AC · Access Control 17
AC-1
Policy and Procedures
a. Develop, document, and disseminate to: organizational personnel with access control responsibilities 1. Agency-level access control policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
ADHICSCIS ControlsHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIASAMA CSFUAE IAPCI DSS 4.0.1
AC-2
Account Management
a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
AC-3
Access Enforcement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AC-4
Information Flow Enforcement
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCDORAHIPAA Security RuleNIS2SAMA CSF
AC-5
Separation of Duties
a. Identify and document separation of duties based on specific duties, operations, or information systems, as necessary, to mitigate risk to CJI; and b. Define system access authorizations to support separation of duties.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AC-6
Least Privilege
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCCDORA
AC-7
Unsuccessful Logon Attempts
a. Enforce a limit of five (5) consecutive invalid logon attempts by a user during a 15-minute time period; and30F30F30F b. Automatically lock the account or node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AC-8
System Use Notification
a. Display a system use notification message to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that: 1. Users are accessing a restricted information system; 2. System usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and 4. Use of the system indicates consent to monitoring and recording; b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and c. For publicly accessible systems: 1. Display system use information consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines, before granting further access to the publicly accessible system; 2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Include a description of the authorized uses of the system.
AC-11
Device Lock
a. Prevent further access to the system by initiating a device lock after a maximum of 30 minutes of inactivity and requiring the user to initiate a device lock before leaving the system unattended. NOTE: In the interest of safety, devices that are: (1) part of a criminal justice conveyance; or (2) used to perform dispatch functions and located within a physically secure location; or (3) terminals designated solely for the purpose of receiving alert notifications (i.e., receive only terminals or ROT) used within physically secure location facilities that remain staffed when in operation, are exempt from this requirement. b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AC-12
Session Termination
Automatically terminate a user session after a user has been logged out.
AC-14
Permitted Actions Without Identification or Authentication
a. Identify any specific user actions that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
AC-17
Remote Access
Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRCyber EssentialsCyber Essentials Plus
AC-18
Wireless Access
a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and b. Authorize each type of wireless access to the system prior to allowing such connections.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AC-19
Access Control for Mobile Devices
a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and b. Authorize the connection of mobile devices to organizational systems.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRDORANCA CCC
AC-20
Use of External Systems
a. Establish agency-level policies governing the use of external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1. Access the system from external systems; and 2. Process, store, or transmit organization-controlled information using external systems; or b. Prohibit the use of personally-owned information systems including mobile devices (i.e., bring your own device [BYOD]) and publicly accessible systems for accessing, processing, storing, or transmitting CJI. 33F33F33F
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AC-21
Information Sharing
a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for as defined in an executed information exchange agreement; and b. Employ attribute-based access control (see AC-2(d)(3)) or manual processes as defined in information exchange agreements to assist users in making information sharing and collaboration decisions.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
AC-22
Publicly Accessible Content
a. Designate individuals authorized to make information publicly accessible; b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d. Review the content on the publicly accessible system for nonpublic information quarterly and remove such information, if discovered.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPR
AT · Awareness and Training 4
AT-1
Policy and Procedures
a. Develop, document, and disseminate to all personnel when their unescorted logical or physical access to any information system results in the ability, right, or privilege to view, modify, or make use of unencrypted CJI: 1. Organization-level awareness and training policy that: a. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls; b. Designate organizational personnel with information security awareness and training responsibilities to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and c. Review and update the current awareness and training: 1. Policy annually and following changes in the information system operating environment, when security incidents occur, or when changes to the CJIS Security Policy are made; and 2. Procedures annually and following changes in the information system operating environment, when security incidents occur, or when changes to the CJIS Security Policy are made.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPR
AT-2
Literacy Training and Awareness
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. As part of initial training for new users prior to accessing CJI and annually thereafter; and 2. When required by system changes or within 30 days of any security event for individuals involved in the event; b. Employ one or more of the following techniques to increase the security and privacy awareness of system users: 1. Displaying posters 2. Offering supplies inscribed with security and privacy reminders 3. Displaying logon screen messages 4. Generating email advisories or notices from organizational officials 5. Conducting awareness events c. Update literacy training and awareness content annually and following changes in the information system operating environment, when security incidents occur, or when changes are made in the CJIS Security Policy; and d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPR
AT-3
Role-based Training
g. Audit Monitoring, Analysis, and Reporting h. Access Enforcement i. Least Privilege j. System Access Control k. Access Control Criteria l. System Use Notification m. Session Lock n. Personally Owned Information Systems o. Password p. Access Control
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPRPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021NCA CCCDORACyber EssentialsCyber Essentials Plus
AT-4
Training Records
a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Retain individual training records for a minimum of three years.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPR
AU · Audit and Accountability 11
AU-1
Policy and Procedures
2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AU-2
Event Logging
4. Actions by privileged accounts (i.e., root, Oracle, DBA, admin, etc.)
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCDORAHIPAA Security RuleNIS2SAMA CSF
AU-3
Content of Audit Records
Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AU-4
Audit Log Storage Capacity
Allocate audit log storage capacity to accommodate the collection of audit logs to meet retention requirements (AU-11).
