The crosswalk from NIST to HIPAA is from HHS's HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. (HHS calls it a HIPAA-to-NIST crosswalk, but the mapping runs from one NIST subcategory to many HIPAA chapters, so I think it makes more sense to call it NIST-to-HIPAA.)
The crosswalk from NIST to HITRUST is from NIST's HITRUST CSF v9.2 to NIST CSF v1.1 Informative Reference Details.
For crosswalks from NIST to other frameworks (ISO, COBIT, etc.), see NIST's Framework for Improving Critical Infrastructure Cybersecurity (2018).

NIST | Description | HITRUST | HIPAA Law | HIPAA Details |
---|---|---|---|---|
ID.AM-1 | Physical devices and systems within the organization are inventoried | 07.a, 07.d | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(d) |
ID.AM-2 | Software platforms and applications within the organization are inventoried | 01.l, 07.a, 07.d | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E) |
ID.AM-3 | Organizational communication and data flows are mapped | 01.m, 01.o, 05.i, 09.m, 09.n | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(3)(ii)(A), 164.308(a)(8), 164.310(d) |
ID.AM-4 | External information systems are catalogued | 01.i, 09.e, 09.n | 164.308 (Administrative safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(4)(ii)(A), 164.308(b), 164.314(a)(1), 164.314(a)(2)(i)(B), 164.314(a)(2)(ii), 164.316(b)(2) |
ID.AM-5 | Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value | 01.a, 01.w, 06.c, 07.a, 07.b, 07.d, 12.a, 12.c, 12.d | 164.308 (Administrative safeguards) | 164.308(a)(7)(ii)(E) |
ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third party stakeholders (e.g., suppliers, customers, partners) are established | 00.a, 01.a, 02.a, 02.b, 02.c, 02.d, 02.e, 05.e, 05.j, 05.k, 07.b, 07.c, 07.d, 09.m, 09.n, 10.k, 10.m, 11.d, 12.a, 12.c, 12.d, 12.e | 164.308 (Administrative safeguards), 164.314 (Organizational requirements) | 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1), 164.314 |
ID.BE-1 | The organization’s role in the supply chain is identified and communicated | 05.d, 09.g, 10.l | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(4)(ii), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(2)(i), 164.314, 164.316 |
ID.BE-2 | The organization’s place in critical infrastructure and its industry sector is identified and communicated | 05.a, 12.b | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(4)(ii), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(2)(i), 164.314, 164.316 |
ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | 01.w, 03.a, 05.a, 05.b | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.316 |
ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | 08.h, 12.b, 12.c | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(7)(i), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii), 164.314(a)(1), 164.314(b)(2)(i) |
ID.BE-5 | Resilience requirements to support delivery of critical services are established | 12.a, 12.b, 12.c, 12.d | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(8), 164.310(a)(2)(i), 164.312(a)(2)(ii), 164.314(b)(2)(i) |
ID.GV-1 | Organizational information security policy is established | 00.a, 04.a, 04.b, 05.a, 05.c | 164.308 (Administrative safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.316 |
ID.GV-2 | Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | 04.a, 05.a, 05.b, 05.c, 05.k | 164.308 (Administrative safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(i), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b), 164.314 |
ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | 01.a, 02.a, 02.b, 02.c, 02.e, 04.a, 04.b, 05.b, 05.e, 05.g, 05.i, 05.k, 06.a, 06.b, 06.c, 06.d, 06.e, 06.f, 06.g, 07.b, 08.b, 08.c, 08.h, 09.ab, 09.n, 09.v, 09.x, 09.z, 10.a, 10.f, 11.a, 11.c, 11.e, 12.e | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.310, 164.312, 164.314, 164.316 |
ID.GV-4 | Governance and risk management processes address cybersecurity risks | 00.a, 01.a, 01.q, 01.w, 01.x, 01.y, 02.e, 03.a, 03.b, 03.d, 04.a, 04.b, 05.a, 05.d, 05.g, 05.h, 06.a, 06.c, 06.i, 07.b, 07.d | 164.308 (Administrative safeguards) | 164.308(a)(1), 164.308(b) |
ID.RA-1 | Asset vulnerabilities are identified and documented | 03.b, 03.d, 06.h, 09.ab, 09.z, 10.c, 10.m, 11.b, 12.b | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(1), 164.312(a)(1), 164.316(b)(2)(iii) |
ID.RA-2 | Threat and vulnerability information is received from information sharing forums and sources | 03.b, 03.d, 05.g, 07.d, 10.m, 12.b | No direct analog to HIPAA Security Rule | No direct analog to HIPAA Security Rule |
ID.RA-3 | Threats, both internal and external, are identified and documented | 03.b, 03.d, 07.d, 10.l, 12.b | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(A), 164.310(a)(1), 164.310(a)(2)(iii), 164.312(a)(1), 164.312(c), 164.312(e), 164.314, 164.316 |
ID.RA-4 | Potential business impacts and likelihoods are identified | 03.b, 03.d, 05.d, 07.d, 09.g, 10.k, 10.m, 12.b | 164.308 (Administrative safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.316(a) |
ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | 03.b, 03.d, 10.k, 10.m, 12.b | 164.308 (Administrative safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.316(a) |
ID.RA-6 | Risk responses are identified and prioritized | 03.c, 06.g, 06.h, 10.m | 164.308 (Administrative safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(B), 164.314(a)(2)(i)(C), 164.314(b)(2)(iv) |
ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | 03.a, 03.b, 05.a, 05.h, 05.i | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(B) |
ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | 03.a, 05.h | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(B) |
ID.RM-3 | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | 03.a, 05.h, 12.b | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i) |
PR.AC-1 | Identities and credentials are managed for authorized devices and users | 01.a, 01.b, 01.c, 01.d, 01.e, 01.f, 01.j, 01.k, 01.p, 01.q, 01.r, 01.v, 02.g, 02.i, 05.j, 06.j, 09.m, 10.i | 164.308 (Administrative safeguards), 164.312 (Technical safeguards) | 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d) |
PR.AC-2 | Physical access to assets is managed and protected | 01.g, 01.k, 01.l, 01.v, 01.x, 01.y, 08.a, 08.b, 08.c, 08.e, 08.f, 08.h, 08.i, 10.i | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii) |
PR.AC-3 | Remote access is managed | 01.j, 01.n, 01.q, 01.v, 01.y, 05.i, 05.j, 09.e, 09.s, 09.w, 10.i | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii) |
PR.AC-4 | Access permissions are managed, incorporating the principles of least privilege and separation of duties | 01.a, 01.b, 01.c, 01.e, 01.m, 01.p, 01.s, 01.v, 01.x, 02.g, 02.i, 05.i, 06.j, 07.a, 07.d, 08.i, 09.ac, 09.c, 09.j, 09.r, 09.w, 09.y, 09.z, 10.i | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii) |
PR.AC-5 | Network integrity is protected, incorporating network segregation where appropriate | 01.m, 01.n, 01.o, 01.w, 09.m, 09.w | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(4)(ii)(B), 164.310(a)(1), 164.310(b), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e) |
PR.AT-1 | All users are informed and trained | 00.a, 01.f, 01.g, 01.p, 01.x, 01.y, 02.d, 02.e, 05.c, 07.c, 09.j, 09.s, 11.b, 11.c, 12.c, 12.d | 164.308 (Administrative safeguards) | 164.308(a)(5) |
PR.AT-2 | Privileged users understand roles & responsibilities | 00.a, 01.q, 02.d, 02.e, 05.c, 09.z | 164.308 (Administrative safeguards) | 164.308(a)(2), 164.308(a)(3)(i), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D) |
PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities | 00.a, 02.d, 05.i, 05.j, 05.k, 06.a, 09.e, 09.f, 09.g, 09.n, 09.t, 09.x, 10.a, 10.k, 10.l | 164.308 (Administrative safeguards), 164.314 (Organizational requirements) | 164.308(b), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii) |
PR.AT-4 | Senior executives understand roles & responsibilities | 00.a, 02.d, 02.e, 05.a | 164.308 (Administrative safeguards) | 164.308(a)(2), 164.308(a)(3)(i), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D) |
PR.AT-5 | Physical and information security personnel understand roles & responsibilities | 00.a, 02.d, 02.e, 05.c, 11.a | 164.308 (Administrative safeguards), 164.530 (Administrative requirements) | 164.308(a)(2), 164.308(a)(3)(i), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.530(b)(1) |
PR.DS-1 | Data-at-rest is protected | 01.d, 01.j, 01.k, 01.v, 01.x, 01.y, 06.d, 08.j, 09.ac, 09.l, 09.o, 09.x, 09.y, 09.z, 10.f, 10.g, 10.i, 12.c | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d) |
PR.DS-2 | Data-in-transit is protected | 01.d, 01.j, 01.n, 01.r, 01.y, 05.i, 06.d, 08.i, 09.ac, 09.l, 09.m, 09.s, 09.t, 09.u, 09.v, 09.x, 09.y, 09.z, 10.d, 10.f, 10.g | 164.308 (Administrative safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | 01.y, 06.c, 07.a, 07.b, 07.d, 08.k, 08.l, 08.m, 09.e, 09.p, 09.q | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2) |
PR.DS-4 | Adequate capacity to ensure availability is maintained | 09.ac, 09.h, 12.c | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(7), 164.310(a)(2)(i), 164.310(d)(2)(iv), 164.312(a)(2)(ii) |
