / FIRMWARE UPDATES ..... 389
    P-TDA-01(C): TECHNOLOGY DEVELOPMENT & ACQUISITION | MALWARE TESTING PRIOR TO RELEASE ..... 391
  P-TDA-02: SECURITY REQUIREMENTS ..... 392
    P-TDA-02(A): SECURITY REQUIREMENTS | PORTS, PROTOCOLS & SERVICES IN USE ..... 392
    P-TDA-02(B): SECURITY REQUIREMENTS | USE OF APPROVED PIV PRODUCTS ..... 393
  P-TDA-04: DOCUMENTATION REQUIREMENTS ..... 394
    P-TDA-04(A): DOCUMENTATION REQUIREMENTS | FUNCTIONAL PROPERTIES ..... 395
  P-TDA-06: SECURE CODING ..... 396
    P-TDA-06(A): SECURE CODING | CRITICALITY ANALYSIS ..... 397
  P-TDA-07: SECURE DEVELOPMENT ENVIRONMENTS ..... 398
  P-TDA-08: SEPARATION OF DEVELOPMENT, TESTING & OPERATIONAL ENVIRONMENTS ..... 398
  P-TDA-09: SECURITY & PRIVACY TESTING THROUGHOUT DEVELOPMENT ..... 399
    P-TDA-09(B): SECURITY & PRIVACY TESTING THROUGHOUT DEVELOPMENT | STATIC CODE ANALYSIS ..... 400

  P-TDA-10: USE OF LIVE DATA ..... 401
    P-TDA-10(A): USE OF LIVE DATA | TEST DATA INTEGRITY ..... 402
  P-TDA-14: DEVELOPER CONFIGURATION MANAGEMENT ..... 402
    P-TDA-14(A): DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION ..... 403
  P-TDA-15: DEVELOPER THREAT ANALYSIS & FLAW REMEDIATION ..... 404
  P-TDA-20: ACCESS TO PROGRAM SOURCE CODE ..... 406

THIRD-PARTY MANAGEMENT (TPM) ..... 407
  P-TPM-01: THIRD-PARTY MANAGEMENT ..... 407
  P-TPM-02: THIRD-PARTY CRITICALITY ASSESSMENTS ..... 408
  P-TPM-03: SUPPLY CHAIN PROTECTION ..... 408
    P-TPM-03(A): SUPPLY CHAIN PROTECTION | ACQUISITION STRATEGIES, TOOLS & METHODS ..... 410
    P-TPM-03(B): SUPPLY CHAIN PROTECTION | LIMIT POTENTIAL HARM ..... 411
    P-TPM-03(C): SUPPLY CHAIN PROTECTION | PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES ..... 411
  P-TPM-04: THIRD-PARTY SERVICES ..... 412
    P-TPM-04(A): THIRD-PARTY SERVICES | THIRD-PARTY RISK ASSESSMENTS & APPROVALS ..... 413
    P-TPM-04(B): THIRD-PARTY SERVICES | IDENTIFICATION OF FUNCTIONS, PORTS, PROTOCOLS & SERVICES ..... 414
    P-TPM-04(D): THIRD-PARTY SERVICES | THIRD-PARTY PROCESSING, STORAGE AND SERVICE LOCATIONS ..... 415
  P-TPM-05: THIRD-PARTY CONTRACT REQUIREMENTS ..... 417
  P-TPM-06: THIRD-PARTY PERSONNEL SECURITY ..... 418
  P-TPM-08: REVIEW OF THIRD-PARTY SERVICES ..... 418
  P-TPM-10: MANAGING CHANGES TO THIRD-PARTY SERVICES ..... 419
  P-TPM-11: THIRD-PARTY INCIDENT RESPONSE & RECOVERY CAPABILITIES ..... 420

THREAT MANAGEMENT (THR) ..... 422
  P-THR-01: THREAT AWARENESS PROGRAM ..... 422
  P-THR-03: THREAT INTELLIGENCE FEEDS ..... 422
  P-THR-05: INSIDER THREAT AWARENESS ..... 423

VULNERABILITY & PATCH MANAGEMENT (VPM) ..... 425
  P-VPM-01: VULNERABILITY & PATCH MANAGEMENT PROGRAM ..... 425
  P-VPM-03: VULNERABILITY RANKING ..... 425
  P-VPM-04: CONTINUOUS VULNERABILITY REMEDIATION ACTIVITIES ..... 426
    P-VPM-04(B): CONTINUOUS VULNERABILITY REMEDIATION ACTIVITIES | FLAW REMEDIATION WITH PERSONAL INFORMATION (PI) ..... 427
  P-VPM-05: SOFTWARE PATCHING ..... 428
    P-VPM-05(A): SOFTWARE PATCHING | CENTRALIZED MANAGEMENT ..... 429
  P-VPM-06: VULNERABILITY SCANNING ..... 430
    P-VPM-06(A): VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY ..... 431
    P-VPM-06(C): VULNERABILITY SCANNING | PRIVILEGED ACCESS ..... 432
    P-VPM-06(F): VULNERABILITY SCANNING | EXTERNAL VULNERABILITY ASSESSMENT SCANS ..... 432
    P-VPM-06(G): VULNERABILITY SCANNING | INTERNAL VULNERABILITY ASSESSMENT SCANS ..... 433
  P-VPM-07: PENETRATION TESTING ..... 434
    P-VPM-07(A): PENETRATION TESTING | INDEPENDENT PENETRATION AGENT OR TEAM ..... 435
  P-VPM-10: RED TEAM EXERCISES ..... 436

WEB SECURITY (WEB) ..... 437
  P-WEB-01: WEB SECURITY ..... 437
  P-WEB-02: USE OF DEMILITARIZED ZONES (DMZ) ..... 437

CYBERSECURITY OPERATING PROCEDURES (CSOP) APPENDICES ..... 438
  APPENDIX A: GUIDE TO WRITING PROCEDURES ..... 438
    A-1: NECESSARY COMPONENTS FOR WRITTEN PROCEDURES ..... 439
    A-2: PROCEDURE MAPPING – BREAKING OUT THE REQUIREMENTS ..... 440
    A-3: EXAMPLE PROCEDURE (HOW IT ALL COMES TOGETHER) ..... 440
    A-4: CONSIDERATIONS WHEN SCOPING PROCEDURES ..... 440
  APPENDIX B: AVAILABLE TOOLS & SERVICES ..... 442
    B-1: TOOL / SERVICE 1 ..... 442
    B-2: TOOL / SERVICE 2 ..... 442
    B-3: TOOL / SERVICE 3 ..... 442
    B-4: TOOL / SERVICE 1 ..... 442


B-5: TOOL / SERVICE 2 442
B-6: TOOL / SERVICE 3 442
APPENDIX C: KEY STAKEHOLDERS 443
C-1: CYBERSECURITY 443
C-2: INFORMATION TECHNOLOGY (IT) 443
C-3: RETAIL SUPPORT 443
C-4: VENDORS / SERVICE PROVIDERS 444
C-5: LEGAL 444
C-6: PROCUREMENT 445
C-7: HUMAN RESOURCES 445
C-8: PHYSICAL SECURITY 446
APPENDIX D: CYBERSECURITY ROLES & RESPONSIBILITIES 447
D-1: INFORMATION SECURITY ROLE CATEGORIES 447
D-2: INFORMATION SECURITY SPECIALTY AREAS (ROLES) 448
D-3: INFORMATION SECURITY WORK ROLES & RESPONSIBILITIES 451
APPENDIX E: SYSTEM HARDENING 458
E-1: SERVER-CLASS SYSTEMS 458
E-2: WORKSTATION-CLASS SYSTEMS 458
E-3: NETWORK DEVICES 458
E-4: MOBILE DEVICES 458
E-5: DATABASES 459
APPENDIX F: USER NAME TAXONOMY (GUIDANCE ON TYPES OF USER NAMES) 460
F-1: INDIVIDUAL USER NAMES 460
F-2: GROUP & SHARED ACCOUNT USER NAMES 461
GLOSSARY: ACRONYMS & DEFINITIONS 462
ACRONYMS 462
DEFINITIONS 462
RECORD OF CHANGES 463


OVERVIEW, INSTRUCTIONS & EXAMPLE

KEY TERMINOLOGY
With the Cybersecurity Standardized Operating Procedures (CSOP), it is important to understand a few key terms:

Procedure / Control Activity: Procedures represent an established way of doing something, such as a series of actions conducted in a specified order or manner. Some organizations refer to procedures as “control activities” and the terms are essentially synonymous. In the CSOP, the terms procedure and control activity are used interchangeably.

Process Owner: The name of the individual or team accountable for the procedure being performed. This identifies the accountable party who ensures the procedure is performed. This role is one of oversight and management.

o Example: The Security Operations Center (SOC) Supervisor is accountable for his/her team collecting log files, performing analysis and escalating potential incidents for further investigation.

Process Operator: The name of the individual or team responsible for performing the procedure’s tasks. This identifies the responsible party who actually performs the task. This role is a “doer” and performs tasks.

o Example: The SOC analyst is responsible for performing daily log reviews, evaluating anomalous activities and responding to potential incidents in accordance with the organization’s Incident Response Plan (IRP).

OVERVIEW
The Cybersecurity Standardized Operating Procedures (CSOP) is a catalog of procedure / control activity statements. These are templates that require slight modification to suit the specific needs of the organization.

CUSTOMIZATION GUIDANCE
The content of the CSOP does require a certain level of customization by any organization, since every organization differs in the people, processes and technology available to perform these procedures / control activities. Essentially, we have done the heavy lifting in developing the template and pre-populating a significant amount of content. Our target is for about 80% of the content to come from the template, leaving the remaining 20% for customization with specifics that only the organization would know; for example, the organization may call its change management group the Change Advisory Board (CAB) instead of the Change Control Board (CCB). Those small changes in roles, titles, department names and technologies in use are the content that needs to be filled into the template to finalize the procedures / control activities.

VALIDATING NEEDS FOR PROCEDURES / CONTROL ACTIVITIES
Procedures are not meant to be documented for the sake of generating paperwork. Procedures exist to satisfy a specific operational need and to be complied with:

If procedures exist and are not tied to a standard, then management should review why the procedure is in place. A procedure that lacks a mapping to a standard may indicate “mission creep” and represent an opportunity to reassign the work or cease performing the procedure.

UNDERSTANDING CONTROL OBJECTIVES & CONTROLS
As part of the CSOP, you will see Control Objectives and Controls for each of the CSOP procedures:

The origin of the Control Objectives is the NIST 800-171 Information Security Program (NSP), which consolidates multiple statutory, regulatory and contractual requirements into a single control objective.

The origin of the Controls is the Secure Controls Framework (SCF), which is an open-source set of cybersecurity and privacy controls.

Note: The footnotes at the bottom of the page and the accompanying Excel spreadsheet provide mapping between the control objectives, controls and leading frameworks, including statutory, regulatory and contractual obligations.


PROCEDURES DOCUMENTATION
The objective of the CSOP is to provide management direction and support for cybersecurity in accordance with business requirements, as well as relevant laws, regulations and contractual obligations. Procedures should be both clearly written and concise.

Procedure documentation is meant to provide evidence of due diligence that standards are complied with. Well-managed procedures are critical to a security program, since procedures represent the specific activities that are performed to protect systems and data. Procedures serve a critical function in cybersecurity: most other documentation produces evidence of due care, but procedures are unique in that they generate evidence of due diligence. From a due care and due diligence perspective, it can be thought of this way:

Certain standards require processes to exist (due care: evidence demonstrates the standards exist).

Performing the activities outlined in a procedure and documenting the work that was performed satisfies the intent of the standard (due diligence: evidence demonstrates the standard is operating effectively).

The diagram shown below helps visualize the linkages in documentation that involve written procedures:

CONTROL OBJECTIVES exist to support POLICIES;
STANDARDS are written to support CONTROL OBJECTIVES;
PROCEDURES are written to implement the requirements that STANDARDS establish;
CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning; and
METRICS exist as a way to measure the performance of CONTROLS.

Documentation Flow Example.


NIST NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION (NICE) CYBERSECURITY WORKFORCE FRAMEWORK
The CSOP leverages the NIST NICE Cybersecurity Workforce Framework.1 The premise of this framework is that work roles have an impact on an organization’s ability to protect its data, systems and operations. Assigning work roles helps direct the work of employees and contractors and minimizes assumptions about who is responsible for certain cybersecurity and privacy tasks. The CSOP uses the work roles identified in the NIST NICE Cybersecurity Workforce Framework to make assigning the tasks associated with procedures / control activities more efficient and manageable. Keep in mind that these are merely recommendations and are fully editable for every organization; this is just a helpful point in the right direction.

NIST NICE Cybersecurity Workforce Framework – Work Categories

EXAMPLE
This example is a configuration procedure, P-CFG-02 (System Hardening Through Baseline Configurations).

PLEASE NOTE: THE PROCESS CRITERIA SECTION SHOWN BELOW CAN BE DELETED AND IS NOT PART OF THE PROCEDURE. The process criteria sections exist only as a useful tool to help build out the procedures by establishing criteria and creating a working space to capture key components that impact the procedure.

Process Criteria:

Process Owner: name of the individual or team accountable for the procedure being performed
o Example: The process owner for system hardening at ACME is the cybersecurity director, John Doe.

Process Operator: name of the individual or team responsible for performing the procedure’s tasks
o Example: The process operator for system hardening at ACME is split between several teams:
   Network gear is assigned to network admins.
   Servers are assigned to server admins.
   Laptops, desktops and mobile devices are assigned to the End User Computing (EUC) team.

Occurrence: how often does the procedure need to be conducted? Is it something that needs to be performed annually, semi-annually, quarterly, monthly, bi-weekly, weekly, daily, continuously or as needed?
o Example: Generally, system hardening is an “as needed” process that happens when new operating systems are released or when new technology is purchased. However, there should still be an annual review to ensure that appropriate baseline configurations exist and are current with what is deployed at ACME.

Scope of Impact: what is the potential impact of the procedure? Does it affect a system, application, process, team, department, user, client, vendor, geographic region or the entire company?
o Example: The scope affects the entire company. Any deviations from the secure baselines are handled on an individual basis.

Location of Additional Documentation: if applicable, is there a server, link or other repository where additional documentation is stored or can be found?
o Example: Baseline configurations, benchmarks and STIGs are located on server XYZ123 in the folder called “Secure Baselines” and it is available read-only to all users.

Performance Target: if applicable, is there a Service Level Agreement (SLA) or targeted timeline for the process to be completed?
o Example: There are no SLAs associated with baseline configurations.

Technology in Use: if applicable, what is the name of the application/system/service used to perform the procedure?
o Example: The following classes of systems and applications are in scope for this procedure:
   Server-Class Systems
   Workstation-Class Systems
   Network Devices
   Databases

1 NIST NICE Cybersecurity Workforce Framework - https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework


Control Objective: The organization develops and controls configuration standards for all system components that are consistent with industry-accepted system hardening standards. 2
[the control objective is meant to address the statutory, regulatory and contractual requirements identified in the footnote (see bottom of page in the footer section)]

Control: Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards.
[control wording comes directly from the Secure Controls Framework (SCF) control #CFG-02. The SCF is a free resource that can be downloaded from https://www.securecontrolsframework.com]

Procedure / Control Activity: Systems Security Developer [SP-SYS-001], in conjunction with the Technical Support Specialist [OM-STS-001] and Security Architect [SP-ARC-002]:

(1) Uses vendor-recommended settings and industry-recognized secure practices to ensure baseline system hardening configurations for all ACME-owned or managed assets comply with applicable legal, statutory and regulatory compliance obligations.

(2) Where technically feasible, aligns technology platforms with industry-recommended hardening guidance, including but not limited to:
   a. Center for Internet Security (CIS) Benchmarks;
   b. Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs); or
   c. Original Equipment Manufacturer (OEM) security configuration guides.

(3) Ensures that system hardening includes, but is not limited to:
   a. Technology platforms that include, but are not limited to:
      i. Server-Class Systems
         1. Microsoft Windows Server 2003
         2. Microsoft Windows Server 2008
         3. Microsoft Windows Server 2012
         4. Microsoft Windows Server 2016
         5. Red Hat Enterprise Linux (RHEL)
         6. Unix
         7. Solaris
      ii. Workstation-Class Systems
         1. Microsoft Windows XP
         2. Microsoft Windows 7
         3. Microsoft Windows 8
         4. Microsoft Windows 10
         5. Apple
         6. Fedora (Linux)
         7. Ubuntu (Linux)
         8. SUSE (Linux)
      iii. Network Devices
         1. Firewalls
         2. Routers
         3. Load balancers
         4. Virtual Private Network (VPN) concentrators
         5. Wireless Access Points (WAPs)
         6. Wireless controllers
         7. Printers
         8. Multi-Function Devices (MFDs)
      iv. Mobile Devices
         1. Tablets
         2. Mobile phones
         3. Other portable electronic devices
      v. Databases
         1. MySQL
         2. Microsoft SQL Server
         3. Microsoft SQL Server Express
         4. Oracle
         5. DB2
      Note: Windows XP and Windows Server 2003 are past vendor end-of-support and receive neither patches nor current hardening guidance; keep such entries in the platform list only as documented, time-bound exceptions approved under step (5).

2 NIST 800-53 rev4 CM-2 & CM-6 | FedRAMP | NIST 800-171 3.4.1 & 3.4.2 | PCI DSS 1.1 & 1.1.1 | NIST CSF PR.IP-1 | DFARS 252.204-7008 | CSC 3.1 | CCM GRM-01 & IVS-07 | COBIT5 BAI10.02 | NISPOM 8-202, 8-311 & 8-610

   b. Enforcing least functionality, which includes but is not limited to:
      i. Allowing only necessary and secure services, protocols and daemons;
      ii. Removing all unnecessary functionality, which includes but is not limited to:
         1. Scripts;
         2. Drivers;
         3. Features;
         4. Subsystems;
         5. File systems; and
         6. Unnecessary web servers.
   c. Configuring and documenting only the necessary ports, protocols and services to meet business needs;
   d. Implementing security features for any required services, protocols or daemons that are considered to be insecure, which includes but is not limited to using secured technologies such as Secure Shell (SSH), SSH File Transfer Protocol (SFTP), Transport Layer Security (TLS) or IPsec VPN to protect insecure services such as NetBIOS, file sharing, Telnet and FTP;
   e. Installing and configuring appropriate technical controls, such as:
      i. Antimalware;
      ii. Software firewall;
      iii. Event logging; and
      iv. File Integrity Monitoring (FIM), as required; and
   f. As applicable, implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server (e.g., web servers, database servers and DNS should be implemented on separate servers).

(4) Documents and validates that security parameters are configured to prevent misuse.

(5) Authorizes deviations from standard baseline configurations in accordance with ACME’s change management processes, prior to deployment, provisioning or use.

(6) Validates and refreshes configurations on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors. Unless a technical or business reason exists, standardized images are used to represent hardened versions of the underlying operating system and the applications installed on the system.

(7) On at least an annual basis, during the 2nd quarter of the calendar year, reviews the process for non-conforming instances. As needed, revises processes to address necessary changes and evolving conditions. Whenever the process is updated:
   a. Distributes copies of the change to key personnel; and
   b. Communicates the changes and updates to key personnel.

(8) If necessary, requests corrective action to address identified deficiencies.
(9) If necessary, validates corrective action occurred to appropriately remediate deficiencies.
(10) If necessary, documents the results of corrective action and notes findings.
(11) If necessary, requests additional corrective action to address unremediated deficiencies.
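Steps (3)(b), (3)(c), (3)(e)(iv) and (4) above say what a hardened baseline must contain and that its security parameters are documented and validated, but not how a process operator confirms that a running host still matches the approved baseline. The script below is an added example; it is not part of the CSOP and not the authors' tooling. Everything in it is constructed for illustration: the approved listener and service sets for a single-function web server, the sample `ss -tulnp` and `systemctl list-unit-files --state=enabled` output, and the sshd_config and login.defs contents. On a real host the same functions are fed the live command output and the real files.

```python
"""Baseline deviation check for a hardened Linux host.
Added example, not CSOP text: compares constructed observations (sample
`ss -tulnp` and `systemctl list-unit-files --state=enabled` output, sample
file contents) with a constructed baseline for a single-function web server."""
import hashlib
import re

# Documented baseline for the "web-server" role (assumed values, steps 3(b), 3(c), 3(f)).
APPROVED_LISTENERS = {
    ("tcp", 22, "sshd"),    # management access: SSH only, never Telnet
    ("tcp", 443, "nginx"),  # the server's one primary function
}
APPROVED_SERVICES = {"auditd.service", "nginx.service", "rsyslog.service", "sshd.service"}

# Constructed observations from the host under review.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*     users:(("rpcbind",pid=612,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1002,fd=6))
tcp   LISTEN 0      100        127.0.0.1:25        0.0.0.0:*     users:(("master",pid=990,fd=13))
tcp   LISTEN 0      80           0.0.0.0:23        0.0.0.0:*     users:(("in.telnetd",pid=1200,fd=4))
"""
SYSTEMCTL_OUTPUT = """\
UNIT FILE       STATE   PRESET
auditd.service  enabled enabled
nginx.service   enabled enabled
rpcbind.service enabled enabled
rsyslog.service enabled enabled
sshd.service    enabled enabled
telnet.socket   enabled disabled
"""
# Configuration files as approved in the baseline and as found now (constructed).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/login.defs": b"PASS_MAX_DAYS 90\nUMASK 027\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"Protocol 2\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/login.defs": b"PASS_MAX_DAYS 90\nUMASK 027\n",
}

SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)'
    r'\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

def parse_listeners(ss_text):
    """Set of (proto, local address, port, process) from `ss -tulnp` output."""
    found = set()
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if m:
            found.add((m["proto"], m["addr"], int(m["port"]), m["proc"]))
    return found

def parse_enabled_units(systemctl_text):
    """Set of unit names whose STATE column reads 'enabled'."""
    return {parts[0] for parts in map(str.split, systemctl_text.splitlines())
            if len(parts) >= 2 and parts[1] == "enabled"}

def listener_deviations(observed, approved):
    """Listeners absent from the baseline as (severity, proto, addr, port, process).
    A loopback-only bind is unreachable from the network and rated low, but still
    has to be documented or removed (step 3(c)); a routable bind is rated high."""
    findings = []
    for proto, addr, port, proc in sorted(observed):
        if (proto, port, proc) not in approved:
            severity = "low" if addr in ("127.0.0.1", "[::1]") else "high"
            findings.append((severity, proto, addr, port, proc))
    return findings

def service_deviations(enabled, approved):
    """Enabled units the baseline does not permit (step 3(b))."""
    return sorted(enabled - approved)

def file_deviations(baseline_files, current_files):
    """Files whose current SHA-256 differs from the hash taken at baseline approval (FIM, step 3(e))."""
    baseline_hashes = {p: hashlib.sha256(d).hexdigest() for p, d in baseline_files.items()}
    return sorted(p for p, d in current_files.items()
                  if hashlib.sha256(d).hexdigest() != baseline_hashes.get(p))

def review_host(ss_text, systemctl_text, baseline_files, current_files):
    """Run all three checks; an all-empty report means the host matches its baseline (step 4)."""
    return {
        "listeners": listener_deviations(parse_listeners(ss_text), APPROVED_LISTENERS),
        "services": service_deviations(parse_enabled_units(systemctl_text), APPROVED_SERVICES),
        "files": file_deviations(baseline_files, current_files),
    }

def is_compliant(report):
    return not any(report.values())

if __name__ == "__main__":
    report = review_host(SS_OUTPUT, SYSTEMCTL_OUTPUT, BASELINE_FILES, CURRENT_FILES)
    print(report)
    print("compliant" if is_compliant(report) else "deviations found: request corrective action (step 8)")
```

Run as-is, the report shows the three deviation classes the sample data was built to produce: a Telnet daemon and rpcbind bound to all interfaces (high), a mail listener bound only to loopback (low), and an sshd_config whose hash no longer matches because PermitRootLogin changed. Services are compared as a set difference rather than a substring match so that a unit such as telnet.socket cannot hide behind an approved name, and the file check compares hashes of content rather than modification times, which an attacker can reset. A non-empty report is the evidence that feeds steps (8) through (11).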


SUPPORTING POLICIES & STANDARDS
While there are no policies and standards included in the CSOP, the CSOP is designed to have a 1:1 relationship with the NIST 800-171 Information Security Program (NSP), which contains policies, control objectives, standards and guidelines. It also maps directly to the Secure Controls Framework (SCF) for cybersecurity and privacy controls. Cybersecurity documentation consists of six (6) main parts:

(1) Core policy that establishes management’s intent;
(2) Control objectives that identify leading practices;
(3) Standards that provide quantifiable requirements;
(4) Controls that identify the desired conditions expected to be met;
(5) Procedures / control activities that establish how tasks are performed to meet the requirements established in standards and to meet controls; and
(6) Guidelines that are recommended, but not mandatory.

Cybersecurity Documentation Hierarchy


CYBERSECURITY & PRIVACY FUNCTION OVERVIEW

TEAM STRUCTURE
The [Company Name]’s cybersecurity department is made up of [insert #] distinct teams. Each team focuses on a specific area of cybersecurity:

Team X
o [insert a description of what team x does (e.g., Governance, Risk & Compliance (GRC) team)]
o [insert headcount and geographical breakdown of team x]
o [insert who is the team lead / supervisor / manager of team x]
o [insert any other pertinent facts about team x that would be relevant to this document]

Team Y
o [insert a description of what team y does (e.g., Security Operations Center (SOC) team)]
o [insert headcount and geographical breakdown of team y]
o [insert who is the team lead / supervisor / manager of team y]
o [insert any other pertinent facts about team y that would be relevant to this document]

Team Z
o [insert a description of what team z does (e.g., engineering & architecture team)]
o [insert headcount and geographical breakdown of team z]
o [insert who is the team lead / supervisor / manager of team z]
o [insert any other pertinent facts about team z that would be relevant to this document]

MISSION
To … [insert mission statement here]
Example mission statements:

To deliver high-quality, innovative information security services and solutions that reduce risk across [Company Name].

To ensure technical risk management functions are implemented as part of an ISO 27001-based Information Security Management System (ISMS) in a scalable manner that supports expanding business requirements.

To provide information security engineering and architectural expertise that ensures secure engineering principles exist to allow for secure, scalable solutions throughout [Company Name].

To provide 24x7 monitoring, threat intelligence, incident response and technical support capabilities that are focused on achieving a high level of situational awareness to prevent, detect, respond to and recover from information security incidents with minimal impact to [Company Name].

To provide information security engineering support for [Company Name]’s business initiatives that ensures secure engineering principles exist to allow for secure and scalable solutions throughout [Company Name].

VALUE PROPOSITION
Our value to [Company Name] is based on… [insert value proposition here]
Example value propositions:

… proactively reducing risk to [Company Name] by managing internal and external threats to [Company Name]’s data and systems.

… maintaining evidence of compliance with [Company Name]’s statutory, regulatory and contractual obligations.

… how cybersecurity protects the [Company Name] brand through ensuring the confidentiality, integrity, availability and safety of assets.


KNOWN COMPLIANCE REQUIREMENTS
[Company Name] has certain compliance requirements that all team members need to be aware of:

STATUTORY REQUIREMENTS
[fill-in applicable statutory requirements]
Example statutory requirements include:
Health Insurance Portability and Accountability Act (HIPAA)
Fair & Accurate Credit Transactions Act (FACTA)
Sarbanes-Oxley Act (SOX)
Gramm-Leach-Bliley Act (GLBA)
Children's Online Privacy Protection Act (COPPA)
Family Educational Rights and Privacy Act (FERPA)
Massachusetts 201 CMR 17.00
Oregon Identity Theft Protection Act (ORS 646A)
United Kingdom Data Protection Act (UK DPA)

REGULATORY REQUIREMENTS
[fill-in applicable regulatory requirements]
Example regulatory requirements include:
Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012) – NIST 800-171
Federal Acquisition Regulation (FAR 52.204-21)
European Union General Data Protection Regulation (EU GDPR)
Financial Industry Regulatory Authority (FINRA)
National Industrial Security Program Operating Manual (NISPOM)
Department of Defense Information Assurance Risk Management Framework (DIARMF) (DoDI 8510.01)
Federal Risk and Authorization Management Program (FedRAMP)
New York Department of Financial Services (NY DFS) 23 NYCRR 500
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

CONTRACTUAL REQUIREMENTS
[fill-in applicable contractual requirements]
Example contractual requirements include:
Payment Card Industry Data Security Standard (PCI DSS)
Generally Accepted Privacy Principles (GAPP)
American Institute of CPAs Service Organization Control (AICPA SOC 2)
Center for Internet Security Critical Security Controls (CIS CSC)
Cloud Security Alliance Cloud Controls Matrix (CSA CCM)


DIGITAL SECURITY GOVERNANCE (GOV)

Management Intent: The purpose of the Digital Security Governance (GOV) procedures / control activities is to specify the development, proactive management and ongoing review of [Company Name]’s security and privacy program.

P-GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM
Process Criteria: (this process criteria section (yellow text field) can be deleted, but it will be useful in populating a System Security Plan (SSP) or other system-related documentation; it is meant to be a useful tool to help build the procedure by establishing criteria and creating a working space to capture key components that impact the procedure)

Process Owner: name of the individual or team accountable for the procedure being performed
Process Operator: name of the individual or team responsible for performing the procedure’s tasks
Occurrence: how often does the procedure need to be conducted? Is it something that needs to be performed annually, semi-annually, quarterly, monthly, bi-weekly, weekly, daily, continuously or as needed?
Scope of Impact: what is the potential impact of the procedure? Does it affect a system, application, process, team, department, user, client, vendor, geographic region or the entire company?
Location of Additional Documentation: if applicable, is there a server, link or other repository where additional documentation is stored or can be found?
Performance Target: if applicable, is there a Service Level Agreement (SLA) or targeted timeline for the process to be completed?
Technology in Use: if applicable, what is the name of the application/system/service used to perform the procedure?

Control Objective: The organization develops, implements and governs processes and documentation to facilitate the implementation of an enterprise-wide digital security policy, as well as associated standards, controls and procedures. 3

Control: Mechanisms exist to facilitate the implementation of cybersecurity and privacy governance controls.

Procedure / Control Activity: Systems Security Manager [OV-MGT-001], in conjunction with Security Architect [SP-ARC-002] and Executive Cyber Leadership [OV-EXL-001]:

(1) Develops an organization-wide digital security governance program to provide complete coverage for all cybersecurity and privacy-related controls needed to address statutory, regulatory and contractual obligations, as well as to address possible threats to data and/or assets.

(2) Documents the [Company Name] digital security governance program in a single document, the NIST 800-171 Information Security Program (NSP).

(3) On at least an annual basis, during the [1st, 2nd, 3rd, 4th] quarter of the calendar year, reviews the process for non-conforming instances. As needed, revises processes to address necessary changes and evolving conditions. Whenever the process is updated:
   a. Distributes copies of the change to key personnel; and
   b. Communicates the changes and updates to key personnel.

(4) If necessary, requests corrective action to address identified deficiencies.
(5) If necessary, validates corrective action occurred to appropriately remediate deficiencies.
(6) If necessary, documents the results of corrective action and notes findings.
(7) If necessary, requests additional corrective action to address unremediated deficiencies.

P-GOV-02: PUBLISHING SECURITY & PRIVACY POLICIES
Process Criteria: (this process criteria section (yellow text field) can be deleted, but it will be useful in populating a System Security Plan (SSP) or other system-related documentation; it is meant to be a useful tool to help build the procedure by establishing criteria and creating a working space to capture key components that impact the procedure)

Process Owner: name of the individual or team accountable for the procedure being performed
Process Operator: name of the individual or team responsible for performing the procedure’s tasks
Occurrence: how often does the procedure need to be conducted? Is it something that needs to be performed annually, semi-annually, quarterly, monthly, bi-weekly, weekly, daily, continuously or as needed?

3 NIST 800-53 rev4 PM-1 | ISO 27002 5.1.1 | GAPP 8.2.1 | GLBA 6801(b)(1) | PCI DSS 12.1 & 12.1.1 | MA201CMR17 17.03(1), 17.04 & 17.03(2)(b)(2) | DFARS 252.204-7008 | CCM AIS-04 & GRM-05 | COBIT5 APO13.01, APO13.02 | FINRA S-P (17 CFR §248.30) | NY DFS 500.2 | NISPOM 8-100


Cybersecurity Standardized Operating Procedures (CSOP) - 2018.1 Page 438 of 463

P-WEB-02: USE OF DEMILITARIZED ZONES (DMZ)

Scope of Impact: what is the potential impact of the procedure? Does it affect a system, application, process, team, department, user, client, vendor, geographic region or the entire company?
Location of Additional Documentation: if applicable, is there a server, link or other repository where additional documentation is stored or can be found?
Performance Target: if applicable, is there a Service Level Agreement (SLA) or targeted timeline for the process to be completed?
Technology in Use: if applicable, what is the name of the application/system/service used to perform the procedure?

Control Objective: The organization employs Demilitarized Zones (DMZs) to restrict inbound traffic to authorized devices on certain services, protocols and ports. 455

Control: Mechanisms exist to utilize a Demilitarized Zone (DMZ) to restrict inbound traffic to authorized devices on certain services, protocols and ports.

Procedure / Control Activity: Systems Security Developer [SP-SYS-001], in conjunction with System Administrator [OM-ADM-001] and Security Architect [SP-ARC-002]:

(1) Uses vendor-recommended settings and industry-recognized secure practices to implement and configure Demilitarized Zones (DMZs).

(2) On at least an annual basis, during the [1st, 2nd, 3rd, 4th] quarter of the calendar year, reviews the process for non-conforming instances. As needed, revises processes to address necessary changes and evolving conditions. Whenever the process is updated:
   a. Distributes copies of the change to key personnel; and
   b. Communicates the changes and updates to key personnel.

(3) If necessary, requests corrective action to address identified deficiencies.
(4) If necessary, validates corrective action occurred to appropriately remediate deficiencies.
(5) If necessary, documents the results of corrective action and notes findings.
(6) If necessary, requests additional corrective action to address unremediated deficiencies.
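The control above states only what a DMZ must achieve: inbound traffic reaches authorized devices on specific services, protocols and ports, and nothing else. As an added example (not part of the CSOP and not taken from any vendor guide), the nftables ruleset below expresses that objective on a Linux firewall with three interfaces. The interface names (wan0 = Internet, dmz0 = DMZ, lan0 = internal network), the RFC 5737 documentation address 192.0.2.10 for the DMZ reverse proxy, and the internal addresses 10.10.20.5 (database) and 10.10.10.5 (administrative jump host) are assumptions chosen for the illustration.

```nftables
#!/usr/sbin/nft -f
# Added example of a three-legged DMZ filter. Assumed interfaces: wan0 (Internet),
# dmz0 (DMZ), lan0 (internal). Assumed addresses: 192.0.2.10 DMZ reverse proxy,
# 10.10.20.5 internal database, 10.10.10.5 administrative jump host.
flush ruleset

table inet dmz_filter {
    chain forward {
        # Default deny: any flow not matched by an accept rule below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to sessions that an accept rule already admitted.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web service, only to the proxy host.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept

        # DMZ -> internal: only the proxy, only to the database listener.
        # Weak form to avoid, because it lets a compromised DMZ host reach everything inside:
        #   iifname "dmz0" oifname "lan0" accept
        iifname "dmz0" oifname "lan0" ip saddr 192.0.2.10 ip daddr 10.10.20.5 tcp dport 5432 ct state new accept

        # Internal -> DMZ: SSH administration from the jump host only.
        iifname "lan0" oifname "dmz0" ip saddr 10.10.10.5 ip daddr 192.0.2.10 tcp dport 22 ct state new accept

        # Everything else, including Internet -> internal directly, is logged (rate limited)
        # and then falls through to the chain policy and is dropped.
        limit rate 10/minute log prefix "dmz-fwd-drop: "
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`. The review for step (2) is mechanical: every accept rule in the forward chain names a destination address and port (the "authorized devices on certain services, protocols and ports" of the control objective), no rule accepts wan0 to lan0 traffic, and the only DMZ-to-internal path is a single source, destination and port. Adding a new published service means adding one qualified rule, never widening an existing one.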

CYBERSECURITY OPERATING PROCEDURES (CSOP) APPENDICES

APPENDIX A: GUIDE TO WRITING PROCEDURES The example below shows a good amount of detail that can serve as a handy reference for writing cybersecurity procedures.

455 ISO 27002 13.1.3 | PCI DSS 1.3.1, 1.3.2 & 1.3.4


When you write procedures, focus on getting the job done – it should clearly establish the steps and concisely provide guidance to successfully complete the requirement.

A-1: NECESSARY COMPONENTS FOR WRITTEN PROCEDURES

Good procedure documentation is concise and clear in describing the main elements that are pertinent to address the control objective. When documenting procedures:

Strive to show how completely the activities of the procedure meet the control objective that it is intended to address. Include at least the following elements:

o Why the procedure exists (what requirement compels the work to be performed?)
o Who operates the procedure (who is actually going to do the work?)
o What the assigned operator does (what is the activity intended to do?)
o How the assigned operator does it (what are the actual steps being performed?)
o When the procedure occurs (what is the event trigger or frequency?)

Procedures documentation needs to “stand alone” in describing how the process works:
o It should not describe surrounding processes.
o It should not reference other processes or documentation.

Use descriptive language in “present tense” grammar, as if writing a newspaper article about something occurring right now:

o Use verbs like “is,” “does,” “tests,” “reviews,” and “approves.”
o Avoid verbs in “future tense” like “will do” or “will review” since the reader needs to know about “now.”
o Make use of simple grammar and sentence construction:
  o Assigned operator first (person doing the work), followed by action verb, followed by object.
  o Avoid “passive voice” grammar (e.g., object before verb, “actor” missing, etc.)
  Example passive voice sentence: “The test plan is approved.”
  o There’s no “do-er” (assigned operator) identified; and
  o The verb is the last two words of the sentence.
o Describe the team’s actions, not organizational structures or assertions about other teams.
  o Example to avoid: “XYZ is some-other-team’s responsibility.”


A-2: PROCEDURE MAPPING – BREAKING OUT THE REQUIREMENTS

Control Objective: Only personnel who have a valid business reason are permitted access to applications, systems and resources.

Standard: At the start of each quarter, managers review the list of team member access rights and document issues that are not appropriate for corrective action.

Validation of needed elements to develop the procedure:
o Why: Addresses a quarterly requirement from the Access Control Policy to review access rights.
  • Policy #2: Access Control Policy
  • Standard #2.6.2: Periodic Review
o Who: The team manager operates the procedure / control activity.
o What: A periodic review is performed to ensure proper access rights are granted.
o How: Managers review the access permissions within the XYZ application specific to his/her team members.
o When: At the start of each quarter.
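To show how the mapped elements turn into something a team manager can actually run each quarter, here is an added example of the XYZ access review (it is not part of the CSOP template, and XYZ, the ABC team, its roster and role matrix, and the access export format are all constructed placeholders). The review compares an access export against the team roster and the permissions each role is authorized to hold, produces findings for corrective action, builds the record that would go into the GRC tool, and re-runs itself after remediation to validate that corrective action occurred.

```python
"""Quarterly team access-rights review, as a worked instance of the A-2 mapping:
the team manager (who) compares XYZ application access (what/how) at the start
of each quarter (when) and records findings for corrective action.

Added example; it is not part of the CSOP template. The XYZ access export
format, the role matrix, the ABC team roster and the entries below are all
constructed for illustration.
"""
from dataclasses import asdict, dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessEntry:
    user: str
    application: str
    permission: str


@dataclass(frozen=True)
class Finding:
    user: str
    permission: str
    issue: str     # why the entry has no valid business reason
    action: str    # corrective action the manager requests


# Constructed: permissions each ABC team role is authorized to hold in XYZ.
ROLE_MATRIX: Dict[str, Set[str]] = {
    "analyst": {"xyz:read"},
    "engineer": {"xyz:read", "xyz:write"},
    "lead": {"xyz:read", "xyz:write", "xyz:approve"},
}

# Constructed: the ABC team roster the manager maintains (user -> role).
ROSTER: Dict[str, str] = {"alice": "lead", "bob": "engineer", "carol": "analyst"}

# Constructed: XYZ access export pulled in the first week of the quarter.
ACCESS_EXPORT: List[AccessEntry] = [
    AccessEntry("alice", "XYZ", "xyz:read"),
    AccessEntry("alice", "XYZ", "xyz:approve"),
    AccessEntry("bob", "XYZ", "xyz:write"),
    AccessEntry("bob", "XYZ", "xyz:admin"),      # beyond the engineer role
    AccessEntry("carol", "XYZ", "xyz:read"),
    AccessEntry("dave", "XYZ", "xyz:write"),     # no longer on the ABC team
    AccessEntry("bob", "OTHER", "other:admin"),  # different application, out of scope
]


def review_access(export: List[AccessEntry], roster: Dict[str, str],
                  role_matrix: Dict[str, Set[str]], application: str = "XYZ") -> List[Finding]:
    """Step 1: flag every entry that has no valid business reason, either because
    the user is not on the team roster or the permission exceeds the user's role."""
    findings: List[Finding] = []
    for entry in export:
        if entry.application != application:
            continue
        role = roster.get(entry.user)
        if role is None:
            findings.append(Finding(entry.user, entry.permission, "user not on team roster", "remove access"))
        elif entry.permission not in role_matrix.get(role, set()):
            findings.append(Finding(entry.user, entry.permission, f"exceeds {role} role", "revoke permission"))
    return findings


def apply_corrective_action(export: List[AccessEntry], findings: List[Finding]) -> List[AccessEntry]:
    """Simulate the corrective action requested in step 3: the flagged
    (user, permission) pairs are removed from the application."""
    flagged = {(f.user, f.permission) for f in findings}
    return [e for e in export if (e.user, e.permission) not in flagged]


def review_record(quarter: str, entries_reviewed: int, findings: List[Finding]) -> dict:
    """Evidence record for the GRC tool (steps 2 and 5): that the review occurred,
    how many entries were examined and what was found."""
    return {
        "procedure": "ABC team quarterly XYZ access review",
        "period": quarter,
        "entries_reviewed": entries_reviewed,
        "findings": [asdict(f) for f in findings],
        "corrective_action_required": bool(findings),
    }


if __name__ == "__main__":
    findings = review_access(ACCESS_EXPORT, ROSTER, ROLE_MATRIX)
    reviewed = sum(1 for e in ACCESS_EXPORT if e.application == "XYZ")
    print(review_record("FY-Q1", reviewed, findings))
    # Step 4: validation re-runs the same review on the remediated export
    # and expects no findings; anything left open goes back to step 6.
    remediated = apply_corrective_action(ACCESS_EXPORT, findings)
    print("validated" if not review_access(remediated, ROSTER, ROLE_MATRIX) else "still open")
```

The roster and role matrix are the "valid business reason" from the control objective made explicit; without them the reviewer has nothing to compare the export against, which is why the procedure names the manager (who owns the roster) as the operator.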

A-3: EXAMPLE PROCEDURE (HOW IT ALL COMES TOGETHER)

During the first week of each quarter, ABC Team Manager shall:

1. Review ABC team member access rights during the first week of the FY quarter and document issues that are not appropriate for corrective action.
2. Using [company name]’s Governance, Risk & Compliance (GRC) tool, document the review occurred and note findings.
3. If necessary, request corrective action to address inappropriate ABC team member access to XYZ application.
4. If necessary, validate corrective action occurred to appropriately modify ABC team member access rights to XYZ application.
5. If necessary, document the results of corrective action in [company name] GRC tool and note findings.
6. If necessary, request additional corrective action to address inappropriate ABC team member access to XYZ application.

A-4: CONSIDERATIONS WHEN SCOPING PROCEDURES

Considerations for internal reviews:

o Describe checks that are carried out to validate the data produced by measurement equipment.
o Describe checks that are carried out to confirm that the information technology system is working correctly.
o Describe how maintenance and calibration records are reviewed.
o Describe how training records are reviewed.
o Describe how the measurement and reporting procedures are reviewed.
o Describe how records of corrective actions are reviewed.

Considerations for records keeping and documentation:

Identify all documents and records related to performing operations. This might include management procedures, operating procedures, equipment specifications, equipment manuals, calibration and maintenance certificates and records, responsibilities and training records of personnel, contracts for out-sourced services, data reports and logs, fault reports.

o Describe how different versions of the documents are identified.
o Describe how current versions of documents are identified and access to outdated documents is restricted.
o Describe how documents are reviewed and updated and how new versions are authorized before use.


Considerations for segregation of duties:

o Describe the responsibilities and required competencies of all personnel involved in data flow activities.
o Describe how it is ensured that only personnel with the necessary competencies carry out the relevant responsibilities for data flow activities.
o Describe how process responsibilities are segregated from control responsibilities (duties devolved to different persons).
o Describe how personnel changes are managed.

Considerations for information technology systems:

o Describe the measures undertaken to ensure that equipment is correctly installed and operated, in accordance with the manufacturer’s recommendations so that it can achieve the necessary recording frequency, data storage quantity and data processing requirements.
o Describe how individual equipment items (components) are identified and recorded so that they are traceable.
o Describe measures such as backup power supplies installed to ensure security of operation.
o Describe measures such as data back up and off-site storage to ensure data security.
o Describe the arrangements for maintenance, including how maintenance is scheduled and recorded and how it is ensured that scheduled maintenance activities are carried out.
o Describe backup data recording and processing arrangements that can be used if the information technology system malfunctions.


APPENDIX B: AVAILABLE TOOLS & SERVICES

Note: The section below is purposely blank. It requires [Company Name] personnel to document the tools & services that are available to operationalize the CSOP. Consider this section a “living document” where it is expected to change, as business processes and technologies change. Think of it as a cheat sheet to bring staff members up to speed quickly on what is available.

The XXXX team has the following tool(s) available to it:

B-1: TOOL / SERVICE 1
Tool/service description

B-2: TOOL / SERVICE 2
Tool/service description

B-3: TOOL / SERVICE 3
Tool/service description

B-4: TOOL / SERVICE 1
Tool/service description

B-5: TOOL / SERVICE 2
Tool/service description

B-6: TOOL / SERVICE 3
Tool/service description


APPENDIX C: KEY STAKEHOLDERS

Note: The section below is purposely blank. It requires [Company Name] personnel to document who the key stakeholders for the CSOP are – including departments and individuals. Consider this section a “living document” where it is expected to change, as business processes change. Think of it as a cheat sheet to bring staff members up to speed quickly on who the key players are for cybersecurity and privacy at [Company Name].

C-1: CYBERSECURITY

C-1.1: Vulnerability Management
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-2: INFORMATION TECHNOLOGY (IT)

C-2.1: End User Devices
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-2.2: Infrastructure Support
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-2.3: Application Support
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-3: RETAIL SUPPORT

C-3.1: eCommerce
The primary contacts within this team are:

Name


o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-3.2: Retail
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-3.3: Business To Business (B2B)
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-3.4: Business To Suppliers (B2S)
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-4: VENDORS / SERVICE PROVIDERS

C-4.1: Vendor 1
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-4.2: Vendor 2
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-5: LEGAL

C-5.1: Contract Review
The primary contacts within this team are:


Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-5.2: Privacy
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-6: PROCUREMENT

C-6.1: Contracts
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-6.2: Vendor Management
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-7: HUMAN RESOURCES

C-7.1: Employee Relations
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-7.2: Awareness & Training
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.


C-8: PHYSICAL SECURITY

C-8.1: Facilities Management
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.

C-8.2: Security Office
The primary contacts within this team are:

Name
o Title
o Description of interaction.

Name
o Title
o Description of interaction.