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AU-5
Response to Audit Logging Process Failures
a. Alert organizational personnel with audit and accountability responsibilities and system/network administrators within one (1) hour in the event of an audit logging process failure; and b. Take the following additional actions: restart all audit logging processes and verify system(s) are logging properly.
AU-6
Audit Record Review, Analysis, and Reporting
a. Review and analyze system audit records weekly for indications of inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity; b. Report findings to organizational personnel with audit review, analysis, and reporting responsibilities and organizational personnel with information security and privacy responsibilities; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AU-7
Audit Record Reduction and Report Generation
Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after- the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AU-8
Time Stamps
a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AU-9
Protection of Audit Information
a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert organizational personnel with audit and accountability responsibilities, organizational personnel with information security and privacy responsibilities, and system/network administrators upon detection of unauthorized access, modification, or deletion of audit information.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
AU-11
Audit Record Retention
Retain audit records for a minimum of one (1) year or until it is determined they are no longer needed for administrative, legal, audit, or other operational purposes to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCDORAHIPAA Security RuleNIS2SAMA CSF
AU-12
Audit Record Generation
a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on all systems generating required audit logs; b. Allow organizational personnel with audit record generation responsibilities, organizational personnel with information security and privacy responsibilities, and system/network administrators to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCDORAHIPAA Security RuleNIS2SAMA CSF
CA · Assessment, Authorization, and Monitoring 7
CA-1
Policy and Procedures
a. Develop, document, and disseminate to organizational personnel with assessment, authorization, and monitoring policy responsibilities: 1. An assessment, authorization, and monitoring policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls; b. Designate organizational personnel with information security responsibilities to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and c. Review and update the current assessment, authorization, and monitoring: 1. Policy annually and following changes to the assessment criteria and 2. Procedures annually and following changes to the assessment criteria.
CA-2
Control Assessments
a. Select the appropriate assessor or assessment team for the type of assessment to be conducted; b. Develop a control assessment plan that describes the scope of the assessment including: 1. Controls and control enhancements under assessment; 2. Assessment procedures to be used to determine control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; d. Assess the controls in the system and its environment of operation and any controls that have been impacted by evolving threats at least once every three years to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; e. Produce a control assessment report that documents the results of the assessment; and f. Provide the results of the control assessment report to the individual who executed the CJIS User Agreement or is in contract with the FBI.
CA-3
Information Exchange
a. Approve and manage the exchange of information between the agency system and external systems using the following agreements when applicable; 1. Executed CJIS User Agreements a. Each CSA, SIB, or IA shall execute a signed written agreement (see Appendix D.1) with the FBI CJIS Division stating their willingness to demonstrate conformity with the CJISSECPOL before accessing and consuming CJIS systems and services as set forth in the agreement. b. The agreement shall include the standards, audit, and sanctions governing utilization of CJIS systems and services. c. The FBI CJIS Division is authorized to periodically test the ability to penetrate the FBI’s network through the external connection or system upon proper notification of all signatories in the user agreement. 2. Criminal Justice Agency User Agreements a. Any CJA receiving access to CJI shall enter into a signed written agreement with the appropriate signatory authority of the CSA providing the access. b. The written agreement shall specify the FBI CJIS systems and services to which the agency will have access, and the FBI CJIS Division policies to which the agency must adhere. These agreements shall include: i. Audit ii. Dissemination iii. Hit confirmation iv. Logging v. Quality Assurance (QA) vi. Screening (Criminal Justice Employment) vii. Security viii. Timeliness ix. Training x. Use of the system xi. Validation
CA-5
Plan of Action and Milestones
a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and b. Update existing plan of action and milestones at least every six (6) months or when new information is available based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
CA-6
Authorization
a. Assign a senior official as the responsible official for the system; b. Assign the CSO, SIB Chief, or IA Official as the authorizing official for common controls available for inheritance by organizational systems; c. Ensure that the authorizing official for the system, before commencing operations: 1. Accepts the use of common controls inherited by the system; and 2. Authorizes the system to operate; d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; e. Update the authorizations at least every three (3) years.