PR.DS-5 | Protections against data leaks are implemented | 01.c, 01.m, 01.n, 01.o, 01.p, 01.r, 01.s, 01.t, 01.u, 01.v, 01.w, 02.b, 02.c, 05.e, 07.c, 07.d, 07.e, 09.i, 09.m, 09.p, 09.q, 09.s, 09.v, 09.w, 09.x, 09.y, 10.b, 10.d, 10.j | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | 09.ab, 09.ac, 09.z, 10.b, 10.c, 10.d | 164.308 (Administrative safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i) |
PR.DS-7 | The development and testing environment(s) are separate from the production environment | 09.d, 09.k, 10.h | 164.308 (Administrative safeguards) | 164.308(a)(4) |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained | 01.i, 01.l, 01.m, 01.w, 01.x, 01.y, 06.b, 07.b, 09.m, 09.w, 09.z, 10.h, 10.k | 164.308 (Administrative safeguards) | 164.308(a)(8), 164.308(a)(7)(i), 164.308(a)(7)(ii) |
PR.IP-2 | A System Development Life Cycle to manage systems is implemented | 09.i, 10.a, 10.k, 10.l | 164.308 (Administrative safeguards) | 164.308(a)(1)(i) |
PR.IP-3 | Configuration change control processes are in place | 01.l, 01.n, 09.b, 09.d, 10.h, 10.k | 164.308 (Administrative safeguards) | 164.308(a)(8) |
PR.IP-4 | Backups of information are conducted, maintained, and tested periodically | 09.l, 09.w | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(D), 164.310(a)(2)(i), 164.310(d)(2)(iv) |
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met | 01.g, 01.y, 08.d, 08.e, 08.f, 08.g, 08.h, 08.i | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii) |
PR.IP-6 | Data is destroyed according to policy | 08.l, 08.m, 09.p | 164.310 (Physical safeguards) | 164.310(d)(2)(i), 164.310(d)(2)(ii) |
PR.IP-7 | Protection processes are continuously improved | 00.a, 03.c, 05.h, 06.a, 11.a, 12.d, 12.e | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.306(e), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii) |
PR.IP-8 | Effectiveness of protection technologies is shared with appropriate parties | 05.b, 05.h | 164.308 (Administrative safeguards) | 164.308(a)(6)(ii) |
PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | 11.a, 11.c, 12.a, 12.b, 12.c, 12.d, 12.e | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(6), 164.308(a)(7), 164.310(a)(2)(i), 164.312(a)(2)(ii) |
PR.IP-10 | Response and recovery plans are tested | 11.c, 12.e | 164.308 (Administrative safeguards) | 164.308(a)(7)(ii)(D) |
PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | 01.a, 01.b, 01.c, 01.d, 02.a, 02.b, 02.c, 02.d, 02.e, 02.f, 02.g, 02.h, 02.i, 05.e, 05.k, 06.e, 07.c, 11.a, 11.e, 12.a | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(C), 164.308(a)(3) |
PR.IP-12 | A vulnerability management plan is developed and implemented | 03.c, 06.h, 10.m | 164.308 (Administrative safeguards) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B) |
PR.MA-1 | Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools | 01.l, 08.j | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(3)(ii)(A), 164.310(a)(2)(iv) |
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | 01.j, 01.q, 08.j | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2)(ii), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.312(d), 164.312(e), 164.308(a)(1)(ii)(D) |
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 01.c, 06.c, 06.i, 07.b, 08.b, 09.aa, 09.ab, 09.ac, 09.ad, 09.ae, 09.af, 09.h, 09.q, 10.i, 10.m | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b) |
PR.PT-2 | Removable media is protected and its use restricted according to policy | 01.c, 01.g, 01.h, 01.v, 07.e, 09.o, 09.q, 09.t, 09.u | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b) |
PR.PT-3 | Access to systems and assets is controlled, incorporating the principle of least functionality | 01.h, 01.i, 01.l, 01.s, 01.u, 01.v, 06.j, 10.i, 10.j, 10.k, 10.m | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv) |
PR.PT-4 | Communications and control networks are protected | 01.c, 01.j, 01.l, 01.m, 01.n, 01.o, 01.t, 01.u, 09.n | 164.308 (Administrative safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.312(a)(1), 164.312(b), 164.312(e) |
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | 01.i, 01.l, 01.m, 01.n, 05.i, 09.m, 09.n, 09.w, 11.d | 164.308 (Administrative safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.312(b) |
DE.AE-2 | Detected events are analyzed to understand attack targets and methods | 09.ab, 11.d | 164.308 (Administrative safeguards) | 164.308(a)(6)(i) |
DE.AE-3 | Event data are aggregated and correlated from multiple sources and sensors | 01.j, 09.ab, 11.c | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii) |
DE.AE-4 | Impact of events is determined | 09.e, 09.m, 11.d, 12.a, 12.b | 164.308 (Administrative safeguards) | 164.308(a)(6)(ii) |
DE.AE-5 | Incident alert thresholds are established | 12.d | 164.308 (Administrative safeguards) | 164.308(a)(6)(i) |
DE.CM-1 | The network is monitored to detect potential cybersecurity events | 01.j, 01.n, 06.e, 09.aa, 09.ab, 09.ac, 09.m, 10.k, 11.a | 164.308 (Administrative safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8), 164.312(b), 164.312(e)(2)(i) |
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | 08.a, 08.b, 08.c, 09.ab | 164.310 (Physical safeguards) | 164.310(a)(2)(ii), 164.310(a)(2)(iii) |
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | 01.b, 01.c, 06.b, 06.e, 08.c, 09.aa, 09.ab, 09.c | 164.308 (Administrative safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e) |
DE.CM-4 | Malicious code is detected | 08.j, 09.ab, 09.j, 09.k, 10.l | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B) |
DE.CM-5 | Unauthorized mobile code is detected | 09.k | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B) |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | 05.k, 09.e, 09.f, 09.n, 09.z, 10.l | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(D) |
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | 01.x, 06.g, 08.a, 08.b, 08.c, 09.ab, 09.n, 10.k | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(b), 164.314(b)(2)(i) |
DE.CM-8 | Vulnerability scans are performed | 06.h, 09.z, 10.b, 10.c, 10.m | 164.308 (Administrative safeguards) | 164.308(a)(1)(i), 164.308(a)(8) |
DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | 02.a, 06.g, 06.i, 06.j | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(2), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4), 164.310(a)(2)(iii), 164.312(a)(1), 164.312(a)(2)(ii) |
DE.DP-2 | Detection activities comply with all applicable requirements | 06.i, 08.a, 08.b, 08.c, 09.ab | 164.308 (Administrative safeguards) | 164.308(a)(1)(i), 164.308(a)(8) |
DE.DP-3 | Detection processes are tested | 08.b, 09.ab | 164.306 (Security standards: General rules) | 164.306(e) |
DE.DP-4 | Event detection information is communicated to appropriate parties | 05.b, 05.f, 06.g, 06.i, 09.ab, 09.ae, 11.a | 164.308 (Administrative safeguards), 164.314 (Organizational requirements) | 164.308(a)(6)(ii), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii) |
DE.DP-5 | Detection processes are continuously improved | 09.ab, 10.b | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards) | 164.306(e), 164.308(a)(8) |
RS.RP-1 | Response plan is executed during or after an event | 11.a, 11.c, 11.d | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(a)(2)(i), 164.312(a)(2)(ii) |
RS.CO-1 | Personnel know their roles and order of operations when a response is needed | 02.e, 11.a, 11.c, 12.c, 12.d, 12.e | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(2), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(a)(2)(i), 164.308(a)(6)(i), 164.312(a)(2)(ii) |
RS.CO-2 | Events are reported consistent with established criteria | 05.f, 09.ab, 10.c, 11.a, 11.b, 11.c | 164.308 (Administrative safeguards), 164.314 (Organizational requirements) | 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii) |
RS.CO-3 | Information is shared consistent with response plans | 05.f, 05.g, 08.b, 09.ab, 10.m, 11.a, 11.c, 11.d | 164.308 (Administrative safeguards), 164.314 (Organizational requirements) | 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.314(a)(2)(i)(C) |
RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | 09.f, 11.c, 11.d, 12.c | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(6), 164.308(a)(7), 164.310(a)(2)(i), 164.312(a)(2)(ii) |
RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | 03.b, 05.g, 06.a, 11.a, 11.c | 164.308 (Administrative safeguards) | 164.308(a)(6) |
RS.AN-1 | Notifications from detection systems are investigated | 08.b, 09.ab, 09.ac, 11.d | 164.308 (Administrative safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.312(b) |
RS.AN-2 | The impact of the incident is understood | 11.d | 164.308 (Administrative safeguards) | 164.308(a)(6)(ii), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E) |
RS.AN-3 | Forensics are performed | 11.c, 11.d, 11.e | 164.308 (Administrative safeguards) | 164.308(a)(6) |
RS.AN-4 | Incidents are categorized consistent with response plans | 11.c | 164.308 (Administrative safeguards) | 164.308(a)(6)(ii) |
RS.MI-1 | Incidents are contained | 01.b, 11.c, 11.d | 164.308 (Administrative safeguards) | 164.308(a)(6)(ii) |
