ISO 17799:2005 mapped to COBIT 4.1, Sarbanes-Oxley (COSO), HIPAA Requirements and GLBA

The original is a five-column table. Each entry below is one row: the ISO 17799:2005 section and its objective, then the related COBIT 4.1 processes (the COBIT domain is given in square brackets), the Sarbanes-Oxley/COSO components, the HIPAA Security Rule items (Security Standard, Physical Standard and Technical Standard correspond to the administrative, physical and technical safeguards of 45 CFR 164.308, 164.310 and 164.312; (R) marks a required and (A) an addressable implementation specification) and the GLBA information security guideline sections. N/A means the row maps to nothing in that column.

Section 4: Risk Assessment and Treatment

4.1 Assessing Security Risks
Objective: Identify, quantify and prioritize risks against criteria for risk acceptance relevant to the organization.
COBIT 4.1: [Plan and Organize] PO9 Assess and Manage IT Risks; [Monitor and Evaluate] ME3 Ensure Regulatory Compliance, ME4 Provide IT Governance.
Sarbanes-Oxley (COSO): Risk Assessment; Objective Setting; Event Identification.
HIPAA: [Security Standard] a)1. Risk Analysis (R).
GLBA: III.B. Assess Risk.

4.2 Treating Security Risks
Objective: Determine risk treatment options: apply appropriate controls, accept risks, avoid risks or transfer risk to other parties.
COBIT 4.1: [Plan and Organize] PO9 Assess and Manage IT Risks; [Monitor and Evaluate] ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control.
Sarbanes-Oxley (COSO): Risk Response; Event Identification.
HIPAA: [Security Standard] a)1. Risk Management (R).
GLBA: III.C. Manage and Control Risk.

Section 5: Security Policy

5.1 Information Security Policy
Objective: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy should be reviewed at planned intervals.
COBIT 4.1: [Plan and Organize] PO1 Define a Strategic IT Plan, PO4 Define the IT Processes, Organization and Relationships, PO6 Communicate Management Aims and Direction, PO7 Manage IT Human Resources.
Sarbanes-Oxley (COSO): Internal Environment; Objective Setting; Risk Assessment.
HIPAA: [Security Standard] a)1. Sanction Policy (R); a)2. Assigned Security Responsibility (R).
GLBA: II.A. Information Security Program; II.B. Objectives; III.A. Involve Board of Directors.

Section 6: Organization of Information Security

6.1 Internal Organization
Objective: A management framework should be established to initiate and control the implementation of information security within the organization.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities; Information and Communication.
HIPAA: [Security Standard] a)1. Information System Activity Review (R); a)2. Assigned Security Responsibility (R).
GLBA: II.A. Information Security Program; II.B. Objectives; III.A. Involve Board of Directors; III.C. Manage and Control Risk; III.F. Report to the Board.

6.2 External Parties
Objective: To maintain the security of information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
COBIT 4.1: [Plan and Organize] PO8 Manage Quality; [Deliver and Support] DS1 Define and Manage Service Levels, DS2 Manage Third-Party Services, DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Internal Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring.
HIPAA: [Security Standard] b)1. Written Contract or Other Arrangement (R).
GLBA: III.C. Manage and Control Risk; III.D. Oversee Service Provider Arrangements.

Section 7: Asset Management

7.1 Responsibility for Assets
Objective: All assets should be accounted for and have a nominated owner.
COBIT 4.1: [Plan and Organize] PO4 Define the IT Processes, Organization and Relationships.
Sarbanes-Oxley (COSO): Control Activities.
HIPAA: [Physical Standard] d)2. Device and Media Controls - Accountability (A).
GLBA: N/A.

7.2 Information Classification
Objective: Information should be classified to indicate the need, priorities and expected degree of protection.
COBIT 4.1: [Plan and Organize] PO2 Define the Information Architecture, PO9 Assess and Manage IT Risks; [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Risk Assessment; Event Identification.
HIPAA: [Security Standard] a)1. Risk Analysis (R); a)1. Risk Management (R).
GLBA: N/A.

Section 8: Human Resources Security

8.1 Prior to Employment
Objective: To ensure that employees, contractors, and third party users understand responsibilities, and are suitable for their roles.
COBIT 4.1: [Plan and Organize] PO7 Manage IT Human Resources; [Deliver and Support] DS12 Manage the Physical Environment.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities; Information and Communication.
HIPAA: [Security Standard] a)1. Sanction Policy (R); a)3. Authorization and/or Supervision (A); a)3. Workforce Clearance Procedure (A).
GLBA: III.C. Manage and Control Risk.

