Escolar Documentos
Profissional Documentos
Cultura Documentos
Compliance - Audit
Planning
Compliance Independent
Audits
Compliance - Third
Party Audits
CO-04 Liaisons and points of contact with local authorities shall be NIST SP800-53 R3 AT-5
maintained in accordance with business and customer
NIST SP800-53 R3 IR-6
requirements and compliance with legislative, regulatory, NIST SP800-53 R3 SI-5
and contractual requirements. Data, objects, applications,
infrastructure and hardware may be assigned legislative
domain and jurisdiction to facilitate proper compliance
points of contact.
Compliance Information
System Regulatory
Mapping
CO-05 Statutory, regulatory, and contractual requirements shall be NIST SP800-53 R3 AU-11
defined for all elements of the information system. The
NIST SP800-53 R3 AC-4
organization's approach to meet known requirements, and
adapt to new mandates shall be explicitly defined,
documented, and kept up to date for each information
system element in the organization. Information system
elements may include data, objects, applications,
infrastructure and hardware. Each element may be
assigned a legislative domain and jurisdiction to facilitate
proper compliance mapping.
Compliance Intellectual
Property
DG-01 All data shall be designated with stewardship with assigned NIST SP800-53 R3 PS-2
responsibilities defined, documented and communicated. NIST SP800-53 R3 RA-2
NIST SP800-53 R3 SA-2
Data Governance - DG-03 Polices and procedures shall be established for labeling,
Handling / Labeling
handling and security of data and objects which contain
/ Security Policy
data. Mechanisms for label inheritance shall be
implemented for objects that acts as aggregate containers
for data.
02/12/2015
1 of 18
Control Area
02/12/2015
DG-07 Security mechanisms shall be implemented to prevent data NIST SP800-53 R3 AU-13
leakage.
NIST SP800-53 R3 PE-19
NIST SP800-53 R3 SA-8
NIST SP800-53 R3 SI-7
FS-01
FS-02
FS-04
FS-05
Ingress and egress points such as service areas and other NIST SP800-53 R3 PE-16
points where unauthorized personnel may enter the
premises shall be monitored, controlled and, if possible,
isolated from data storage and processing facilities to
percent unauthorized data corruption, compromise and
loss.
FS-06
FS-03
2 of 18
Control Area
02/12/2015
FS-07
Policies and procedures shall be established for securing NIST SP800-53 R3 AC-17
and asset management for the use and secure disposal of NIST SP800-53 R3 PE-1
equipment maintained and used outside the organization's
premise.
FS-08
Human Resources
Security Background
Screening
HR-01
Pursuant to local laws, regulations, ethics and contractual NIST SP800-53 R3 PS-2
constraints all employment candidates, contractors and
NIST SP800-53 R3 PS-3
third parties will be subject to background verification
proportional to the data classification to be accessed, the
business requirements and the calculated risks.
Human Resources
Security Employment
Agreements
HR-02
Human Resources
Security Employment
Termination
HR-03
Information
Security Management
Program
IS-01
Information
Security Management
Support /
Involvement
IS-02
Executive and line management shall take formal action to NIST SP800-53 R3 CM-1
support information security through clear documented
NIST SP800-53 R3 PM-1
direction, commitment, explicit assignment and verification NIST SP800-53 R3 PM-11
of assignment execution
3 of 18
Control Area
02/12/2015
Information
Security - Policy
IS-03
Information
Security - Baseline
Requirements
IS-04
Information
Security - Policy
Reviews
IS-05
Management shall review the information security policy at NIST SP800-53 R3 PL-1
regular planned intervals or if changes occur that threaten NIST SP800-53 R3 AC-1
to compromise its continuing effectiveness and accuracy. NIST SP800-53 R3 AU-1
NIST SP800-53 R3 AT-1
NIST SP800-53 R3 IA-5
NIST SP800-53 R3 PM-10
Information
Security - Policy
Enforcement
IS-06
Information
Security - User
Access Policy
IS-07
User access policies and procedures shall be documented, NIST SP800-53 R3 AC-1
approved and implemented for granting and revoking
NIST SP800-53 R3 IA-1
normal and privileged access to applications, databases, NIST SP800-53 R3 AC-17
and server and network infrastructure in accordance with
business, security, compliance and service level
agreement (SLA) requirements.