RS.MI-2 | Incidents are mitigated | 01.b, 09.f, 10.a, 11.c, 11.d | 164.308 (Administrative safeguards) | 164.308(a)(6)(ii) |
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks | 03.a, 03.c, 06.h, 10.c, 10.m | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii) |
RS.IM-1 | Response plans incorporate lessons learned | 11.c, 11.d | 164.308 (Administrative safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii) |
RS.IM-2 | Response strategies are updated | 11.c, 11.d | 164.308 (Administrative safeguards) | 164.308(a)(7)(ii)(D), 164.308(a)(8) |
RC.RP-1 | Recovery plan is executed during or after an event | 11.d, 12.c | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(7), 164.310(a)(2)(i) |
RC.IM-1 | Recovery plans incorporate lessons learned | 11.d, 12.e | 164.308 (Administrative safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.316(b)(2)(iii) |
RC.IM-2 | Recovery strategies are updated | 11.d, 12.e | 164.308 (Administrative safeguards) | 164.308(a)(7)(ii)(D), 164.308(a)(8) |
RC.CO-1 | Public relations are managed | 11.c, 11.d | 164.308 (Administrative safeguards) | 164.308(a)(6)(i) |
RC.CO-2 | Reputation after an event is repaired | 11.c | 164.308 (Administrative safeguards) | 164.308(a)(6)(i) |
RC.CO-3 | Recovery activities are communicated to internal stakeholders and executive and management teams | 11.d, 12.c | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.314 (Organizational requirements) | 164.308(a)(6)(ii), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(a)(2)(i), 164.314(a)(2)(i)(C) |

HITRUST | Description | NIST | HIPAA Law | HIPAA Details |
---|---|---|---|---|
00.a | An Information Security Management Program (ISMP) shall be defined in terms of the characteristics of the business and established and managed including monitoring, maintenance and improvement. | ID.AM-6, ID.GV-1, ID.GV-4, PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5, PR.IP-7 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements), 164.530 (Administrative requirements) | 164.306(e), 164.308(a)(1), 164.308(a)(1)(i), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(4), 164.308(a)(5), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.308(b), 164.308(b)(1), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.316, 164.316(b)(2)(iii), 164.530(b)(1) |
01.a | An access control policy shall be established, documented, and reviewed based on business and security requirements for access | ID.AM-5, ID.AM-6, ID.GV-3, ID.GV-4, PR.AC-1, PR.AC-4, PR.AC-7, PR.IP-11 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1), 164.308(a)(1)(ii)(C), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(7)(ii)(E), 164.308(b), 164.308(b)(1), 164.310, 164.310(a)(2)(iii), 164.310(b), 164.312, 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d), 164.314, 164.316 |
01.b | There shall be a formal documented and implemented user registration and deregistration procedure for granting and revoking access. | PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-11, DE.CM-3, RS.MI-1, RS.MI-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(b), 164.312(d), 164.312(e) |
01.c | The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls | PR.AC-1, PR.AC-4, PR.DS-5, PR.IP-11, PR.PT-1, PR.PT-2, PR.PT-4, DE.CM-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(d), 164.312(e) |
01.d | Passwords shall be controlled through a formal management process | PR.AC-1, PR.AC-7, PR.DS-1, PR.DS-2, PR.IP-11 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(b)(1), 164.308(b)(2), 164.310(d), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
01.e | All access rights shall be regularly reviewed by management via a formal documented process | PR.AC-1, PR.AC-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d) |
01.f | Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow good security practices in the selection and use of passwords and security of equipment | PR.AC-1, PR.AC-7, PR.AT-1 | 164.308 (Administrative safeguards), 164.312 (Technical safeguards) | 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d) |
01.g | Users shall ensure that unattended equipment has appropriate protection | PR.AC-2, PR.AT-1, PR.IP-5, PR.PT-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(5), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(C), 164.310, 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 164.316(b)(2)(iii) |
01.h | A clear desk policy for papers and removable storage media and a clear screen policy for information assets shall be adopted | PR.PT-2, PR.PT-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b) |
01.i | Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment | ID.AM-4, PR.IP-1, PR.PT-3, DE.AE-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(4)(ii)(A), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(8), 164.308(b), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.314(a)(1), 164.314(a)(2)(i)(B), 164.314(a)(2)(ii), 164.316(b)(2) |
01.j | Appropriate authentication methods shall be used to control access by remote users | PR.AC-1, PR.AC-3, PR.AC-7, PR.DS-1, PR.DS-2, PR.MA-2, PR.PT-4, DE.AE-3, DE.CM-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.308(b)(1), 164.308(b)(2), 164.308(b)(3), 164.310(b), 164.310(d), 164.310(d)(1), 164.310(d)(2)(ii), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 164.314(b)(2)(i) |
01.k | Automatic equipment identification shall be used as a means to authenticate connections from specific locations and equipment | PR.AC-1, PR.AC-2, PR.AC-7, PR.DS-1, PR.DS-8 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(b)(1), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.314(b)(2)(i) |
01.l | Physical and logical access to diagnostic and configuration ports shall be controlled | ID.AM-2, PR.AC-2, PR.IP-1, PR.IP-3, PR.MA-1, PR.PT-3, PR.PT-4, DE.AE-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.312(e) |
01.m | Groups of information services, users, and information systems should be segregated on networks | ID.AM-3, PR.AC-4, PR.AC-5, PR.DS-5, PR.IP-1, PR.PT-4, DE.AE-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.308(a)(4)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(8), 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(b), 164.312(c), 164.312(e) |
01.n | For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications | PR.AC-3, PR.AC-5, PR.DS-2, PR.DS-5, PR.IP-3, PR.PT-4, DE.AE-1, DE.CM-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8), 164.308(b)(1), 164.308(b)(2), 164.308(b)(3), 164.310(a)(1), 164.310(b), 164.310(c), 164.312(a), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
01.o | Routing controls shall be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications | ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.308(a)(4)(ii)(B), 164.308(a)(8), 164.310(a)(1), 164.310(b), 164.310(c), 164.310(d), 164.312(a), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e) |
01.p | Access to operating systems shall be controlled by a secure log-on procedure | PR.AC-1, PR.AC-4, PR.AC-7, PR.AT-1, PR.DS-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d), 164.312(e) |
01.q | All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user | ID.GV-4, PR.AC-1, PR.AC-3, PR.AC-7, PR.AT-2, PR.MA-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.308(b), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.310(d)(1), 164.310(d)(2)(ii), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(d), 164.312(e), 164.312(e)(1), 164.312(e)(2)(ii) |
01.r | Systems for managing passwords shall be interactive and shall ensure quality passwords | PR.AC-1, PR.AC-7, PR.DS-2, PR.DS-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(b)(1), 164.308(b)(2), 164.310(b), 164.310(c), 164.312(a), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
01.s | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled | PR.AC-4, PR.DS-5, PR.PT-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(e) |
01.t | Inactive sessions shall shut down after a defined period of inactivity | PR.AC-7, PR.DS-5, PR.PT-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(a)(1), 164.312(b), 164.312(e) |
01.u | Restrictions on connection times shall be used to provide additional security for high-risk applications | PR.AC-7, PR.DS-5, PR.PT-3, PR.PT-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.312(e) |
01.v | Logical and physical access to information and application systems and functions by users and support personnel shall be restricted in accordance with the defined access control policy | PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.DS-1, PR.DS-5, PR.PT-2, PR.PT-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(b)(1), 164.308(b)(3), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e), 164.312(e)(1), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
01.w | Sensitive systems shall have a dedicated and isolated computing environment | ID.AM-5, ID.BE-3, ID.GV-4, PR.AC-5, PR.DS-5, PR.IP-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(4)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.310(a)(1), 164.310(a)(2)(i), 164.310(b), 164.310(c), 164.312(a), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e), 164.316 |