8.2 During Employment
Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, and are equipped to support security policy in the course of their normal work.
COBIT 4.1: [Plan and Organize] PO7 Manage IT Human Resources; [Deliver and Support] DS7 Educate and Train Users.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities; Information and Communication.
HIPAA: [Security Standard] a)5. Security Reminders (A).
GLBA: III.C. Manage and Control Risk.

8.3 Termination or Change of Employment
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
COBIT 4.1: [Plan and Organize] PO4 Define the IT Processes, Organization and Relationships, PO7 Manage IT Human Resources.
Sarbanes-Oxley (COSO): N/A.
HIPAA: [Security Standard] a)3. Termination Procedures (A).
GLBA: N/A.
All rights reserved, Valores Corporativos Softtek S.A. de C.V. 2011. Confidential.

Section 9: Physical and Environmental Security

9.1 Secure Areas
Objective: To prevent unauthorized physical access, damage, and interference to the organization's premises and information.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security, DS11 Manage Data, DS12 Manage the Physical Environment.
Sarbanes-Oxley (COSO): Control Activities; Information and Communication; Monitoring.
HIPAA: [Security Standard] a)3. Authorization and/or Supervision (A); a)3. Workforce Clearance Procedure (A). [Physical Standard] a)1. Facility Access Control; a)2. Facility Security Plan; a)2. Access Control and Validation Procedures (A).
GLBA: III.C. Manage and Control Risk.

9.2 Equipment Security
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.
COBIT 4.1: [Deliver and Support] DS3 Manage Performance and Capacity, DS4 Ensure Continuous Service.
Sarbanes-Oxley (COSO): Control Activities; Information and Communication.
HIPAA: [Physical Standard] a)1. Facility Access Control; b) Workstation Use (R); c) Workstation Security; d)1. Device and Media Controls - Disposal (R); d)2. Media Re-use (R); d)2. Device and Media Controls - Accountability (A).
GLBA: III.C. Manage and Control Risk.

Section 10: Communications and Operations Management

10.1 Operational Procedures and Responsibilities
Objective: To ensure the correct and secure operation of information processing facilities, including segregation of duties and change management functions.
COBIT 4.1: [Plan and Organize] PO4 Define the IT Processes, Organization and Relationships; [Acquire and Implement] AI6 Manage Changes; [Deliver and Support] DS4 Ensure Continuous Service, DS13 Manage Operations.
Sarbanes-Oxley (COSO): Internal Environment; Risk Response; Control Activities; Monitoring.
HIPAA: [Security Standard] a)1. Information System Activity Review (R); a)1. Sanction Policy (R); a)2. Assigned Security Responsibility (R); b)1. Written Contract or Other Arrangement (R); a)6. Response and Reporting (R). [Physical Standard] a)2. Contingency Operations (R).
GLBA: III.C. Manage and Control Risk.

10.2 Third Party Service Delivery Management
Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
COBIT 4.1: [Plan and Organize] PO4 Define the IT Processes, Organization and Relationships, PO8 Manage Quality, PO10 Manage Projects; [Deliver and Support] DS1 Define and Manage Service Levels, DS2 Manage Third-Party Services.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities.
HIPAA: [Security Standard] b)1. Written Contract or Other Arrangement (R).
GLBA: III.D. Oversee Service Provider Arrangements.

10.3 System Planning and Acceptance
Objective: To minimize the risk of system failures.
COBIT 4.1: [Deliver and Support] DS3 Manage Performance and Capacity, DS4 Ensure Continuous Service.
Sarbanes-Oxley (COSO): Control Activities; Monitoring.
HIPAA: N/A.
GLBA: III.C. Manage and Control Risk.

10.4 Protection Against Malicious and Mobile Code
Objective: Precautions are required to prevent and detect the introduction of malicious code and unauthorized mobile code.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security, DS8 Manage Service Desk and Incidents, DS9 Manage the Configuration, DS10 Manage Problems.
Sarbanes-Oxley (COSO): Control Activities; Event Identification; Information and Communication.
HIPAA: [Security Standard] a)4. Access Establishment and Modification (A); a)5. Protection from Malicious Software.
GLBA: III.C. Manage and Control Risk.

10.5 Back-up
Objective: Routine procedures for implementing the back-up policy and strategy.
COBIT 4.1: [Deliver and Support] DS4 Ensure Continuous Service, DS11 Manage Data.
Sarbanes-Oxley (COSO): Event Identification; Control Activities; Monitoring.
HIPAA: [Security Standard] a)7. Data Backup Plan (R); a)7. Disaster Recovery Plan (R); a)7. Emergency Mode Operation Plan (R); a)7. Testing and Revision Procedure (A). [Physical Standard] a)2. Contingency Operations (R); a)2. Data Backup and Storage (A).
GLBA: III.C. Manage and Control Risk.

