compliance controls are associated with this Policy definition 'Document the information system environment in acquisition contracts' (c148208b-1a6f-a4ac-7abc-23b1d41121b1)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SA-10 |
FedRAMP_High_R4_SA-10 |
FedRAMP High SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
| FedRAMP_High_R4 |
SA-4 |
FedRAMP_High_R4_SA-4 |
FedRAMP High SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
| FedRAMP_Moderate_R4 |
SA-10 |
FedRAMP_Moderate_R4_SA-10 |
FedRAMP Moderate SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
| FedRAMP_Moderate_R4 |
SA-4 |
FedRAMP_Moderate_R4_SA-4 |
FedRAMP Moderate SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
| hipaa |
0640.10k2Organizational.1012-10.k |
hipaa-0640.10k2Organizational.1012-10.k |
0640.10k2Organizational.1012-10.k |
06 Configuration Management |
0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. |
|
22 |
| hipaa |
0669.10hCSPSystem.1-10.h |
hipaa-0669.10hCSPSystem.1-10.h |
0669.10hCSPSystem.1-10.h |
06 Configuration Management |
0669.10hCSPSystem.1-10.h 10.04 Security of System Files |
Shared |
n/a |
Open and published APIs are used by cloud service providers to ensure support for interoperability between components and to facilitate migrating applications. |
|
16 |
| hipaa |
0671.10k1System.1-10.k |
hipaa-0671.10k1System.1-10.k |
0671.10k1System.1-10.k |
06 Configuration Management |
0671.10k1System.1-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization manages changes to mobile device operating systems, patch levels, and/or applications through a formal change management process. |
|
16 |
| hipaa |
0791.10b2Organizational.4-10.b |
hipaa-0791.10b2Organizational.4-10.b |
0791.10b2Organizational.4-10.b |
07 Vulnerability Management |
0791.10b2Organizational.4-10.b 10.02 Correct Processing in Applications |
Shared |
n/a |
Procedures, guidelines, and standards for the development of applications are periodically reviewed, assessed, and updated as necessary by the appointed senior-level information security official of the organization. |
|
8 |
| hipaa |
0837.09.n2Organizational.2-09.n |
hipaa-0837.09.n2Organizational.2-09.n |
0837.09.n2Organizational.2-09.n |
08 Network Protection |
0837.09.n2Organizational.2-09.n 09.06 Network Security Management |
Shared |
n/a |
Formal agreements with external information system providers include specific obligations for security and privacy. |
|
20 |
| hipaa |
0888.09n2Organizational.6-09.n |
hipaa-0888.09n2Organizational.6-09.n |
0888.09n2Organizational.6-09.n |
08 Network Protection |
0888.09n2Organizational.6-09.n 09.06 Network Security Management |
Shared |
n/a |
The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. |
|
17 |
| hipaa |
1406.05k1Organizational.110-05.k |
hipaa-1406.05k1Organizational.110-05.k |
1406.05k1Organizational.110-05.k |
14 Third Party Assurance |
1406.05k1Organizational.110-05.k 05.02 External Parties |
Shared |
n/a |
A standard agreement with third-parties is defined and includes the required security controls in accordance with the organization's security policies. |
|
11 |
| hipaa |
1409.09e2System.1-09.e |
hipaa-1409.09e2System.1-09.e |
1409.09e2System.1-09.e |
14 Third Party Assurance |
1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The organization develops, disseminates and annually reviews/updates a list of current service providers, which includes a description of services provided. |
|
15 |
| hipaa |
1410.09e2System.23-09.e |
hipaa-1410.09e2System.23-09.e |
1410.09e2System.23-09.e |
14 Third Party Assurance |
1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The organization addresses information security and other business considerations when acquiring systems or services; including maintaining security during transitions and continuity following a failure or disaster. |
|
11 |
| hipaa |
1416.10l1Organizational.1-10.l |
hipaa-1416.10l1Organizational.1-10.l |
1416.10l1Organizational.1-10.l |
14 Third Party Assurance |
1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where software development is outsourced, formal contracts are in place to address the ownership and security of the code and application. |
|
11 |
| hipaa |
1417.10l2Organizational.1-10.l |
hipaa-1417.10l2Organizational.1-10.l |
1417.10l2Organizational.1-10.l |
14 Third Party Assurance |
1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where software development is outsourced, the development process is monitored by the organization and includes independent security and code reviews. |
|
12 |
| hipaa |
1419.05j1Organizational.12-05.j |
hipaa-1419.05j1Organizational.12-05.j |
1419.05j1Organizational.12-05.j |
14 Third Party Assurance |
1419.05j1Organizational.12-05.j 05.02 External Parties |