01.x | A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication devices | ID.GV-4, PR.AC-2, PR.AC-4, PR.AT-1, PR.DS-1, PR.IP-1, DE.CM-7 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(7)(ii)(A), 164.308(a)(8), 164.308(b), 164.308(b)(1), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.314(b)(2)(i) |
01.y | A policy, operational plans and procedures shall be developed and implemented for teleworking activities | ID.GV-4, PR.AC-2, PR.AC-3, PR.AT-1, PR.DS-1, PR.DS-2, PR.DS-3, PR.IP-1, PR.IP-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(4)(i), 164.308(a)(5), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(C), 164.308(a)(8), 164.308(b), 164.308(b)(1), 164.308(b)(2), 164.308(b)(3), 164.310, 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 164.316(b)(2)(iii) |
02.a | Security roles and responsibilities of employees, contractors and third-party users shall be defined and documented in accordance with the organization's information security policy | ID.AM-6, ID.GV-3, PR.IP-11, DE.DP-1 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(C), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4), 164.308(b)(1), 164.310, 164.310(a)(2)(iii), 164.312, 164.312(a)(1), 164.312(a)(2)(ii), 164.314, 164.316 |
02.b | Background verification checks on all candidates for employment, contractors, and third-party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks | ID.AM-6, ID.GV-3, PR.AC-6, PR.DS-5, PR.IP-11 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1), 164.310, 164.310(b), 164.310(c), 164.312, 164.312(a), 164.312(e), 164.314, 164.316 |
02.c | As part of their contractual obligation, employees, contractors and third-party users shall agree and sign the terms and conditions of their employment contract, which shall include their responsibilities for information security | ID.AM-6, ID.GV-3, PR.DS-5, PR.IP-11 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1), 164.310, 164.310(b), 164.310(c), 164.312, 164.312(a), 164.312(e), 164.314, 164.316 |
02.d | Management shall require employees, and where applicable contractors and third-party users, to apply security in accordance with established policies and procedures of the organization | ID.AM-6, PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5, PR.IP-11 | 164.308 (Administrative safeguards), 164.314 (Organizational requirements), 164.530 (Administrative requirements) | 164.308(a)(1)(ii)(C), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(4), 164.308(a)(5), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.308(b), 164.308(b)(1), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.530(b)(1) |
02.e | All employees of the organization and contractors and third-party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function | ID.AM-6, ID.GV-3, ID.GV-4, PR.AT-1, PR.AT-2, PR.AT-4, PR.AT-5, PR.IP-11, RS.CO-1 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements), 164.530 (Administrative requirements) | 164.306, 164.308, 164.308(a)(1), 164.308(a)(1)(ii)(C), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(4), 164.308(a)(5), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.308(a)(6)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(b), 164.308(b)(1), 164.310, 164.310(a)(2)(i), 164.312, 164.312(a)(2)(ii), 164.314, 164.316, 164.530(b)(1) |
02.f | There shall be a formal disciplinary process for employees who have violated security policies and procedures. | PR.IP-11 | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(C), 164.308(a)(3) |
02.g | Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned | PR.AC-1, PR.AC-4, PR.IP-11 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(C), 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d) |
02.h | All employees, contractors and third-party users shall return all of the organization's assets in their possession upon termination of their employment, contract or agreement. | PR.IP-11 | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(C), 164.308(a)(3) |
02.i | The access rights of all employees, contractors and third-party users to information and information assets shall be removed upon termination of their employment, contract or agreement, or adjusted upon a change of employment (i.e. upon transfer within the organization) | PR.AC-1, PR.AC-4, PR.IP-11 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(C), 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d) |
03.a | Organizations shall develop and maintain a risk management program to manage risk to an acceptable level | ID.BE-3, ID.GV-4, ID.RM-1, ID.RM-2, ID.RM-3, RS.MI-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(b), 164.310(a)(2)(i), 164.316 |
03.b | Risk Assessments shall be performed to identify and quantify risks | ID.GV-4, ID.RA-1, ID.RA-2, ID.RA-3, ID.RA-4, ID.RA-5, ID.RM-1, RS.CO-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1), 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(A), 164.308(a)(6), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.310(a)(1), 164.310(a)(2)(iii), 164.312(a)(1), 164.312(c), 164.312(e), 164.314, 164.316, 164.316(a), 164.316(b)(2)(iii) |
03.c | Risks shall be mitigated to an acceptable level | ID.RA-6, PR.IP-7, PR.IP-12, RS.MI-3 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306(e), 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.314(a)(2)(i)(C), 164.314(b)(2)(iv), 164.316(b)(2)(iii) |
03.d | Risks shall be continually evaluated and assessed | ID.GV-4, ID.RA-1, ID.RA-2, ID.RA-3, ID.RA-4, ID.RA-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1), 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(A), 164.308(a)(6), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.310(a)(1), 164.310(a)(2)(iii), 164.312(a)(1), 164.312(c), 164.312(e), 164.314, 164.316, 164.316(a), 164.316(b)(2)(iii) |
04.a | Information Security Policy documents shall be approved by management, and published and communicated to all employees and relevant external parties. Information Security Policy documents shall establish the direction of the organization and align to best practices, regulatory, federal/state and international laws where applicable. The Information Security policy documents shall be supported by a strategic plan and a security program with well-defined roles and responsibilities for leadership and officer roles | ID.GV-1, ID.GV-2, ID.GV-3, ID.GV-4 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1), 164.308(a)(1)(i), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b), 164.310, 164.312, 164.314, 164.316 |
04.b | The information security policy documents shall be reviewed at planned intervals or if significant changes occur to ensure their continuing adequacy and effectiveness | ID.GV-1, ID.GV-3, ID.GV-4 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1), 164.308(a)(1)(i), 164.308(b), 164.310, 164.312, 164.314, 164.316 |
05.a | Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities | ID.BE-2, ID.BE-3, ID.GV-1, ID.GV-2, ID.GV-4, ID.RM-1, PR.AT-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1), 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(4), 164.308(a)(4)(ii), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.310(a)(2)(i), 164.314, 164.316 |
05.b | Information security activities shall be coordinated by representatives from different parts of the organization with relevant roles and job functions | ID.BE-3, ID.GV-2, ID.GV-3, PR.IP-8, DE.DP-4 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(i), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(6)(ii), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(b), 164.310, 164.310(a)(2)(i), 164.312, 164.314, 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 164.316 |
05.c | All information security responsibilities shall be clearly defined | ID.GV-1, ID.GV-2, PR.AT-1, PR.AT-2, PR.AT-5 | 164.308 (Administrative safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements), 164.530 (Administrative requirements) | 164.308(a)(1)(i), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(4), 164.308(a)(5), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.308(b), 164.314, 164.316, 164.530(b)(1) |
05.d | A management authorization process for new information assets (e.g. systems and applications) (see Other Information), and facilities (e.g. data centers or offices where covered information is to be processed) shall be defined and implemented | ID.BE-1, ID.GV-4, ID.RA-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1), 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(4)(ii), 164.308(a)(6), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.310(a)(2)(i), 164.314, 164.316, 164.316(a) |
05.e | Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified and regularly reviewed | ID.AM-6, ID.GV-3, PR.DS-5, PR.IP-11 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1), 164.310, 164.310(b), 164.310(c), 164.312, 164.312(a), 164.312(e), 164.314, 164.316 |
05.f | Appropriate contacts with relevant authorities shall be maintained | DE.DP-4, RS.CO-2, RS.CO-3 | 164.308 (Administrative safeguards), 164.314 (Organizational requirements) | 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii) |