CA-7
Continuous Monitoring
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CA-9
Internal System Connections
a. Authorize internal connections of components with the capability to process, store, or transmit CJI to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections when no longer required or authorized; and d. Review at least annually the continued need for each internal connection.
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCCyber EssentialsCyber Essentials PlusHIPAA Security RuleNIS2SAMA CSF
CM · Configuration Management 12
CM-1
Policy and Procedures
2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CM-2
Baseline Configuration
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system;
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CM-3
Configuration Change Control
a. Determine and document the types of changes to the system that are configuration-controlled; b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c. Document configuration change decisions associated with the system; d. Implement approved configuration-controlled changes to the system; e. Retain records of configuration-controlled changes to the system for two (2) years; f. Monitor and review activities associated with configuration-controlled changes to the system; and g. Coordinate and provide oversight for configuration change control activities through personnel with configuration management responsibilities, a Configuration Control Board, or Change Advisory Board that convenes regularly or when hardware or software changes (i.e., updates, upgrades, replacements, etc.) to the information system are required.
CM-4
Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
CM-5
Access Restrictions for Change
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
CM-6
Configuration Settings
a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]; b. Implement the configuration settings;
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CM-7
Least Functionality
a. Configure the system to provide only essential capabilities to meet operational requirements; and b. Prohibit or restrict the use of specified functions, ports, protocols, software, and/or services which are not required.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CM-8
System Component Inventory
a. Develop and document an inventory of system components that: 1. Accurately reflects the system 2. Includes all components within the system
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CM-9
Configuration Management Plan
Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by organizational personnel with information security responsibilities and organizational personnel with configuration management responsibilities; and e. Protects the configuration management plan from unauthorized disclosure and modification.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CM-10
Software Usage Restrictions
a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CM-11
User-installed Software
a. Establish agency-level policies governing the installation of software by users; b. Enforce software installation policies through automated methods; and c. Monitor policy compliance through automated methods at least weekly.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CM-12
Information Location
a. Identify and document the location of CJI and the specific system components on which the information is processed, stored, or transmitted; b. Identify and document the users who have access to the system and system components where the information is processed and stored; and c. Document changes to the location (i.e., system or system components) where the information is processed and stored.
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCCDORAHIPAA Security RuleNIS2SAMA CSF
CP · Contingency Planning 8
CP-2
Contingency Plan
a. Develop, document, and disseminate to organizational personnel with contingency planning responsibilities: 1. Agency-level contingency planning policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate organizational personnel with information security responsibilities to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI, or training simulations or exercises; and 2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI, or training simulations or exercises.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIAUAE IAUK GDPR
CP-3
Contingency Training
a. Provide contingency training to system users consistent with assigned roles and responsibilities: 1. Within thirty (30) days of assuming a contingency role or responsibility; 2. When required by system changes; and 3. Annually thereafter; and b. Review and update contingency training content annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI, or training simulations or exercises.
CP-4
Contingency Plan Testing
a. Test the contingency plan for the system annually using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), or comprehensive exercises.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIAUAE IAUK GDPR
CP-6
Alternate Storage Site
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIAUAE IAUK GDPR
CP-7
Alternate Processing Site
a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of operations for essential mission and business functions within the time period defined in the system contingency plan(s) when the primary processing capabilities are unavailable; b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and c. Provide controls at the alternate processing site that are equivalent to those at the primary site.
CP-8
Telecommunications Services
Establish alternate telecommunications services, including necessary agreements to permit the resumption of system operations for essential mission and business functions within the time period as defined in the system contingency plan(s) when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CP-9
System Backup
a. Conduct backups of user-level information contained in operational systems for essential business functions as required by the contingency plans; b. Conduct backups of system-level information contained in the system as required by the contingency plans; c. Conduct backups of system documentation, including security- and privacy-related documentation as required by the contingency plans; and
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIAUAE IAUK GDPRPCI DSS 4.0.1SAMA CSF
CP-10
System Recovery and Reconstitution
Provide for the recovery and reconstitution of the system to a known state within the timeframe as required by the contingency plans after a disruption, compromise, or failure.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIAUAE IAUK GDPR
IA · Identification and Authentication 10
IA-1
Policy and Procedures
a. Develop, document, and disseminate to authorized personnel: 1. Agency/Entity identification and authentication policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; b. Designate an individual with security responsibilities to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and c. Review and update the current identification and authentication: 1. Policy annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and 2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
IA-2
Identification and Authentication (organizational Users)
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusHIPAA Security RuleNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIA
IA-3
Device Identification and Authentication
Uniquely identify and authenticate agency-managed devices before establishing network connections. In the instance of local connection, the device must be approved by the agency and the device must be identified and authenticated prior to connection to an agency asset.