10.6 Network Security Management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Risk Assessment; Control Activities; Monitoring.
HIPAA: [Technical Standard] a)2. Encryption and Decryption (A); e)1. Transmission Security; e)2. Integrity Controls (A).
GLBA: III.C. Manage and Control Risk.

10.7 Media Handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Control Activities; Information and Communication.
HIPAA: [Physical Standard] d)1. Device and Media Controls - Disposal (R); d)2. Media Re-use (R); d)2. Device and Media Controls - Accountability (A).
GLBA: III.C. Manage and Control Risk.

10.8 Exchange of Information
Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Risk Assessment; Risk Response; Control Activities; Information and Communication; Monitoring.
HIPAA: [Security Standard] b)1. Written Contract or Other Arrangement (R). [Technical Standard] a)2. Encryption and Decryption (A); d) Person or Entity Authentication (R); e)1. Transmission Security; e)2. Integrity Controls (A).
GLBA: III.C. Manage and Control Risk.

10.9 Electronic Commerce Services
Objective: To ensure the security of electronic commerce services, and their secure use.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Event Identification; Control Activities.
HIPAA: N/A.
GLBA: III.C. Manage and Control Risk.

10.10 Monitoring
Objective: To detect unauthorized information processing activities, including review of operator logs and fault logging.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security; [Monitor and Evaluate] ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control.
Sarbanes-Oxley (COSO): Control Activities; Monitoring.
HIPAA: [Security Standard] a)5. Log-in Monitoring (A); a)1. Information System Activity Review (R); b)8. Audit Controls (R).
GLBA: III.C. Manage and Control Risk.

Section 11: Access Control

11.1 Business Requirement for Access Control
Objective: Establish, document and review access control policies and rules.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities.
HIPAA: [Security Standard] a)4. Access Authorization (A).
GLBA: III.C. Manage and Control Risk.

11.2 User Access Management
Objective: Formal procedures to control the allocation of access rights to information systems and services.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Control Activities; Monitoring.
HIPAA: [Security Standard] a)4. Access Authorization (A); a)4. Access Establishment and Modification (A); a)5. Password Management (A). [Technical Standard] a)2. Unique User Identification (R).
GLBA: III.C. Manage and Control Risk.

11.3 User Responsibilities
Objective: User awareness, particularly with the use of passwords and the security of equipment.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities.
HIPAA: [Security Standard] a)5. Password Management (A). [Physical Standard] b) Workstation Use (R); c) Workstation Security.
GLBA: III.C. Manage and Control Risk.

11.4 Network Access Control
Objective: Ensure that appropriate interfaces and authentication mechanisms to networked services are in place.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities; Monitoring.
HIPAA: [Security Standard] a)5. Password Management (A). [Technical Standard] c)2. Mechanism to Authenticate Electronic Protected Health Information (A); d) Person or Entity Authentication.

11.5 Operating System Access Control
Objective: To prevent unauthorized access to operating systems. Some methods include: ensure quality passwords, user authentication, and the recording of successful and failed system accesses.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities; Monitoring.
HIPAA: [Security Standard] a)4. Access Establishment and Modification (A); a)5. Password Management (A). [Technical Standard] a)2. Unique User Identification (R); a)2. Automatic Logoff (A); d) Person or Entity Authentication.
GLBA: III.C. Manage and Control Risk.

11.6 Application and Information Access Control
Objective: To prevent unauthorized access to information held in application systems.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Control Activities; Monitoring.
HIPAA: [Security Standard] a)4. Access Establishment and Modification (A); a)5. Password Management (A). [Technical Standard] a)2. Unique User Identification (R); d) Person or Entity Authentication.
GLBA: III.C. Manage and Control Risk.

11.7 Mobile Computing and Teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities; Monitoring.
HIPAA: [Security Standard] a)4. Access Establishment and Modification (A).

Section 12: Information Systems Acquisition, Development, and Maintenance

12.1 Security Requirements of Information Systems
Objective: To ensure that security is built into information systems, including infrastructure, business applications and user-developed applications.
COBIT 4.1: [Acquire and Implement] AI2 Acquire and Maintain Application Software, AI3 Acquire and Maintain Technology Infrastructure.
Sarbanes-Oxley (COSO): Control Activities; Monitoring.
HIPAA: N/A.
GLBA: N/A.

12.2 Correct Processing in Applications
Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
COBIT 4.1: [Acquire and Implement] AI2 Acquire and Maintain Application Software.
Sarbanes-Oxley (COSO): Control Activities.
HIPAA: [Technical Standard] e)2. Transmission Security - Integrity Controls (A).
GLBA: III.C. Manage and Control Risk.

12.3 Cryptographic Controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Control Activities; Monitoring.
HIPAA: [Technical Standard] a)2. Encryption and Decryption (A); e)2. Transmission Security - Encryption (A).
GLBA: III.C. Manage and Control Risk.

12.4 Security of System Files
Objective: To ensure security of system files.
COBIT 4.1: [Acquire and Implement] AI6 Manage Changes; [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Control Activities; Information and Communication; Monitoring.
HIPAA: N/A.

12.5 Security in Development and Support Processes
Objective: Project and support environments should be strictly controlled.
COBIT 4.1: [Acquire and Implement] AI6 Manage Changes; [Deliver and Support] DS5 Ensure Systems Security.
Sarbanes-Oxley (COSO): Control Activities; Monitoring.
HIPAA: N/A.
GLBA: N/A.

12.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
COBIT 4.1: [Plan and Organize] PO9 Assess and Manage IT Risks; [Deliver and Support] DS2 Manage Third-Party Services, DS4 Ensure Continuous Service, DS5 Ensure Systems Security, DS9 Manage the Configuration; [Monitor and Evaluate] ME1 Monitor and Evaluate IT Performance.
Sarbanes-Oxley (COSO): N/A.
HIPAA: [Security Standard] a)6. Response and Reporting (R).
GLBA: III.C. Manage and Control Risk.

Section 13: Information Security Incident Management

13.1 Reporting Information Security Events and Weaknesses
Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security, DS8 Manage Service Desk and Incidents, DS10 Manage Problems; [Monitor and Evaluate] ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control.
Sarbanes-Oxley (COSO): N/A.
HIPAA: [Security Standard] a)6. Response and Reporting (R).
GLBA: III.C. Manage and Control Risk.

13.2 Management of Information Security Incidents and Improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
COBIT 4.1: [Deliver and Support] DS5 Ensure Systems Security, DS8 Manage Service Desk and Incidents, DS10 Manage Problems; [Monitor and Evaluate] ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control.
Sarbanes-Oxley (COSO): N/A.
HIPAA: N/A.
GLBA: III.C. Manage and Control Risk.

Section 14: Business Continuity Management

14.1 Information Security Aspects of Business Continuity Management
Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters, and to ensure their timely resumption.
COBIT 4.1: [Deliver and Support] DS4 Ensure Continuous Service, DS10 Manage Problems, DS11 Manage Data.
Sarbanes-Oxley (COSO): Event Identification; Risk Response; Control Activities; Information and Communication; Monitoring.
HIPAA: [Security Standard] a)7. Disaster Recovery Plan (R); a)7. Testing and Revision Procedures (A); a)7. Applications and Data Criticality Analysis (A).
GLBA: III.C. Manage and Control Risk.

Section 15: Compliance

15.1 Compliance with Legal Requirements
Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
COBIT 4.1: [Monitor and Evaluate] ME3 Ensure Regulatory Compliance, ME4 Provide IT Governance.
Sarbanes-Oxley (COSO): Internal Environment; Event Identification; Risk Assessment; Control Activities; Information and Communication; Monitoring.
HIPAA: [Security Standard] a)1. Sanction Policy (R); a)6. Response and Reporting (R); b)1. Written Contract or Other Arrangement (R).
GLBA: III.C. Manage and Control Risk; III.F. Report to the Board.

15.2 Compliance with Security Policies and Standards, and Technical Compliance
Objective: To ensure compliance of systems with organizational security policies and standards.
COBIT 4.1: [Acquire and Implement] AI7 Install and Accredit Solutions and Changes; [Monitor and Evaluate] ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control, ME4 Provide IT Governance.
Sarbanes-Oxley (COSO): Internal Environment; Control Activities; Monitoring.
HIPAA: [Security Standard] a)8. Technical Evaluation that measures compliance with security requirements (R).
GLBA: III.C. Manage and Control Risk; III.E. Adjust the Program; III.F. Report to the Board.

15.3 Information Systems Audit Considerations
Objective: To maximize the effectiveness of, and to minimize interference to/from, the information systems audit process.
COBIT 4.1: [Monitor and Evaluate] ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control, ME4 Provide IT Governance.
Sarbanes-Oxley (COSO): Monitoring.
HIPAA: [Security Standard] b)8. Audit Controls (R).
GLBA: III.C. Manage and Control Risk; III.F. Report to the Board.