05.g | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained | ID.GV-3, ID.GV-4, ID.RA-2, RS.CO-3, RS.CO-5 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6), 164.308(a)(6)(ii), 164.308(b), 164.310, 164.312, 164.314, 164.314(a)(2)(i)(C), 164.316 |
05.h | The organization's approach to managing information security and its implementation (control objectives, controls, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, at a minimum annually, or when significant changes to the security implementation occur | ID.GV-4, ID.RM-1, ID.RM-2, ID.RM-3, PR.IP-7, PR.IP-8 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.306(e), 164.308(a)(1), 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.310(a)(2)(i), 164.316(b)(2)(iii) |
05.i | The risks to the organization's information and information assets from business processes involving external parties shall be identified, and appropriate controls implemented before granting access | ID.AM-3, ID.GV-3, ID.RM-1, ID.SC-1, ID.SC-2, ID.SC-3, PR.AC-3, PR.AC-4, PR.AT-3, PR.DS-2, DE.AE-1 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(8), 164.308(b), 164.308(b)(1), 164.308(b)(2), 164.308(b)(3), 164.310, 164.310(a)(2)(iii), 164.310(b), 164.310(d), 164.312, 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(b), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.314(b)(2)(i), 164.316 |
05.j | All identified security requirements shall be addressed before giving customers access to the organization's information or assets | ID.AM-6, PR.AC-1, PR.AC-3, PR.AT-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(b), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d), 164.312(e)(1), 164.312(e)(2)(ii), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii) |
05.k | Agreements with third parties involving accessing, processing, communicating or managing the organization's information or information assets, or adding products or services to information assets shall cover all relevant security requirements. | ID.AM-6, ID.GV-2, ID.GV-3, ID.SC-1, ID.SC-3, ID.SC-4, PR.AC-6, PR.AT-3, PR.DS-8, PR.IP-11, DE.CM-6 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(i), 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(b), 164.308(b)(1), 164.310, 164.312, 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.316 |
06.a | All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization | ID.GV-3, ID.GV-4, PR.AT-3, PR.IP-7, RS.CO-5 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.306(e), 164.308, 164.308(a)(1), 164.308(a)(6), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.308(b), 164.310, 164.312, 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.316, 164.316(b)(2)(iii) |
06.b | Detailed procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products | ID.GV-3, PR.IP-1, DE.CM-3 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(8), 164.310, 164.312, 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 164.314, 164.316 |
06.c | Important records shall be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements | ID.AM-5, ID.GV-3, ID.GV-4, PR.DS-3, PR.PT-1 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.308(a)(7)(ii)(E), 164.308(b), 164.310, 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(iii), 164.312, 164.312(b), 164.314, 164.316 |
06.d | Data protection and privacy shall be ensured as required in relevant legislation, regulations, and contractual clauses | ID.GV-3, PR.AC-7, PR.DS-1, PR.DS-2 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.308(b)(2), 164.310, 164.310(d), 164.312, 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314, 164.314(b)(2)(i), 164.316 |
06.e | Users shall be deterred from using information assets for unauthorized purposes | ID.GV-3, PR.IP-11, DE.CM-1, DE.CM-3 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8), 164.310, 164.312, 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 164.312(e)(2)(i), 164.314, 164.316 |
06.f | Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations | ID.GV-3 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.310, 164.312, 164.314, 164.316 |
06.g | Managers shall ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards | ID.GV-3, ID.RA-6, DE.CM-7, DE.DP-1, DE.DP-4 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.310, 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312, 164.312(a)(1), 164.312(a)(2)(ii), 164.312(b), 164.314, 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 164.314(b)(2)(i), 164.314(b)(2)(iv), 164.316 |
06.h | Information systems shall be regularly checked for compliance with security implementation standards | ID.RA-1, ID.RA-6, PR.IP-12, DE.CM-8, RS.MI-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6)(ii), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(1), 164.312(a)(1), 164.314(a)(2)(i)(C), 164.314(b)(2)(iv), 164.316(b)(2)(iii) |
06.i | Audit requirements and activities involving checks on operational systems shall be carefully planned and agreed to, to minimize the risk of disruptions to business processes | ID.GV-4, PR.PT-1, DE.DP-1, DE.DP-2, DE.DP-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1), 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.308(b), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(ii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii) |
06.j | Access to information systems audit tools shall be protected to prevent any possible misuse or compromise | PR.AC-1, PR.AC-4, PR.PT-3, DE.DP-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(d) |
07.a | All assets including information shall be clearly identified and an inventory of all assets drawn up and maintained | ID.AM-1, ID.AM-2, ID.AM-5, PR.AC-4, PR.DS-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(3), 164.308(a)(4), 164.308(a)(7)(ii)(E), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(d), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii) |
07.b | All information and assets associated with information processing systems shall be owned by a designated part of the organization | ID.AM-5, ID.AM-6, ID.GV-3, ID.GV-4, PR.DS-3, PR.IP-1, PR.PT-1 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.308(b)(1), 164.310, 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(iii), 164.312, 164.312(b), 164.314, 164.316 |
07.c | Rules for the acceptable use of information and assets associated with information processing systems shall be identified, documented, and implemented | ID.AM-6, PR.AT-1, PR.DS-5, PR.IP-11 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5), 164.308(b)(1), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 164.314 |
07.d | Information shall be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization | ID.AM-1, ID.AM-2, ID.AM-5, ID.AM-6, ID.GV-4, ID.RA-2, ID.RA-3, ID.RA-4, PR.AC-4, PR.DS-3, PR.DS-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1), 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(A), 164.308(a)(6), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.308(b)(1), 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d), 164.310(d)(1), 164.310(d)(2), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(c), 164.312(e), 164.314, 164.316, 164.316(a) |
07.e | An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization | PR.DS-5, PR.PT-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2), 164.312(a), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 164.312(e) |
08.a | Security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) shall be used to protect areas that contain information and information assets | PR.AC-2, DE.CM-2, DE.CM-7, DE.DP-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(8), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(b), 164.314(b)(2)(i) |
08.b | Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access | ID.GV-3, PR.AC-2, PR.PT-1, DE.CM-2, DE.CM-7, DE.DP-2, DE.DP-3, RS.AN-1, RS.CO-3 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.306(e), 164.308, 164.308(a)(1)(i), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(8), 164.310, 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312, 164.312(b), 164.314, 164.314(a)(2)(i)(C), 164.314(b)(2)(i), 164.316 |
08.c | Physical security for offices, rooms, and facilities shall be designed and applied | ID.GV-3, PR.AC-2, DE.CM-2, DE.CM-3, DE.CM-7, DE.DP-2 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(i), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(8), 164.310, 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312, 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 164.314, 164.314(b)(2)(i), 164.316 |
08.d | Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster shall be designed and applied | PR.IP-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii) |
08.e | Physical protection and guidelines for working in secure areas shall be designed and applied | PR.AC-2, PR.IP-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(C), 164.310, 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.316(b)(2)(iii) |
08.f | Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. | PR.AC-2, PR.IP-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(C), 164.310, 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.316(b)(2)(iii) |
08.g | Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access | PR.IP-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii) |