IA-4
Identifier Management
Manage system identifiers by: a. Receiving authorization from organizational personnel with identifier management responsibilities to assign an individual, group, role, service, or device identifier; b. Selecting an identifier that identifies an individual, group, role, service, or device; c. Assigning the identifier to the intended individual, group, role, service, or device; and d. Preventing reuse of identifiers for one (1) year.41F41F41F
ADHICSCIS ControlsHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIASAMA CSFUAE IAPCI DSS 4.0.1
IA-5
Authenticator Management
g. Protecting authenticator content from unauthorized disclosure and modification;
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRCyber EssentialsCyber Essentials PlusDORA
IA-6
Authentication Feedback
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
IA-7
Cryptographic Module Authentication
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
IA-8
Identification and Authentication (non-organizational Users)
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRDORANCA CCC
IA-11
Re-authentication
Require users to re-authenticate when: roles, authenticators, or credentials change, security categories of systems change, the execution of privileged functions occur, or every 12 hours.
IR · Incident Response 8
IR-1
Policy and Procedures
Designate an individual with security responsibilities to manage the development, documentation, and dissemination of the incident response policy and procedures;
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
IR-2
Incident Response Training
a. Provide incident response training to system users consistent with assigned roles and responsibilities: 1. Prior to assuming an incident response role or responsibility or acquiring system access; 2. When required by system changes; and 3. Annually thereafter; and b. Review and update incident response training content annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI. 5F5F5F
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPRDORAPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021NCA CCC
IR-3
Incident Response Testing
Test the effectiveness of the incident response capability for the system annually using the following tests: tabletop or walk-through exercises; simulations; or other agency-appropriate tests.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
IR-4
Incident Handling
c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly;
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
IR-5
Incident Monitoring
Track and document incidents.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
IR-6
Incident Reporting
a. Require personnel to report suspected incidents to the organizational incident response capability immediately but not to exceed one (1) hour after discovery; and b. Report incident information to organizational personnel with incident handling responsibilities, and if confirmed, notify the CSO, SIB Chief, or Interface Agency Official.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
IR-7
Incident Response Assistance
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
IR-8
Incident Response Plan
10. Explicitly designates responsibility for incident response to organizational personnel with incident reporting responsibilities and CSO or CJIS WAN Official.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
MA · Maintenance 6
MA-1
Policy and Procedures
a. Develop, document, and disseminate to organizational personnel with system maintenance responsibilities: 1. Agency-level maintenance policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls; b. Designate an individual with security responsibilities to manage the development, documentation, and dissemination of the maintenance policy and procedures; and c. Review and update the current maintenance: 1. Policy annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and 2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
MA-2
Controlled Maintenance
a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location; c. Require that organizational personnel with information security and privacy responsibilities explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement; d. Sanitize equipment to remove information from associated media prior to removal from organizational facilities for off-site maintenance, repair, replacement, or destruction; e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and f. Include the following information in organizational maintenance records: 1. Component name 2. Component serial number 3. Date/time of maintenance 4. Maintenance performed 5. Name(s) of entity performing maintenance including escort if required.
MA-3
Maintenance Tools
a. Approve, control, and monitor the use of system maintenance tools; and b. Review previously approved system maintenance tools prior to each use.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
MA-4
Nonlocal Maintenance
a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed.
MA-5
Maintenance Personnel
a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
MA-6
Timely Maintenance
Obtain maintenance support and/or spare parts for critical system components that process, store, and transmit CJI within agency-defined recovery time and recovery point objectives of failure.
MP · Media Protection 6
MP-1
Policy and Procedures
a. Develop, document, and disseminate to authorized individuals: 1. Agency-level media protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among agency entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls; b. Designate an individual with security responsibilities to manage the development, documentation, and dissemination of the media protection policy and procedures; and c. Review and update the current media protection: 82F82F82F 1. Policy at least annually and following any security incidents involving digital and/or non-digital media; and 2. Procedures at least annually and following any security incidents involving digital and/or non-digital media.