Shared |
n/a |
The organization ensures that customers are aware of their obligations and rights, and accept the responsibilities and liabilities prior to accessing, processing, communicating, or managing the organization's information and information assets. |
|
11 |
| hipaa |
1421.05j2Organizational.12-05.j |
hipaa-1421.05j2Organizational.12-05.j |
1421.05j2Organizational.12-05.j |
14 Third Party Assurance |
1421.05j2Organizational.12-05.j 05.02 External Parties |
Shared |
n/a |
Access by customers to the organization's information is not provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement, including specific terms around asset protection, access control policy, arrangements for the resolution of inaccuracies, a description of each service provided, service levels, benefits to the customer, legal responsibilities of the organization and the customer, and any intellectual property rights. |
|
10 |
| hipaa |
1429.05k1Organizational.34-05.k |
hipaa-1429.05k1Organizational.34-05.k |
1429.05k1Organizational.34-05.k |
14 Third Party Assurance |
1429.05k1Organizational.34-05.k 05.02 External Parties |
Shared |
n/a |
The organization maintains written agreements (contracts) that include: (i) an acknowledgement that the third-party (e.g., a service provider) is responsible for the security of the data and requirements to address the associated information security risks; and, (ii) requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain. |
|
14 |
| hipaa |
1430.05k1Organizational.56-05.k |
hipaa-1430.05k1Organizational.56-05.k |
1430.05k1Organizational.56-05.k |
14 Third Party Assurance |
1430.05k1Organizational.56-05.k 05.02 External Parties |
Shared |
n/a |
The agreement ensures that there is no misunderstanding between the organization and the third-party and satisfies the organization as to the indemnity of the third-party. |
|
13 |
| hipaa |
1438.09e2System.4-09.e |
hipaa-1438.09e2System.4-09.e |
1438.09e2System.4-09.e |
14 Third Party Assurance |
1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The service provider protects the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk. |
|
14 |
| ISO27001-2013 |
A.12.1.2 |
ISO27001-2013_A.12.1.2 |
ISO 27001:2013 A.12.1.2 |
Operations Security |
Change management |
Shared |
n/a |
Changes to organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
link |
27 |
| ISO27001-2013 |
A.14.1.1 |
ISO27001-2013_A.14.1.1 |
ISO 27001:2013 A.14.1.1 |
System Acquisition, Development And Maintenance |
Information security requirements analysis and specification |
Shared |
n/a |
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. |
link |
24 |
| ISO27001-2013 |
A.14.2.2 |
ISO27001-2013_A.14.2.2 |
ISO 27001:2013 A.14.2.2 |
System Acquisition, Development And Maintenance |
System change control procedures |
Shared |
n/a |
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
link |
25 |
| ISO27001-2013 |
A.14.2.4 |
ISO27001-2013_A.14.2.4 |
ISO 27001:2013 A.14.2.4 |
System Acquisition, Development And Maintenance |
Restrictions on changes to software packages |
Shared |
n/a |
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. |
link |
24 |
| ISO27001-2013 |
A.14.2.7 |
ISO27001-2013_A.14.2.7 |
ISO 27001:2013 A.14.2.7 |
System Acquisition, Development And Maintenance |
Outsourced development |
Shared |
n/a |
The organization shall supervise and monitor the activity of outsourced system development. |
link |
28 |
| ISO27001-2013 |
A.14.2.9 |
ISO27001-2013_A.14.2.9 |
ISO 27001:2013 A.14.2.9 |
System Acquisition, Development And Maintenance |
System acceptance testing |
Shared |
n/a |
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. |
link |
14 |
| ISO27001-2013 |
A.15.1.2 |
ISO27001-2013_A.15.1.2 |
ISO 27001:2013 A.15.1.2 |
Supplier Relationships |
Addressing security within supplier agreement |
Shared |
n/a |
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. |
link |
24 |
| ISO27001-2013 |
A.15.2.2 |
ISO27001-2013_A.15.2.2 |
ISO 27001:2013 A.15.2.2 |
Supplier Relationships |
Managing changes to supplier services |
Shared |
n/a |
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. |
link |
15 |
| ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
A.6.1.5 |
ISO27001-2013_A.6.1.5 |
ISO 27001:2013 A.6.1.5 |
Organization of Information Security |
Information security in project management |
Shared |
n/a |
Information security shall be addressed in project management, regardless of the type of the project. |
link |
25 |
| ISO27001-2013 |
A.7.1.2 |
ISO27001-2013_A.7.1.2 |
ISO 27001:2013 A.7.1.2 |
Human Resources Security |
Terms and conditions of employment |
Shared |
n/a |
The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. |
link |
24 |
| ISO27001-2013 |
A.7.2.1 |