08.h | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities | ID.BE-4, ID.GV-3, PR.AC-2, PR.DS-8, PR.IP-5 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310, 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312, 164.312(a)(2)(ii), 164.314, 164.314(a)(1), 164.314(b)(2)(i), 164.316, 164.316(b)(2)(iii) |
08.i | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception or damage | PR.AC-2, PR.AC-4, PR.DS-2, PR.IP-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(3), 164.308(a)(4), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(C), 164.308(b)(1), 164.308(b)(2), 164.310, 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i), 164.316(b)(2)(iii) |
08.j | Equipment shall be correctly maintained to ensure its continued availability and integrity | PR.DS-1, PR.DS-8, PR.MA-1, PR.MA-2, DE.CM-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(b)(1), 164.310(a)(2)(iv), 164.310(d), 164.310(d)(1), 164.310(d)(2)(ii), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(1), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e), 164.314(b)(2)(i) |
08.k | Security shall be applied to off-site equipment taking into account the different risks of working outside the organization's premises | PR.DS-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2) |
08.l | All items of equipment containing storage media shall be checked to ensure that any covered information and licensed software has been removed or securely overwritten prior to disposal | PR.DS-3, PR.IP-6 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(i), 164.310(d)(2)(ii) |
08.m | Equipment, information or software shall not be taken off site without prior authorization | PR.DS-3, PR.IP-6 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards) | 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(i), 164.310(d)(2)(ii) |
09.a | Operating procedures shall be documented, maintained, and made available to all users who need them | No mapping | No mapping | |
09.b | Changes to information assets and systems shall be controlled and archived | PR.IP-3 | 164.308 (Administrative safeguards) | 164.308(a)(8) |
09.c | Separation of duties shall be enforced to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets | PR.AC-4, DE.CM-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(b), 164.312(d), 164.312(e) |
09.d | Development, test, and operational environments shall be separated and controlled to reduce the risks of unauthorized access or changes to the operational system | PR.DS-7, PR.IP-3 | 164.308 (Administrative safeguards) | 164.308(a)(4), 164.308(a)(8) |
09.e | It shall be ensured that the security controls, service definitions and delivery levels included in the third-party service delivery agreement are implemented, operated and maintained by the third party | ID.AM-4, ID.SC-1, ID.SC-2, ID.SC-3, ID.SC-4, PR.AC-3, PR.AT-3, PR.DS-3, DE.AE-4, DE.CM-6 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.308(a)(6)(ii), 164.308(b), 164.308(b)(1), 164.308(b)(3), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(d)(1), 164.310(d)(2), 164.312(e)(1), 164.312(e)(2)(ii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(i)(B), 164.314(a)(2)(ii), 164.316(b)(2) |
09.f | The services, reports and records provided by the third party shall be regularly monitored and reviewed, and audits shall be carried out regularly to govern and maintain compliance with the service delivery agreements | ID.SC-1, ID.SC-2, ID.SC-4, PR.AT-3, DE.CM-6, RS.CO-4, RS.MI-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(6), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(b), 164.310(a)(2)(i), 164.312(a)(2)(ii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii) |
09.g | Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business systems and processes involved and re-assessment of risks | ID.BE-1, ID.RA-4, ID.SC-1, PR.AT-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(4)(ii), 164.308(a)(6), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.310(a)(2)(i), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.316, 164.316(a) |
09.h | The availability of adequate capacity and resources shall be planned, prepared, and managed to deliver the required system performance. Projections of future capacity requirements shall be made to mitigate the risk of system overload | PR.DS-4, PR.PT-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.308(a)(7), 164.310(a)(2)(i), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.310(d)(2)(iv), 164.312(a)(2)(ii), 164.312(b) |
09.i | Acceptance criteria for new information systems, upgrades, and new versions shall be established and suitable tests of the system(s) carried out during development and prior to acceptance to maintain security. | PR.DS-5, PR.IP-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e) |
09.j | Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided | PR.AC-4, PR.AT-1, DE.CM-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5), 164.308(a)(5)(ii)(B), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii) |
09.k | Mobile code shall be authorized before its installation and use, and the configuration shall ensure that the authorized mobile code operates according to a clearly defined security policy. All unauthorized mobile code shall be prevented from executing | PR.DS-7, DE.CM-4, DE.CM-5 | 164.308 (Administrative safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(4), 164.308(a)(5)(ii)(B) |
09.l | Back-up copies of information and software shall be taken and tested regularly | PR.DS-1, PR.DS-2, PR.IP-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(D), 164.308(b)(1), 164.308(b)(2), 164.310(a)(2)(i), 164.310(d), 164.310(d)(2)(iv), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
09.m | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit | ID.AM-3, ID.AM-6, PR.AC-1, PR.AC-5, PR.DS-2, PR.DS-5, PR.IP-1, DE.AE-1, DE.AE-4, DE.CM-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(8), 164.308(b)(1), 164.308(b)(2), 164.310(a)(1), 164.310(b), 164.310(c), 164.310(d), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(b), 164.312(c), 164.312(d), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314, 164.314(b)(2)(i) |
09.n | Security features, service levels, and management requirements of all network services shall be identified and included in any network services agreement, whether these services are provided in-house or outsourced | ID.AM-3, ID.AM-4, ID.AM-6, ID.GV-3, PR.AT-3, PR.PT-4, DE.AE-1, DE.CM-6, DE.CM-7 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.308(a)(4)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8), 164.308(b), 164.308(b)(1), 164.310, 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d), 164.310(d)(1), 164.310(d)(2)(iii), 164.312, 164.312(a)(1), 164.312(b), 164.312(e), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(i)(B), 164.314(a)(2)(ii), 164.314(b)(2)(i), 164.316, 164.316(b)(2) |
09.o | Formal procedures shall be documented and implemented for the management of removable media | PR.DS-1, PR.PT-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(b)(1), 164.310(d), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.314(b)(2)(i) |
09.p | Media shall be disposed of securely and safely when no longer required, using formal procedures that are documented | PR.DS-3, PR.DS-5, PR.IP-6 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(i), 164.310(d)(2)(ii), 164.312(a), 164.312(e) |
09.q | Procedures for the handling and storage of information shall be established to protect this information from unauthorized disclosure or misuse | PR.DS-3, PR.DS-5, PR.PT-1, PR.PT-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4), 164.308(a)(5)(ii)(C), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2), 164.310(d)(2)(iii), 164.312(a), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 164.312(e) |
09.r | System documentation shall be protected against unauthorized access | PR.AC-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii) |
09.s | Formal exchange policies, procedures, and controls shall be in place to protect the exchange of information through the use of all types of communication mediums | PR.AC-3, PR.AT-1, PR.DS-2, PR.DS-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(5), 164.308(b)(1), 164.308(b)(2), 164.308(b)(3), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
09.t | Agreements shall be established and implemented for the exchange of information and software between the organization and external parties | PR.AT-3, PR.DS-2, PR.PT-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(b), 164.308(b)(1), 164.308(b)(2), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.314(b)(2)(i) |
09.u | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation beyond the organization's physical boundaries | PR.DS-2, PR.PT-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(b)(1), 164.308(b)(2), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
09.v | Information involved in electronic messaging shall be appropriately protected | ID.GV-3, PR.DS-2, PR.DS-5 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1), 164.308(b)(2), 164.310, 164.310(b), 164.310(c), 164.312, 164.312(a), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314, 164.314(b)(2)(i), 164.316 |