MP-2
Media Access
Restrict access to digital and non-digital media to authorized individuals.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
MP-4
Media Storage
a. Physically control and securely store digital and non-digital media within physically secure locations or controlled areas and encrypt CJI on digital media when physical and personnel restrictions are not feasible; and b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5
Media Transport
a. Protect and control digital and non-digital media to help prevent compromise of the data during transport outside of the physically secure locations or controlled areas using encryption, as defined in SC-13 and SC-28 of this Policy. Physical media will be protected at the same level as the information would be protected in electronic form. Restrict the activities associated with transport of electronic and physical media to authorized personnel;
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
MP-6
Media Sanitization
Sanitize or destroy digital and non-digital media prior to disposal, release out of agency control, or release for reuse using overwrite technology at least three times or degauss digital media prior to disposal or release for reuse by unauthorized individuals. Inoperable digital media will be destroyed (cut up, shredded, etc.). Physical media will be securely disposed of when no longer needed for investigative or security purposes, whichever is later. Physical media will be destroyed by crosscut shredding or incineration; and b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCC
MP-7
Media Use
a. Restrict the use of digital and non-digital media on agency owned systems that have been approved for use in the storage, processing, or transmission of criminal justice information by using technical, physical, or administrative controls (examples below);
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
PE · Physical and Environmental Protection 16
PE-1
Policy and Procedures
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] physical and environmental protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and c. Review and update the current physical and environmental protection: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
PE-2
Physical Access Authorizations
a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; b. Issue authorization credentials for facility access; c. Review the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Remove individuals from the facility access list when access is no longer required.
PE-3
Physical Access Control
a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by: 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress and egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems or devices]; guards]; b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points]; c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: [Assignment: organization-defined physical access controls]; d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity]; e. Secure keys, combinations, and other physical access devices; f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
PE-4
Access Control for Transmission
Control physical access to [Assignment: organization-defined system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security controls].
PE-5
Access Control for Output Devices
Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output.
PE-6
Monitoring Physical Access
a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinate results of reviews and investigations with the organizational incident response capability.
PE-8
Visitor Access Records
a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period]; b. Review visitor access records [Assignment: organization-defined frequency]; and c. Report anomalies in visitor access records to [Assignment: organization-defined personnel].
PE-9
Power Equipment and Cabling
Protect power equipment and power cabling for the system from damage and destruction.
PE-10
Emergency Shutoff
a. Provide the capability of shutting off power to [Assignment: organization-defined system or individual system components] in emergency situations; b. Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system component] to facilitate access for authorized personnel; and c. Protect emergency power shutoff capability from unauthorized activation.
PE-11
Emergency Power
Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss.
PE-12
Emergency Lighting
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-13
Fire Protection
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
PE-14
Environmental Controls
a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined environmental control]] levels within the facility where the system resides at [Assignment: organization-defined acceptable levels]; and b. Monitor environmental control levels [Assignment: organization-defined frequency].
PE-15
Water Damage Protection
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
PE-16
Delivery and Removal
a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the facility; and b. Maintain records of the system components.
PE-17
Alternate Work Site
a. Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employees; b. Employ the following controls at alternate work sites: [Assignment: organization-defined controls]; c. Assess the effectiveness of controls at alternate work sites; and d. Provide a means for employees to communicate with information security and privacy personnel in case of incidents.
PL · Planning 7
PL-1
Policy and Procedures
a. Develop, document, and disseminate to organizational personnel with planning responsibilities: 1. Agency-level planning policy that: (c) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (d) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the planning policy and the associated planning controls; b. Designate organizational personnel with information security and privacy responsibilities to manage the development, documentation, and dissemination of the planning policy and procedures; and c. Review and update the current planning: 1. Policy annually and following; any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI and 2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
PL-2
System Security and Privacy Plans
a. Develop security and privacy plans for the system that: 1. Are consistent with the organization’s enterprise architecture; 2. Explicitly define the constituent system components; 3. Describe the operational context of the system in terms of mission and business processes; 4. Identify the individuals that fulfill system roles and responsibilities; 5. Identify the information types processed, stored, and transmitted by the system; 6. Provide the security categorization of the system, including supporting rationale; 7. Describe any specific threats to the system that are of concern to the organization; 8. Provide the results of a privacy risk assessment for systems processing personally identifiable information; 9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components; 10. Provide an overview of the security and privacy requirements for the system; 11. Identify any relevant control baselines or overlays, if applicable; 12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions; 13. Include risk determinations for security and privacy architecture and design decisions; 14. Include security- and privacy-related activities affecting the system that require planning and coordination with organizational personnel with system security and privacy planning and plan implementation responsibilities; system developers; organizational personnel with information security and privacy responsibilities; and 15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
PL-4
Rules of Behavior
a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; c. Review and update the rules of behavior at least annually; and d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge annually, or when the rules are revised or updated.