ISO27001-2013_A.7.2.1 |
ISO 27001:2013 A.7.2.1 |
Human Resources Security |
Management responsibilities |
Shared |
n/a |
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. |
link |
26 |
| ISO27001-2013 |
C.4.3.c |
ISO27001-2013_C.4.3.c |
ISO 27001:2013 C.4.3.c |
Context of the organization |
Determining the scope of the information security management system |
Shared |
n/a |
The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
c) interfaces and dependencies between activities performed by the organization, and those that are
performed by other organizations.
The scope shall be available as documented information. |
link |
18 |
|
mp.eq.2 User session lockout |
mp.eq.2 User session lockout |
404 not found |
|
|
|
n/a |
n/a |
|
29 |
|
mp.per.1 Job characterization |
mp.per.1 Job characterization |
404 not found |
|
|
|
n/a |
n/a |
|
41 |
|
mp.per.2 Duties and obligations |
mp.per.2 Duties and obligations |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
404 not found |
|
|
|
n/a |
n/a |
|
48 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
59 |
| NIST_SP_800-53_R4 |
SA-10 |
NIST_SP_800-53_R4_SA-10 |
NIST SP 800-53 Rev. 4 SA-10 |
System And Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.
References: NIST Special Publication 800-128. |
link |
9 |
| NIST_SP_800-53_R4 |
SA-4 |
NIST_SP_800-53_R4_SA-4 |
NIST SP 800-53 Rev. 4 SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
| NIST_SP_800-53_R5 |
SA-10 |
NIST_SP_800-53_R5_SA-10 |
NIST SP 800-53 Rev. 5 SA-10 |
System and Services Acquisition |
Developer Configuration Management |
Shared |
n/a |
Require the developer of the system, system component, or system service to:
a. Perform configuration management during system, component, or service [Selection (OneOrMore): design;development;implementation;operation;disposal] ;
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]. |
link |
9 |
| NIST_SP_800-53_R5 |
SA-4 |
NIST_SP_800-53_R5_SA-4 |
NIST SP 800-53 Rev. 5 SA-4 |
System and Services Acquisition |
Acquisition Process |
Shared |
n/a |
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (OneOrMore): standardized contract language; [Assignment: organization-defined contract language] ] in the acquisition contract for the system, system component, or system service:
a. Security and privacy functional requirements;
b. Strength of mechanism requirements;
c. Security and privacy assurance requirements;
d. Controls needed to satisfy the security and privacy requirements.
e. Security and privacy documentation requirements;
f. Requirements for protecting security and privacy documentation;
g. Description of the system development environment and environment in which the system is intended to operate;
h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
i. Acceptance criteria. |
link |
11 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
op.ext.1 Contracting and service level agreements |
op.ext.1 Contracting and service level agreements |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
op.ext.2 Daily management |
op.ext.2 Daily management |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
|
op.nub.1 Cloud service protection |
op.nub.1 Cloud service protection |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
op.pl.5 Certified components |
op.pl.5 Certified components |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
| PCI_DSS_v4.0 |
12.8.2 |
PCI_DSS_v4.0_12.8.2 |
PCI DSS v4.0 12.8.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
Written agreements with TPSPs are maintained as follows:
• Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. |
link |
15 |
| PCI_DSS_v4.0 |
12.8.5 |
PCI_DSS_v4.0_12.8.5 |
PCI DSS v4.0 12.8.5 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. |
link |
13 |
| SOC_2 |
CC5.2 |
SOC_2_CC5.2 |
SOC 2 Type 2 CC5.2 |
Control Activities |
COSO Principle 11 |
Shared |
The customer is responsible for implementing this recommendation. |
• Determines Dependency Between the Use of Technology in Business Processes and
Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and
technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management
selects and develops control activities over the technology infrastructure, which are
designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented
to restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. |
|
18 |
| SOC_2 |
CC9.2 |
SOC_2_CC9.2 |
SOC 2 Type 2 CC9.2 |
Risk Mitigation |
Vendors and business partners risk management |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement
that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic
basis, the risks that vendors and business partners (and those entities’ vendors and
business partners) represent to the achievement of the entity's objectives.
• Assigns Responsibility and Accountability for Managing Vendors and Business
Partners — The entity assigns responsibility and accountability for the management
of risks associated with vendors and business partners.
• Establishes Communication Protocols for Vendors and Business Partners — The
entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.
• Establishes Exception Handling Procedures From Vendors and Business Partners
— The entity establishes exception handling procedures for service or product issues related to vendors and business partners.
• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.
• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.
• Implements Procedures for Terminating Vendor and Business Partner Relationships
— The entity implements procedures for terminating vendor and business partner
relationships.
Additional points of focus that apply only to an engagement using the trust services criteria for
confidentiality:
• Obtains Confidentiality Commitments from Vendors and Business Partners — The
entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who
have access to confidential information.
• Assesses Compliance With Confidentiality Commitments of Vendors and Business
Partners — On a periodic and as-needed basis, the entity assesses compliance by
vendors and business partners with the entity’s confidentiality commitments and requirements.
Additional points of focus that apply only to an engagement using the trust services criteria for
privacy:
• Obtains Privacy Commitments from Vendors and Business Partners — The entity
obtains privacy commitments, consistent with the entity’s privacy commitments and
requirements, from vendors and business partners who have access to personal information.
• Assesses Compliance with Privacy Commitments of Vendors and Business Partners
— On a periodic and as-needed basis, the entity assesses compliance by vendors
and business partners with the entity’s privacy commitments and requirements and
takes corrective action as necessary |
|
20 |
| SOC_2 |
P6.1 |
SOC_2_P6.1 |
SOC 2 Type 2 P6.1 |
Additional Criteria For Privacy |
Personal information third party disclosure |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates Privacy Policies to Third Parties — Privacy policies or other specific
instructions or requirements for handling personal information are communicated
to third parties to whom personal information is disclosed.
• Discloses Personal Information Only When Appropriate — Personal information is
disclosed to third parties only for the purposes for which it was collected or created
and only when implicit or explicit consent has been obtained from the data subject,
unless a law or regulation specifically requires otherwise.
• Discloses Personal Information Only to Appropriate Third Parties — Personal information
is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the
entity’s privacy notice or other specific instructions or requirements. The entity has
procedures in place to evaluate that the third parties have effective controls to meet
the terms of the agreement, instructions, or requirements.
• Discloses Information to Third Parties for New Purposes and Uses — Personal information
is disclosed to third parties for new purposes or uses only with the prior
implicit or explicit consent of data subjects. |
|
15 |
| SOC_2 |
P6.5 |
SOC_2_P6.5 |
SOC 2 Type 2 P6.5 |
Additional Criteria For Privacy |
Third party unauthorized disclosure notification |
Shared |
The customer is responsible for implementing this recommendation. |
• Remediates Misuse of Personal Information by a Third Party — The entity takes
remedial action in response to misuse of personal information by a third party to
whom the entity has transferred such information.
• Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining
commitments from vendors and other third parties to report to the entity actual
or suspected unauthorized disclosures of personal information. |
|
12 |
| SWIFT_CSCF_v2022 |
2.8A |
SWIFT_CSCF_v2022_2.8A |
SWIFT CSCF v2022 2.8A |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. |
Shared |
n/a |
Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation. |
link |
11 |
| SWIFT_CSCF_v2022 |
8.5 |
SWIFT_CSCF_v2022_8.5 |
SWIFT CSCF v2022 8.5 |
8. Set and Monitor Performance |
Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. |
Shared |
n/a |
Ensure early availability of SWIFTNet releases and of the FIN standards for proper testing by the customer before going live. |
link |
11 |