09.w | Policies and procedures shall be developed and implemented to protect information associated with the interconnection of business information systems | PR.AC-3, PR.AC-4, PR.AC-5, PR.DS-5, PR.IP-1, PR.IP-4, DE.AE-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.308(b)(1), 164.308(b)(3), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(2)(iv), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(b), 164.312(c), 164.312(e), 164.312(e)(1), 164.312(e)(2)(ii) |
09.x | Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure or modification | ID.GV-3, PR.AT-3, PR.DS-1, PR.DS-2, PR.DS-5 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(b), 164.308(b)(1), 164.308(b)(2), 164.310, 164.310(b), 164.310(c), 164.310(d), 164.312, 164.312(a), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.314(b)(2)(i), 164.316 |
09.y | Information involved in online transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay | PR.AC-4, PR.DS-1, PR.DS-2, PR.DS-5 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1), 164.308(b)(2), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
09.z | The integrity of information being made available on a publicly available system shall be protected to prevent unauthorized modification | ID.GV-3, ID.RA-1, PR.AC-4, PR.AT-2, PR.DS-1, PR.DS-2, PR.DS-6, PR.IP-1, DE.CM-6, DE.CM-8 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(4), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b)(1), 164.308(b)(2), 164.310, 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(d), 164.312, 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(c)(1), 164.312(c)(2), 164.312(d), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314, 164.314(b)(2)(i), 164.316, 164.316(b)(2)(iii) |
09.aa | Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring | PR.PT-1, DE.CM-1, DE.CM-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 164.312(e)(2)(i) |
09.ab | Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly | ID.GV-3, ID.RA-1, PR.DS-6, PR.PT-1, DE.AE-2, DE.AE-3, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-7, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5, RS.AN-1, RS.CO-2, RS.CO-3 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.306(e), 164.308, 164.308(6)(i), 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310, 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312, 164.312(a)(1), 164.312(a)(2)(i), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(d), 164.312(e), 164.312(e)(2)(i), 164.314, 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 164.314(b)(2)(i), 164.316, 164.316(b)(2)(iii) |
09.ac | Logging systems and log information shall be protected against tampering and unauthorized access | PR.AC-4, PR.DS-1, PR.DS-2, PR.DS-4, PR.DS-6, PR.PT-1, DE.CM-1, RS.AN-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(8), 164.308(b)(1), 164.308(b)(2), 164.310(a)(2)(i), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(d), 164.310(d)(2)(iii), 164.310(d)(2)(iv), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(c)(1), 164.312(c)(2), 164.312(d), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
09.ad | System administrator and system operator activities shall be logged and regularly reviewed | PR.PT-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b) |
09.ae | Faults shall be logged, analyzed, and appropriate remediation action taken | PR.PT-1, DE.DP-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii) |
09.af | The clocks of all relevant information processing systems within the organization or security domain shall be synchronized with an agreed accurate time source to support tracing and reconstitution of activity timelines | PR.PT-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b) |
10.a | Statements of business requirements for new information systems (developed or purchased), or enhancements to existing information systems shall specify the requirements for security controls | ID.GV-3, PR.AT-3, PR.IP-2, PR.PT-5, RS.MI-2 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(i), 164.308(a)(6)(ii), 164.308(b), 164.310, 164.312, 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.316 |
10.b | Data input to applications and databases shall be validated to ensure that this data is correct and appropriate | PR.DS-5, PR.DS-6, DE.CM-8, DE.DP-5 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.306(e), 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(8), 164.310(b), 164.310(c), 164.312(a), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e), 164.312(e)(2)(i) |
10.c | Validation checks shall be incorporated into applications to detect any corruption of information through processing errors or deliberate acts | ID.RA-1, PR.DS-6, DE.CM-8, RS.CO-2, RS.MI-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(1), 164.312(a)(1), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 164.316(b)(2)(iii) |
10.d | Requirements for ensuring authenticity and protecting message integrity in applications shall be identified and controls implemented | PR.DS-2, PR.DS-5, PR.DS-6 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(b)(1), 164.308(b)(2), 164.310(b), 164.310(c), 164.312(a), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
10.e | Data output from an application shall be validated to ensure that the processing of stored information is correct and appropriate to the circumstances | No mapping | No mapping | |
10.f | A policy on the use of cryptographic controls for protection of information shall be developed and implemented, and supported by formal procedures | ID.GV-3, PR.DS-1, PR.DS-2 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.308(b)(2), 164.310, 164.310(d), 164.312, 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314, 164.314(b)(2)(i), 164.316 |
10.g | Key management shall be in place to support the organization's use of cryptographic techniques | PR.DS-1, PR.DS-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.308(b)(2), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
10.h | There shall be procedures in place to control the installation of software on operational systems | PR.DS-7, PR.IP-1, PR.IP-3 | 164.308 (Administrative safeguards) | 164.308(a)(4), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(8) |
10.i | Test data shall be selected carefully, and protected and controlled in nonproduction environments | PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.DS-1, PR.PT-1, PR.PT-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(b)(1), 164.308(b)(3), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.312(e)(1), 164.312(e)(2)(ii), 164.314(b)(2)(i) |
10.j | Access to program source code shall be restricted | PR.DS-5, PR.PT-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards) | 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(e) |
10.k | The implementation of changes, including patches, service packs, and other updates and modifications, shall be controlled by the use of formal change control procedures | ID.AM-6, ID.RA-4, ID.RA-5, PR.AT-3, PR.DS-8, PR.IP-1, PR.IP-2, PR.IP-3, PR.PT-3, DE.CM-1, DE.CM-7 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6), 164.308(a)(7)(i), 164.308(a)(7)(ii), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.308(b)(1), 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.312(e)(2)(i), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.314(b)(2)(i), 164.316(a) |
10.l | Outsourced software development shall be supervised and monitored by the organization | ID.BE-1, ID.RA-3, PR.AT-3, PR.IP-2, DE.CM-4, DE.CM-6 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(4)(ii), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(iii), 164.312(a)(1), 164.312(c), 164.312(e), 164.314, 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii), 164.316 |
10.m | Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk | ID.AM-6, ID.RA-1, ID.RA-2, ID.RA-4, ID.RA-5, ID.RA-6, PR.IP-12, PR.PT-1, PR.PT-3, DE.CM-8, RS.AN-5, RS.CO-3, RS.MI-3 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6), 164.308(a)(6)(ii), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b)(1), 164.310(a)(1), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(b), 164.310(c), 164.310(d)(2)(iii), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv), 164.312(b), 164.314, 164.314(a)(2)(i)(C), 164.314(b)(2)(iv), 164.316(a), 164.316(b)(2)(iii) |
11.a | Information security events shall be reported through appropriate communications channels as quickly as possible. All employees, contractors and third-party users shall be made aware of their responsibility to report any information security events as quickly as possible | ID.GV-3, PR.AT-5, PR.IP-7, PR.IP-9, PR.IP-11, DE.CM-1, DE.DP-4, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-5, RS.RP-1 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements), 164.530 (Administrative requirements) | 164.306, 164.306(e), 164.308, 164.308(a)(1)(ii)(C), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(3)(i), 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(5)(ii)(D), 164.308(a)(6), 164.308(a)(6)(i), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.310, 164.310(a)(2)(i), 164.312, 164.312(a)(2)(ii), 164.312(b), 164.312(e)(2)(i), 164.314, 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 164.316, 164.316(b)(2)(iii), 164.530(b)(1) |
11.b | All employees, contractors, and third-party users of information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services | ID.RA-1, PR.AT-1, RS.CO-2 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(5), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(1), 164.312(a)(1), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 164.316(b)(2)(iii) |
11.c | Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents | ID.GV-3, PR.AT-1, PR.IP-9, PR.IP-10, DE.AE-3, RS.AN-3, RS.AN-4, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.CO-5, RS.IM-1, RS.IM-2, RS.MI-1, RS.MI-2, RS.RP-1, RC.CO-1, RC.CO-2 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(5), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6), 164.308(a)(6)(i), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.310, 164.310(a)(2)(i), 164.310(d)(2)(iii), 164.312, 164.312(a)(2)(ii), 164.312(b), 164.314, 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 164.316, 164.316(b)(2)(iii) |
11.d | There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored | ID.AM-6, DE.AE-1, DE.AE-2, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.CO-3, RS.CO-4, RS.IM-1, RS.IM-2, RS.MI-1, RS.MI-2, RS.RP-1, RC.CO-1, RC.CO-3, RC.IM-1, RC.IM-2, RC.RP-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(6)(i), 164.308(a)(1)(i), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6), 164.308(a)(6)(i), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b)(1), 164.310(a)(2)(i), 164.312(a)(2)(ii), 164.312(b), 164.314, 164.314(a)(2)(i)(C), 164.316(b)(2)(iii) |
11.e | Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented in support of potential legal action in accordance with the rules for evidence in the relevant jurisdiction(s) | ID.GV-3, PR.IP-11, RS.AN-3 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.308, 164.308(a)(1)(ii)(C), 164.308(a)(3), 164.308(a)(6), 164.310, 164.312, 164.314, 164.316 |
12.a | A managed program and process shall be developed and maintained for business continuity throughout the organization that addresses the information security requirements needed for the organization's business continuity | ID.AM-5, ID.AM-6, ID.BE-5, PR.IP-9, PR.IP-11, PR.PT-5, DE.AE-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(C), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(6), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b)(1), 164.310(a)(2)(i), 164.312(a)(2)(ii), 164.314, 164.314(b)(2)(i) |
12.b | Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security | ID.BE-2, ID.BE-4, ID.BE-5, ID.RA-1, ID.RA-2, ID.RA-3, ID.RA-4, ID.RA-5, ID.RM-3, PR.IP-9, PR.PT-5, DE.AE-4 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(4)(ii), 164.308(a)(5)(ii)(A), 164.308(a)(6), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(iii), 164.312(a)(1), 164.312(a)(2)(ii), 164.312(c), 164.312(e), 164.314, 164.314(a)(1), 164.314(b)(2)(i), 164.316, 164.316(a), 164.316(b)(2)(iii) |
12.c | Plans shall be developed and implemented to maintain or restore operations and ensure availability of information, at the required level and in the required time scales, following interruption to, or failure of, critical business processes | ID.AM-5, ID.AM-6, ID.BE-4, ID.BE-5, PR.AT-1, PR.DS-1, PR.DS-4, PR.IP-9, PR.PT-5, RS.CO-1, RS.CO-4, RC.CO-3, RC.RP-1 | 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements) | 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5), 164.308(a)(6), 164.308(a)(6)(i), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b)(1), 164.310(a)(2)(i), 164.310(d), 164.310(d)(2)(iv), 164.312(a)(1), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.312(d), 164.314, 164.314(a)(1), 164.314(a)(2)(i)(C), 164.314(b)(2)(i) |
12.d | A single framework of business continuity plans shall be maintained to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance | ID.AM-5, ID.AM-6, ID.BE-5, PR.AT-1, PR.IP-7, PR.IP-9, PR.PT-5, DE.AE-5, RS.CO-1 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306(e), 164.308(a)(1)(ii)(B), 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5), 164.308(a)(6), 164.308(a)(6)(i), 164.308(a)(6)(ii), 164.308(a)(7), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.308(b)(1), 164.310(a)(2)(i), 164.312(a)(2)(ii), 164.314, 164.314(b)(2)(i), 164.316(b)(2)(iii) |
12.e | Business continuity plans shall be tested and updated regularly, at a minimum annually, to ensure that they are up to date and effective | ID.AM-6, ID.GV-3, ID.SC-5, PR.IP-7, PR.IP-9, PR.IP-10, RS.CO-1, RC.IM-1, RC.IM-2 | 164.306 (Security standards: General rules), 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), 164.316 (Policies and procedures and documentation requirements) | 164.306, 164.306(e), 164.308, 164.308(a)(2), 164.308(a)(3), 164.308(a)(4), 164.308(a)(6), 164.308(a)(6)(i), 164.308(a)(7), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(D), 164.308(a)(8), 164.308(b)(1), 164.310, 164.310(a)(2)(i), 164.312, 164.312(a)(2)(ii), 164.314, 164.316, 164.316(b)(2)(iii) |
13.a | Data subjects have a right to adequate and easily accessible notice of the use and disclosures of their PII that may be made by the PII controller, and of the data subject's rights and the controller's legal duties with respect to PII | No mapping | No mapping | |
13.b | To provide data subjects with clear and easily accessible information about the PII controller's policies, procedures and practices with respect to the handling of PII | No mapping | No mapping | |
13.c | To ensure that disclosures of PII, especially to third parties, are recorded. To ensure the PII processor notifies the PII controller of any legally binding requests for disclosure of PII. Provisions for the use of subcontractors to process PII should be specified in the contract between the PII processor and the PII controller | No mapping | No mapping | |
13.d | To make data subjects active participants in the decision-making process regarding the processing of their PII, except as otherwise limited by legislation and regulations, through the exercise of meaningful, informed and freely given consent | No mapping | No mapping | |
13.e | To present to data subjects, where appropriate and feasible, the choice not to allow the processing of their PII, to refuse or withdraw consent or to oppose a specific type of processing, and to explain to data subjects the implications of granting or refusing consent | No mapping | No mapping | |
13.f | To give data subjects the ability to access and review their PII and to challenge its accuracy and completeness | No mapping | No mapping | |
13.g | To ensure that the purpose(s) for processing PII complies with applicable laws and relies on a permissible legal ground | No mapping | No mapping | |
13.h | To specify the purposes for which PII are collected no later than at the time of PII collection where feasible and limit the subsequent use to the fulfillment of original purposes | No mapping | No mapping | |
13.i | To limit the collection of PII to that which is within the boundaries of applicable law and strictly necessary for the specified purpose(s) | No mapping | No mapping | |
13.j | To minimize the PII which is processed to what is strictly necessary for the legitimate interest pursued by the PII controller and to limit the disclosure of PII to a minimum number of internal and external parties | No mapping | No mapping | |
13.k | To limit the use and disclosure of PII for specific, explicit and legitimate purposes and to fulfill the stated purpose(s) or to abide by applicable laws | No mapping | No mapping | |
13.l | To retain PII no longer than necessary to fulfill the stated purpose(s) or to abide by applicable laws | No mapping | No mapping | |
13.m | To ensure that the PII processed is accurate, complete, up-to-date, adequate and relevant for the purpose of use | No mapping | No mapping | |
13.n | To provide any amendment, correction or removal to PII processors and third parties to whom personal data had been disclosed | No mapping | No mapping | |
13.o | To set up efficient internal complaint handling and redress procedures for use by data subjects | No mapping | No mapping | |
13.p | To establish efficient governance for PII processing | No mapping | No mapping | |
13.q | To establish a privacy impact assessment process and to perform a privacy impact assessment as necessary | No mapping | No mapping | |
13.r | To ensure, through contractual or other means, that third party recipients provide at least equivalent levels of PII protection | No mapping | No mapping | |
13.s | To monitor and audit PII protection controls and the effectiveness of internal PII protection policy | No mapping | No mapping | |
13.t | To provide suitable training and awareness concerning PII protection for the personnel of the PII controller who will have access to PII | No mapping | No mapping | |
13.u | To develop, disseminate and update PII protection reports | No mapping | No mapping | |