PL-8
Security and Privacy Architectures
a. Develop security and privacy architectures for the system that: 1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; 2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; 3. Describe how the architectures are integrated into and support the enterprise architecture; and 4. Describe any assumptions about, and dependencies on, external systems and services; b. Review and update the architectures at least annually or when changes to the system or its environment occur to reflect changes in the enterprise architecture; and c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRDORANCA CCC
PL-9
Central Management
The CJISSECPOL is centrally managed by the FBI CJIS ISO.
PL-10
Baseline Selection
Select a control baseline for the system.
PL-11
Baseline Tailoring
Tailor the selected control baseline by applying specified tailoring actions
PS · Personnel Security 8
PS-1
Policy and Procedures
a. Develop, document, and disseminate to organizational personnel with personnel security responsibilities: 1. Agency-level personnel security policy that: a. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls; b. Designate organizational personnel with information security responsibilities to manage the development, documentation, and dissemination of the personnel security policy and procedures; and c. Review and update the current personnel security: 1. Policy annually and following assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures annually and following assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
PS-2
Position Risk Designation
a. Assign a risk designation to all organizational positions; b. Establish screening criteria for individuals filling those positions; and c. Review and update position risk designations as required.
PS-3
Personnel Screening
a. Screen individuals prior to authorizing access to the information system;
PS-4
Personnel Termination
Upon termination of individual employment: a. Disable system access within twenty-four (24) hours; b. Terminate or revoke any authenticators and credentials associated with the individual; c. Conduct exit interviews that include a discussion of non-disclosure of CJI and PII; d. Retrieve all security-related organizational system-related property; and e. Retain access to organizational information and systems formerly controlled by terminated individual.
ADHICSCIS ControlsHIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFQatar NIASAMA CSFUAE IAPCI DSS 4.0.1
PS-6
Access Agreements
a. Develop and document access agreements for organizational systems; b. Review and update the access agreements at least annually; and c. Verify that individuals requiring access to organizational information and systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or when signatories change.
PS-7
External Personnel Security
a. Establish personnel security requirements, including security roles and responsibilities for external providers; b. Require external providers to comply with personnel security policies and procedures established by the organization; c. Document personnel security requirements; d. Require external providers to notify organizational personnel with information security responsibilities, organizational personnel with personnel security responsibilities, system/network administrators, or organizational personnel with account management responsibilities of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within twenty-four (24) hours; and e. Monitor provider compliance with personnel security requirements.
PS-8
Personnel Sanctions
a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b. Notify organizational personnel with information security responsibilities, organizational personnel with personnel security responsibilities, system/network administrators, or organizational personnel with account management responsibilities within twenty-four (24) hours when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
PS-9
Position Descriptions
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
RA · Risk Assessment 6
RA-1
Policy and Procedures
a. Develop, document, and disseminate to organizational personnel with risk assessment responsibilities: 1. Agency Level risk assessment policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls; b. Designate organizational personnel with security and privacy responsibilities to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and c. Review and update the current risk assessment: 1. Policy annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and 2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
RA-2
Security Categorization
a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the system; and c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCC
RA-3
Risk Assessment
a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system; 2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and 3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments; c. Document risk assessment results in a risk assessment report; d. Review risk assessment results at least quarterly; e. Disseminate risk assessment results to organizational personnel with risk assessment responsibilities and organizational personnel with security and privacy responsibilities; and f. Update the risk assessment at least quarterly or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
RA-5
Vulnerability Monitoring and Scanning
a. Monitor and scan for vulnerabilities in the system and hosted applications at least monthly and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring;
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAGDPR (EU)HIPAA Security RulePDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021UK GDPR
RA-7
Risk Response
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IA
RA-9
Criticality Analysis
Identify critical system components and functions by performing a criticality analysis for information system components containing or processing CJI at the planning, design, development, testing, implementation, and maintenance stages of the system development life cycle.