4 of 18
Control Area
02/12/2015
Information
Security - User
Access
Restriction /
Authorization
IS-08
Information
Security - User
Access Revocation
IS-09
Information
Security - User
Access Reviews
IS-10
Information
Security Training /
Awareness
IS-11
Information
Security - Industry
Knowledge /
Benchmarking
IS-12
Information
Security - Roles /
Responsibilities
IS-13
Information
Security Management
Oversight
IS-14
5 of 18
Control Area
02/12/2015
Information
Security Segregation of
Duties
IS-15
Information
Security - User
Responsibility
IS-16
Information
Security Workspace
IS-17
Information
Security Encryption
IS-18
Information
Security Encryption Key
Management
IS-19
Information
Security Vulnerability /
Patch
Management
IS-20
Information
Security - AntiVirus / Malicious
Software
IS-21
Information
Security - Incident
Management
IS-22
Information
Security - Incident
Reporting
IS-23
6 of 18
Control Area
02/12/2015
Information
Security - Incident
Response Legal
Preparation
IS-24
Information
Security - Incident
Response Metrics
IS-25
Information
Security Acceptable Use
IS-26
Information
Security - Asset
Returns
IS-27
Employees, contractors and third party users must return NIST SP800-53 R3 PS-4
all assets owned by the organization within a defined and
documented time frame once the employment, contract or
agreement has been terminated.
Information
Security eCommerce
Transactions
IS-28
Information
Security - Audit
Tools Access
IS-29
Access to, and use of, audit tools that interact with the
NIST SP800-53 R3 AU-9
organizations information systems shall be constrained
NIST SP800-53 R3 AU-11
and restricted to prevent compromise and misuse of data. NIST SP800-53 R3 AU-14
Information
Security Diagnostic /
Configuration Ports
Access
IS-30
Information
Security - Network
Services
IS-31
Service level, capacity, security elements and management NIST SP800-53 R3 SC-20
requirement of all network services shall be identified,
NIST SP800-53 R3 SC-21
documented and included in any network service
NIST SP800-53 R3 SC-22
agreement regardless of service origin (e.g.. PaaS, IaaS, NIST SP800-53 R3 SC-23
SaaS, DaaS, hosted, collocated or outsourced).
NIST SP800-53 R3 SC-24
Information
Security Portable / Mobile
Devices
IS-32
Information
Security - Source
Code Access
Restriction
IS-33
Access to application, program or object source code shall NIST SP800-53 R3 CM-5
be restricted to authorized personnel on a need to know
NIST SP800-53 R3 CM-6
basis. Records shall be maintained regarding the individual
granted access, reason for access and version of source
code exposed.
7 of 18
Control Area
02/12/2015
Information
Security - Utility
Programs Access
IS-34
Legal - NonDisclosure
Agreements
LG-01
LG-02
Operations
Management Policy
OP-01
Operations
Management Documenation
OP-02
Operations
Management Capacity /
Resource Planning
OP-03
Operations
Management Equipment
Maintenance
OP-04
Policies and procedures shall be established for equipment NIST SP800-53 R3 MA-2
maintenance ensuring continuity and availability of
NIST SP800-53 R3 MA-3
operations.
NIST SP800-53 R3 MA-4
NIST SP800-53 R3 MA-5
NIST SP800-53 R3 MA-6
8 of 18
Control Area
02/12/2015
Risk Management
- Program
RI-01
Risk Management
- Assessments
RI-02
Risk Management
- Mitigation /
Acceptance
RI-03
Risk Management
- Business / Policy
Change Impacts
RI-04
Risk assessment results shall include updates to security NIST SP800-53 R3 RA-2
policies, procedures, standards and controls to ensure they NIST SP800-53 R3 RA-3
remain relevant and effective.
Risk Management
- Third Party
Access
RI-05
Release
Management New
Development /
Acquisition
Release
Management Production
Changes
9 of 18
Control Area
02/12/2015
Release
Management Quality Testing
RM-03 A program for the systematic monitoring and evaluation to NIST SP800-53 R3 SA-3
ensure that standards of quality are being met shall be
NIST SP800-53 R3 SA-13
established for all software developed by the organization.
Quality evaluation and acceptance criteria for information
systems, upgrades, and new versions shall be established,
documented and tests of the system(s) shall be carried out
both during development and prior to acceptance to
maintain security. Management shall have a clear oversight
capacity in the quality testing process with the final product
being certified as "fit for purpose" (the product should be
suitable for the intended purpose) and "right first time"
(mistakes should be eliminated) prior to release.
Release
Management Outsourced
Development
RM-04 A program for the systematic monitoring and evaluation to NIST SP800-53 R3 SA-4
ensure that standards of quality are being met shall be
established for all outsourced software development. The
development of all outsourced software shall be
supervised and monitored by the organization and must
include security requirements, independent security review
of the outsourced environment by a certified individual,
certified security training for outsourced software
developers, and code reviews. Certification for the
purposes of this control shall be defined as either a
ISO/IEC 17024 accredited certification or a legally
recognized license or certification in the legislative
jurisdiction the organization outsourcing the development
has chosen as its domicile.
Release
Management Unauthorized
Software
Installations
Resiliency Management
Program
RS-01
Policy, process and procedure defining business continuity NIST SP800-53 R3 CP-1
and disaster recovery shall be put in place to minimize the NIST SP800-53 R3 CP-2
impact of a realized risk event on the organization to an
acceptable level and facilitate recovery of information
assets (which may be the result of, for example, natural
disasters, accidents, equipment failures, and deliberate
actions) through a combination of preventive and recovery
controls, in accordance with regulatory, statutory,
contractual, and business requirements and consistent
with industry standards. This Resiliency management
program shall be communicated to all organizational
participants with a need to know basis prior to adoption
and shall also be published, hosted, stored, recorded and
disseminated to multiple facilities which must be accessible
in the event of an incident.
10 of 18
Control Area
02/12/2015
Resiliency - Impact
Analysis
RS-02
Resiliency Business
Continuity
Planning
RS-03
Resiliency Business
Continuity Testing
RS-04
Resiliency Environmental
Risks
RS-05
Resiliency Equipment
Location
RS-06
11 of 18
Control Area
02/12/2015
RS-07
Resiliency Power /
Telecommunication
s
RS-08
Security
Architecture Customer Access
Requirements
SA-01
Security
Architecture - User
ID Credentials
SA-02
Security
Architecture - Data
Security / Integrity
SA-03
12 of 18
Control Area
02/12/2015
Security
Architecture Application
Security
SA-04
Security
Architecture - Data
Integrity
SA-05
Security
Architecture Production / NonProduction
Environments
SA-06
Security
Architecture Remote User
Multi-Factor
Authentication
SA-07
Security
Architecture Network Security
SA-08
Security
Architecture Segmentation
SA-09
13 of 18
Control Area
02/12/2015
Security
Architecture Wireless Security
SA-10
Security
Architecture Shared Networks
SA-11
Access to systems with shared network infrastructure shall NIST SP800-53 R3 SC-7
be restricted to authorized personnel in accordance with
security policies, procedures and standards. Networks
shared with external entities shall have a documented plan
detailing the compensating controls used to separate
network traffic between organizations.
Security
Architecture Clock
Synchronization
SA-12
An external accurate, externally agreed upon, time source NIST SP800-53 R3 AU-1
shall be used to synchronize the system clocks of all
NIST SP800-53 R3 AU-8
relevant information processing systems within the
organization or explicitly defined security domain to
facilitate tracing and reconstitution of activity timelines.
Note: specific legal jurisdictions and orbital storage and
relay platforms (US GPS & EU Galileo Satellite Network)
may mandate a reference clock that differs in
synchronization with the organizations domicile time
reference, in this event the jurisdiction or platform is
treated as an explicitly defined security domain.
Security
Architecture Equipment
Identification
SA-13
Security
Architecture - Audit
Logging / Intrusion
Detection
SA-14
Security
Architecture Mobile Code
SA-15
Mobile code shall be authorized before its installation and NIST SP800-53 R3 SC-18
use, and the configuration shall ensure that the authorized
mobile code operates according to a clearly defined
security policy. All unauthorized mobile code shall be
prevented from executing.
14 of 18
CSA CM v2.0
Compliance Mapping Reference
trol Objectives for Information and related Technology (COBIT), Version 4.1 (2007)
//www.isaca.org
eloped by the IT Governance Institute, COBIT is a framework and supporting tool to bridge the gap with respect to control requirements, technical issues and business risks, and
municate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. The process structure of CO
its high-level, business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules
//www.hhs.gov/ocr/privacy/
HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the
e time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. The Security Rule specifie
s of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
national Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27002:2005 -- Information technology -- Security techniques -- Code o
tice for Information Security Management
//www.iso.org/iso/iso_catalogue.htm
02/12/2015
15 of 18
PUBLIC RELEASE
FOR COMMENT
CSA CM v2.0
Compliance Mapping Reference
IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The
ctives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives an
rols in the following areas of information security management:
curity policy
ganization of information security
set management
uman resources security
ysical and environmental security
ommunications and operations management
cess control
ormation systems acquisition, development and maintenance
ormation security incident management
siness continuity management
ompliance
IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC
99:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002.
02/12/2015
16 of 18
PUBLIC RELEASE
FOR COMMENT
CSA CM v2.0
Compliance Mapping Reference
onal Institute of Technology (NIST) Special Publication 800-53 -- Recommended Security Controls for Federal Information Systems, Revision 2 (Dec 2007)
//csrc.nist.gov/publications/PubsSPs.html
purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal governmen
guidelines apply to all components of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure
mation systems within the federal government by:
cilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems;
oviding a recommendation for minimum security controls for information systems categorized in accordance with Federal Information Processing Standards (FIPS) 199, Standards f
urity Categorization of Federal Information and Information Systems;
oviding a stable, yet flexible catalog of security controls for information systems to meet current organizational protection needs and the demands of future protection needs based o
nging requirements and technologies; and
eating a foundation for the development of assessment methods and procedures for determining security control effectiveness.
ment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures, Version 1.2 (Oct 2008)
s://www.pcisecuritystandards.org/index.shtml
PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. This document, PCI Da
urity Standard Requirements and Security Assessment Procedures, uses as its foundation the 12 PCI DSS requirements, and combines them with corresponding testing procedures
a security assessment tool. It is designed for use by assessors conducting onsite reviews for merchants and service providers who must validate compliance with the PCI DSS.
02/12/2015
17 of 18
PUBLIC RELEASE
FOR COMMENT
CSA CM v2.0
Compliance Mapping Reference
national Standards
O/IEC 27003:2010, Information technology -- Security techniques -- Information security management system implementation guidance
O/IEC 27033-1:2009, Information technology -- Security techniques -- Network security -- Part 1: Overview and concepts
O/IEC 19792:2009, Information technology -- Security techniques -- Security evaluation of biometrics
O 31000:2009, Risk management -- Principles and guidelines
O 9001:2008, Quality management systems -- Requirements
O 14001:2004, Environmental management systems - Requirements with guidance for use
O 27799:2008, Health informatics -- Information security management in health using ISO/IEC 27002
S 25999:2007, Business continuity management
//www.iso.org/iso/iso_catalogue.htm
th Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA)
//www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html
S Shared Assessments Program Agreed Upon Procedures (AUP) Version 5.0 Assessment Guide
//www.sharedassessments.org/
02/12/2015
18 of 18
PUBLIC RELEASE
FOR COMMENT