SA · System and Services Acquisition 11
SA-1
Policy and Procedures
a. Develop, document, and disseminate to: organizational personnel with system and services acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities: 1. Agency/Entity information systems and services acquisition policy for systems used to process, store, or transmit CJI that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls; b. Designate organizational personnel with information security responsibilities and organizational personnel with system and services acquisition responsibilities to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and c. Review and update the current system and services acquisition: 1. Policy following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and 2. Procedures following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
SA-2
Allocation of Resources
a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process;
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
SA-3
System Development Life Cycle
a. Acquire, develop, and manage the system using an agency documented system development lifecycle process that incorporates information security and privacy considerations; b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle; c. Identify individuals having information security and privacy roles and responsibilities; and d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPRCyber EssentialsCyber Essentials PlusDORANCA CCCPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021
SA-4
Acquisition Process
Include the following requirements, descriptions, and criteria, explicitly or by reference, using agency defined contract language in the acquisition contract for the system, system component, or system service: a. Security and privacy functional requirements; b. Strength of mechanism requirements; c. Security and privacy assurance requirements; d. Controls needed to satisfy the security and privacy requirements. e. Security and privacy documentation requirements; f. Requirements for protecting security and privacy documentation; g. Description of the system development environment and environment in which the system is intended to operate; h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and i. Acceptance criteria.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SA-5
System Documentation
a. Obtain or develop administrator documentation for the system, system component, or system service that describes: 1. Secure configuration, installation, and operation of the system, component, or service; 2. Effective use and maintenance of security and privacy functions and mechanisms; and 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions; b. Obtain or develop user documentation for the system, system component, or system service that describes: 1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; c. Document steps to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent by contacting manufacturers, suppliers, or developers and conducting web-based searches in response; and d. Distribute documentation to organizational personnel with system and services responsibilities.
SA-8
Security and Privacy Engineering Principles
Apply agency documented systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SA-9
External System Services
a. Require that providers of external system services comply with organizational security and privacy requirements and employ system and services acquisition security controls in accordance with the CJISSECPOL including the following agreements when applicable:
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
SA-10
Developer Configuration Management
Require the developer of the system, system component, or system service to: a. Perform configuration management during system, component, or service during design, development, implementation, operation, and disposal; b. Document, manage, and control the integrity of changes to security configuration, network diagrams, and system components (hardware, software, firmware) by implementing access restrictions such as least privilege for changes; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to the individual(s) with information security responsibilities and an individual(s) with system and services acquisition responsibilities.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SA-11
Developer Testing and Evaluation
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform system and regression testing/evaluation at a level of comprehensive testing; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation.
CIS ControlsNCA ECC-2UAE IAADHICSISO 27001NCA CCCPCI DSS 4.0.1Qatar NIASAMA CSF
SA-15
Development Process, Standards, and Tools
a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy security and privacy requirements during design, development, implementation, operation, and disposal.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IAUK GDPRCyber EssentialsCyber Essentials PlusDORANCA CCCPDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021
SA-22
Unsupported System Components
a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or b. Provide the following options for alternative sources for continued support for unsupported components: original manufacturer support, or original contracted vendor support.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SC · System and Communications Protection 18
SC-1
Policy and Procedures
a. Develop, document, and disseminate to organizational personnel with system and communications protection responsibilities: 1. Agency-level system and communications protection policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls; b. Designate organizational personnel with information security responsibilities to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and c. Review and update the current system and communications protection: 1. Policy annually and following any changes and security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and 2. Procedures annually and following any changes and security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
SC-2
Separation of System and User Functionality
Separate user functionality, including user interface services, from system management functionality.
SC-4
Information in Shared System Resources
Prevent unauthorized and unintended information transfer via shared system resources.
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCC
SC-5
Denial-of-service Protection
a. Protect against or limit the effects of the following types of denial-of-service events: distributed denial of service, DNS Denial of Service, etc.; and b. Employ the following controls to achieve the denial-of-service objective: boundary protection devices and intrusion detection or prevention devices.
SC-7
Boundary Protection
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1Qatar NIAUAE IAISO 27001GDPR (EU)HIPAA Security RuleNIS2PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021SAMA CSFUK GDPR
SC-8
Transmission Confidentiality and Integrity
Protect the confidentiality and integrity of transmitted information. Metadata derived from unencrypted CJI shall be protected in the same manner as CJI and shall not be used for any advertising or other commercial purposes by any cloud service provider or other associated entity.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SC-10
Network Disconnect
Terminate the network connection associated with a communications session at the end of the session or after one (1) hour of inactivity.
SC-12
Cryptographic Key Establishment and Management
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: encryption key generation, distribution, storage, access, and destruction is controlled by the agency.
SC-13
Cryptographic Protection
a. Determine the use of encryption for CJI in-transit when outside a physically secure location; and b. Implement the following types of cryptography required for each specified cryptographic use: cryptographic modules which are Federal Information Processing Standard (FIPS) 140-3 certified, or FIPS validated algorithm for symmetric key encryption and decryption (FIPS 197 [AES]), with a symmetric cipher key of at least 128-bit strength for CJI in-transit.
SC-15
Collaborative Computing Devices and Applications
a. Prohibit remote activation of collaborative computing devices and applications; and b. Provide an explicit indication of use to users physically present at the devices.
SC-17
Public Key Infrastructure Certificates
a. Issue public key certificates under an agency-level certificate authority or obtain public key certificates from an approved service provider; and b. Include only approved trust anchors in trust stores or certificate stores managed by the organization.
SC-18
Mobile Code
a. Define acceptable and unacceptable mobile code and mobile code technologies; and b. Authorize, monitor, and control the use of mobile code within the system.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SC-20
Secure Name/address Resolution Service (authoritative Source)
a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SC-21
Secure Name/address Resolution Service (recursive or Caching Resolver)
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SC-22
Architecture and Provisioning for Name/address Resolution Service
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SC-23
Session Authenticity
Protect the authenticity of communications sessions.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SC-28
Protection of Information at Rest
Protect the confidentiality and integrity of the following information at rest: CJI when outside physically secure locations using cryptographic modules which are certified FIPS 140-3 with a symmetric cipher key of at least 128-bit strength, or FIPS 197 with a symmetric cipher key of at least 256-bit strength.
ADHICSCIS ControlsGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SC-39
Process Isolation
Maintain a separate execution domain for each executing system process.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SI · System and Information Integrity 11
SI-1
Policy and Procedures
a. Develop, document, and disseminate to all organizational personnel with system and information integrity responsibilities and information system owners: 1. Agency-level system and information integrity policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate organizational personnel with system and information integrity responsibilities to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and 2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
SI-2
Flaw Remediation
c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IA
SI-3
Malicious Code Protection
2. Block or quarantine malicious code, take mitigating action(s), and when necessary, implement incident response procedures; and send alert to system/network administrators and/or organizational personnel with information security responsibilities in response to malicious code detection; and118F118F118F
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1Qatar NIAUAE IAISO 27001
SI-4
System Monitoring
a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections;
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SI-5
Security Alerts, Advisories, and Directives
a. Receive system security alerts, advisories, and directives from external source(s) (e.g., CISA, Multi-State Information Sharing & Analysis Center [MS-ISAC], U.S. Computer Emergency Readiness Team [USCERT], hardware/software providers, federal/state advisories, etc.) on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: organizational personnel implementing, operating, maintaining, and using the system; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.
SI-7
Software, Firmware, and Information Integrity
a. Employ integrity verification tools to detect unauthorized changes to software, firmware, and information systems that contain or process CJI; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: notify organizational personnel responsible for software, firmware, and/or information integrity and implement incident response procedures as appropriate.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
SI-8
Spam Protection
a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1Qatar NIAUAE IAISO 27001
SI-10
Information Input Validation
Check the validity of the following information inputs: all inputs to web/application servers, database servers, and any system or application input that might receive or process CJI.
SI-11
Error Handling
a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to organizational personnel with information security responsibilities.
SI-12
Information Management and Retention
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
ADHICSCIS ControlsGDPR (EU)ISO 27001NCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLQatar NIAPDPL – Federal Decree-Law 45/2021UAE IAUK GDPRNCA CCC
SI-16
Memory Protection
Implement the following controls to protect the system memory from unauthorized code execution: data execution prevention and address space layout randomization.
ADHICSCIS ControlsCyber EssentialsCyber Essentials PlusISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1Qatar NIAUAE IA
SR · Supply Chain Risk Management 6
SR-1
Policy and Procedures
a. Develop, document, and disseminate to organizational personnel with supply chain risk management responsibilities: 1. Agency-level supply chain risk management policy that: a. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls; b. Designate organizational personnel with security responsibilities to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and c. Review and update the current supply chain risk management: 1. Policy annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI; and 2. Procedures annually and following any security incidents involving unauthorized access to CJI or systems used to process, store, or transmit CJI.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPRNCA CCC
SR-2
Supply Chain Risk Management Plan
a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: systems used to process, store, or transmit CJI; b. Review and update the supply chain risk management plan annually or as required, to address threat, organizational or environmental changes; and c. Protect the supply chain risk management plan from unauthorized disclosure and modification.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SR-5
ACQUISITION STRATEGIES, TOOLS, AND METHODS
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: use preferred suppliers who can provide attestation or demonstration of compliance with state or federal standards.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SR-8
Notification Agreements
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the notification of supply chain compromises to systems used to process, store, or transmit CJI.
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
SR-10
Inspection of Systems or Components
Inspect the following systems or system components upon initial procurement and periodically as needed to detect tampering: systems used to access, process, store, or transmit CJI.
SR-12
COMPONENT DISPOSAL
Dispose of CJI using the techniques and methods as described in Media Protection (MP).
ADHICSCIS ControlsDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR