MOACL

Could you use a Mother of All Control Lists (MOACL)?

With the multitude of different compliance efforts an organization can be subjected to, it is not uncommon to hear confusion about what may or may not apply. Which compliance regulations does the organization fall under? What must the organization do to meet one compliance effort without conflicting with another? How can the organization know it is meeting the required compliance controls? Can anything be done to reduce the amount of work needed to meet these objectives? The answers lie in the details of the many controls in each of these efforts, and in the ability of technology practitioners to find commonalities that eliminate redundant testing. By reviewing each compliance framework, technologists can define a set of generic controls such that, when a control is met for one objective, it also meets objectives in other compliance frameworks. The Mother of All Control Lists (MOACL) is therefore a one-to-many relationship between a general control and the varying compliance controls it satisfies.

The MOACL presented here should be used as a conceptual list of controls. Each organization is different and may not align with what is posted here. An XLS version of the list can be found here: MOACL

The current version of the MOACL is being updated for several new compliance directives, such as GDPR. Please check back for the new posting, which will be found here.

Mother Of All Control Lists (MOACL) v1.4

POLICY

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 1.1 | The organization will maintain a security policy framework. | 1.1 Information Security Policy | 08-SOX – Entity Control | Sanction Policy §164.308(a)(1) | 12.1.1, 12.2, 12.3 | | | |
| 1.2 | The organization will maintain a high-level security policy that displays management backing. | 1.1.1 High Level Security Policy (HLSP) | | | | | | |
| 1.3 | The security policy framework is reviewed / evaluated on a periodic basis. | 1.1.2 Review and Evaluation | 09-SOX – Entity Control | | 12.1.2, 12.1.3 | | | |
| 1.4 | Organization has assigned responsibility for security to an individual or committee. | | 10-SOX – Entity Control | Assigned Security Responsibility §164.308(a)(2) | 12.3.1 | | § 314.4(a) | 17.03.1 |

ORGANIZATIONAL SECURITY

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 2.1 | Organizations will maintain current organizational charts. | 2.1 Internal organization | | | | | | |
| 2.2 | Management will show commitment to the security program and its efforts. | 2.1.1 Management commitment | | | | | | |
| 2.3 | | 2.1.2 Information security coordination | | | | | | |
| 2.4 | Implement procedures for the authorization and supervision of workforce members who work with sensitive data. Roles should be clearly defined. | 2.1.3 Allocation of responsibilities | | Authorization and/or Supervision §164.308(a)(3) | | | | |
| 2.5 | Procedures will be in place that require the proper authorization of computing resources before they are allowed in the production environment. | 2.1.4 Authorization for facilities | | | | | | |
| 2.6 | The organization will utilize confidentiality agreements to protect its information resources. | 2.1.5 Confidentiality Agreements | | | | | | |
| 2.7 | The organization will commit to maintaining a relationship with local and federal authorities. | 2.1.6 Contact with Authorities | | | | | | |
| 2.8 | The organization utilizes SME advice for new projects or major program changes. | 2.1.7 Specialist Security Advice | | | | | | |
| 2.9 | Major projects will perform independent review to help reduce risk. | 2.1.8 Independent Review | | | | | | |
| 2.10 | | 2.2 External Parties | 07-SOX – Data Recovery | | | | | |
| 2.11 | Organizations will conduct periodic Risk Analysis efforts. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromises of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including: | 2.2.1 Risk assessment | | Risk Analysis §164.308(a)(1) | | | § 314.4(b), § 314.4(e) | 17.03.2.c, 17.03.11 |
| 2.12 | Organizations will remediate risks identified by the RA activities. | | | Risk Management §164.308(a)(1) | | | § 314.4(c) | |
| 2.13 | Organizations will maintain policies for third party access into the network. | 2.2.2 Third party access | | | | | | |
| 2.14 | Organizations will maintain policies for the outsourcing of resources. | 2.2.3 Outsourcing | 08-SOX – Data Recovery | | | | | |

ASSET MANAGEMENT

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 3.1 | Organization identifies paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information. | 3 Assets | | | 9.9.1 | | | 17.03.8 |
| 3.2 | Organization has security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises. Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers. | 3.1 Accountability | | | | | | 17.03.3, 17.03.9 |
| 3.3 | Media is labeled so it can be identified by its classification. | 3.2 Classification | | | 9.7.1 | | | |
| 3.4 | Limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected. | | | | | | | 17.03.7 |

HR DOMAIN

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 4.1 | Security is clearly defined in job descriptions. | 4.1.1 Security Roles in job descriptions | 01-SOX – Entity Control | | 1.1.4 | 1.2 | | 17.03.2b |
| 4.2 | Organization determines that the access of a workforce member to specific classifications of electronic information is appropriate. | 4.1.2 Personnel Screening | 02-SOX – Entity Control | Workforce Clearance Procedure 164.308(a)(3) | | | | |
| 4.3 | Organization will clearly review and define terms and conditions. | 4.1.3 Terms and Conditions | | | | | | |
| 4.4 | Organization will monitor traffic leaving the perimeter for violations of policy. | 4.1.4 Egress Monitoring | 03-SOX – Entity Control | | | | | |
| 4.5 | Organizations will review internet activity for appropriate use. | 4.1.5 Appropriate Use Monitoring | 04-SOX – Entity Control | | | | | |
| 4.6 | | 4.2.1 Management Responsibilities | 05-SOX – Entity Control | | | | | |
| 4.7 | Implement a security awareness and training program for all members of the organization (including management). | 4.2.2 Security Awareness | 06-SOX – Entity Control | Security Awareness and Training 164.308(a)(5) | | | § 314.4(b)(1) | 17.03.2a, 17.04.08 |
| 4.8 | Implement periodic security updates such as quarterly email distribution or poster campaigns. | | | Security Reminders 164.308(a)(5) | | | | |
| | The organization has procedures for terminating access to electronic information when the employment of a workforce member ends. Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and usernames. | 4.2.3 Disciplinary Process | 07-SOX – Entity Control | Termination Procedures 164.308(a)(3)(ii)(B) | | | | 17.03.4, 17.03.5 |

PHYSICAL AND ENVIRONMENTAL SECURITY

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 5.1 | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Maintain strict control over the internal or external distribution of any kind of media that contains cardholder information: | 5.1.1 Physical Security Perimeter | 01-SOX – Data Center Ops | Facility Security Plan 164.310(a) | 9.1, 9.6, 9.7, 9.9 | | | 17.04.2a |
| 5.2 | Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. The organization will utilize equipment such as cameras and visitor logs. | 5.1.2 Physical Entry Controls | 02-SOX – Data Center Ops | Access Control and Validation Procedures 164.310(a) | 9.1.1, 9.2, 9.3, 9.4 | 4.2 | | |
| 5.3 | Access to the data center, computer room, and sensitive areas of the operations center is controlled through electronic key cards assigned to appropriate employees. | 5.1.3 Secure offices, rooms and facilities | 03-SOX – Data Center Ops | | | 4.1 | | |
| 5.4 | The data center is equipped to prevent, detect, and suppress environmental hazards, using measures such as raised floors, air conditioning, fire and smoke detectors, and fire suppression systems. | 5.1.4 Protecting Against External and Environmental Threats | 04-SOX – Data Center Ops | | | 4.3 | | |
| 5.5 | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a workstation or class of workstation that can access electronic information. | 5.1.5 Working in Secure Areas | 05-SOX – Data Center Ops | Workstation Use 164.310(c) | | | | |
| 5.6 | Organization will have procedures for securing loading/delivery areas. | 5.1.6 Isolated delivery and loading areas | 06-SOX – Data Center Ops | | | | | |
| 5.7 | Organization will maintain procedures for the proper placement and physical security of technology equipment. | 5.2.1 Equipment siting and protection | 09-SOX – Data Recovery | | | | | |
| 5.8 | Redundant/fault-tolerant power supplies should be utilized where feasible. | 5.2.2 Power Supplies | 10-SOX – Data Recovery | | | | | |
| 5.9 | Restrict physical access to publicly accessible network infrastructure (wireless included). | 5.2.3 Cabling Security | 07-SOX – Data Center Ops | | 9.1.2, 9.1.3 | | | |
| 5.10 | Implement policies to maintain and document repairs to physical components. | 5.2.4 Equipment maintenance | 08-SOX – Data Center Ops | Maintenance Records 164.310(a) | | | | |
| 5.11 | Management approves all media that is moved from a secured area (especially when media is distributed to individuals). Media back-ups will be stored in a secure off-site facility, which may be either an alternate third-party or a commercial storage facility. | 5.2.5 Security of Equipment Off-Premises | 09-SOX – Data Center Ops | | 9.5, 9.8 | | | |
| 5.12 | Policies and procedures to address the final disposition or reuse of electronic hardware or electronic media on which sensitive data is stored. Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed. | 5.2.6 Secure Disposal/Reuse of Equipment | 10-SOX – Data Center Ops | Disposal 164.310(d); Media Re-use 164.310(d) | 9.10, 9.10.1, 9.10.2 | | | |
| 5.13 | Organization has procedures for removing technology property when it is no longer in a production capacity. | 5.2.7 Removal of Property | 11-SOX – Data Center Ops | | | | | |

COMMUNICATIONS AND OPERATIONS MANAGEMENT

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 6.1 | Organization will have specific procedures that explain exactly how systems are to be configured and operated. For example, do not use vendor supplied passwords. | 6.1.1 Documented Operating Procedures | 01-SOX – Network Security | | 1.1.9, 2.1, 2.2, 6.3.6 | | | |
| 6.2 | Change control procedures will be followed for changes in infrastructure. | 6.1.2 Operational Change Controls | 12-SOX – Data Center Ops | | | | | |
| 6.3 | Management’s control consciousness and organization structure provide for adequately segregated duties within information systems and between information systems and users. | 6.1.3 Segregation of duties | 06-SOX – Data Recovery | | | 1.1 | | |
| 6.4 | Development, Staging, Testing, Laboratory and Production environments will be separated by logical or physical means. | 6.1.4 Separation of development and operational facilities | 13-SOX – Data Center Ops | | 6.3.2 | | | |
| 6.5 | Organization may permit a business associate to create, receive, maintain, or transmit electronic information on the entity’s behalf only if the entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. | 6.2.1 3rd party Service Delivery – Contract | | Business Associate Contracts and Other Arrangements 164.308(b) | | 7.2 | § 314.4(d)(1), § 314.4(d)(2) | 17.03.6 |
| 6.6 | Periodic review is conducted of reports regarding services rendered, and of any records related to that service that pertain to the information security of third parties. | 6.2.2 3rd Party Monitoring and Review | | Business Associate Contracts and Other Arrangements 164.308(b) | | | § 314.4(d)(1) | |
| 6.7 | Organization has policies and procedures for managing changes involving 3rd parties. | 6.2.3 3rd Party Managing Changes | | Business Associate Contracts and Other Arrangements 164.308(b) | | | | |
| 6.8 | Organization conducts capacity planning on production systems. | 6.3.1 Capacity Planning | 07-SOX – Data Recovery | | 1.1.2 | | | |
| 6.9 | A mechanism exists for the acceptance of a system into the environment. Signoff is conducted by the proper management. | 6.3.2 System Acceptance | 02-SOX – Network Security | | | | | |
| 6.10 | Procedures and software exist for guarding against, detecting, and reporting malicious software. | 6.4.1 Controls Against Malicious Software | 01-SOX – Virus Control | Protection from Malicious Software 164.308(a)(5) | 5.1, 5.2 | | | 17.04.7 |
| 6.11 | Organization has established clear controls around ACLs and firewall type technologies to protect information assets. | 6.6.1 Network Controls | 14-SOX – Data Center Ops | | 1.1, 1.1.1, 1.1.3, 1.1.5, 1.1.6, 1.1.7, 1.2, 1.3, 1.4, 11.4 | | | 17.04.6 |
| 6.12 | Procedures exist for the secure handling of mass media such as tape backups and flash drives. | 6.7 Media Handling | 15-SOX – Data Center Ops | | | | | |
| 6.13 | Organization has policies and procedures for the exchange of data with external parties. | 6.8.1 Exchange of Info and Software | 16-SOX – Data Center Ops | | | | | |
| 6.14 | Media will be sent via secured courier or a delivery mechanism that can be accurately tracked. | 6.8.3 Physical Media in Transit | 17-SOX – Data Center Ops | | 9.7.2 | | | |
| 6.15 | Sensitive communications conducted over email are secured by a form of encryption. | 6.8.4 Security of electronic mail | 18-SOX – Data Center Ops | | 4.2 | | | |
| 6.16 | Implement security measures to ensure that electronically transmitted information is not improperly modified without detection. | 6.9.1 Electronic Commerce Security | 19-SOX – Data Center Ops | Integrity Controls 164.312(e) | 4.1, 4.1.1 | | § 314.4(b)(2) | 17.04.3 |
| 6.17 | Publicly available systems are protected to ensure sensitive information is protected. | 6.9.3 Publicly Available Systems | 20-SOX – Data Center Ops | | | | | |
| | Policies and procedures exist to create and maintain retrievable exact copies of electronic assets. | | 08-SOX – Data Recovery | Data Backup Plan 164.308(a)(7); Data Backup and Storage 164.310(d) | | | | |

ACCESS CONTROL

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 7.1 | Implement technical policies and procedures for electronic information systems that maintain information to allow access only to those persons or software programs that have been granted access rights as specified. Limit access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements. | 7.1 Access Control Policy | 02-SOX – Network Security | Access Control 164.308(a)(4) | 3.1, 3.3 | 5.1 | | 17.03.7 |
| 7.2 | Limit access to computing resources to only those individuals whose job requires such access. | 7.2 User Access Management | 03-SOX – Network Security | | 7.2, 8.1 | | | |
| 7.3 | Organization has policies and procedures for granting access to electronic assets, for example through access to a workstation, transaction, program, process, or another mechanism (requests, identify the role, approvals, statement of rights, unique ID). | 7.2.1 User Registration | 04-SOX – Network Security | Access Authorization 164.308(a)(4); Unique User Identification 164.312(a) | 8.1, 10.1 | 5.3 | | 17.04.1.a, 17.04.1.b, 17.04.2b |
| 7.4 | Implement policies and procedures for granting access to electronic assets, for example through access to a workstation, transaction, program, process, or other mechanism. Ensure proper user authentication and password management for non-consumer users and administrators, on all system components. | 7.2.2 Privilege Management | 05-SOX – Network Security | Access Authorization 164.308(a)(4) | 8.5, 8.5.16, 10.5, 10.5.1, 10.5.2 | | | |
| 7.5 | Organization has procedures for creating, changing, and safeguarding passwords. Access to a user identification is blocked after multiple unsuccessful attempts to gain access, or after the limitation placed on access for the particular system is reached. | 7.2.3 Password Management | 06-SOX – Network Security | Password Management 164.308(a)(5) | 8.2, 8.3, 8.4 | 5.3, 5.4 | | 17.04.1.c, 17.04.1.e |
| 7.6 | Organization has policies and procedures that review and modify a user’s right of access to a workstation, transaction, program, or process, restricting access to active users and active user accounts only. | 7.2.4 Review of Rights | 07-SOX – Network Security | Access Establishment and Modification 164.308(a)(4) | | 5.2, 5.5 | | 17.04.1.d |
| 7.7 | | 7.3 User Responsibilities | 02-SOX – Virus Control | | 3.1 | | | |
| 7.8 | Maintain a record of the movements of hardware and electronic media and any person responsible therefor. | | | Accountability 164.310(d) | | | | |
| 7.9 | Policies and procedures exist for the correct use and management of passwords. | 7.3.1 Password Use | 08-SOX – Network Security | | 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15 | | | 17.04.1.c |
| 7.10 | Unattended equipment will be secured by timeouts, locking screens, logoffs, etc. | 7.3.2 Unattended Equipment | 09-SOX – Network Security | | | | | |
| 7.11 | Organizations will implement a clean desk policy to protect physical assets such as electronics and paper. | 7.3.3 Clear desk Policy | | | | | | |
| 7.12 | Clear policies exist detailing the use of network services and restrictions. | 7.4.1 Policy on Use of Network Services | 03-SOX – Virus Control | | | | | |
| 7.13 | Authentication will be required for any access across external or public networks. | 7.4.2 User authentication for external connections | 10-SOX – Network Security | | | | | |
| 7.14 | Workstations will be authenticated before they are allowed to access network resources. | 7.4.3 Node authentication | 11-SOX – Network Security | | | | | |
| 7.15 | Organization will implement security for the protection of sideband or diagnostic ports in equipment. | 7.4.4 Remote diagnostic port protection | 12-SOX – Network Security | | | | | |
| 7.16 | Networks will be segmented where logically applicable. Segmentation will serve to protect information assets. | 7.4.5 Segregation in networks | 13-SOX – Network Security | | 1.4 | | | |
| 7.17 | Processes are in place to control access to what is placed on the internal or external network. | 7.4.6 Network connection control | 14-SOX – Network Security | | | | | |
| 7.18 | Static and dynamic routing protocols will be managed by the appropriate individuals and with security as a priority. | 7.4.7 Network routing control | 15-SOX – Network Security | | | | | |
| 7.19 | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation. | 7.5 Operating system access control | 16-SOX – Network Security | Workstation Use 164.310(b) | | | | |
| 7.20 | Use windows to restrict access to resources based on user or computer: logon procedures, identification, password management, utilities, timeout, connection time. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | 7.5.1 Terminal log-on procedures | 17-SOX – Network Security | Person or Entity Authentication 164.312(d) | | | | |
| 7.21 | Users will be authenticated using an industry standard, best practices method to ensure the account being utilized belongs to the correct individual. | 7.5.2 User identification and authentication | 18-SOX – Network Security | | | | | |
| 7.22 | Organization will provide procedures for the management of passwords, recovery, and resets. | 7.5.3 Password Management System | 19-SOX – Network Security | | | | | |
| 7.23 | System utilities will only be used if authorized and needed for the job. Utilities such as password crackers are forbidden. | 7.5.4 Use of system utilities | 20-SOX – Network Security | | | | | |
| 7.24 | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | 7.5.5 Terminal time-out | 21-SOX – Network Security | Automatic Logoff 164.312(a) | | | | |
| 7.25 | Implement electronic procedures that terminate a network session after a predetermined time of inactivity. | 7.5.6 Limitation of connection time | 22-SOX – Network Security | | | | | |
| 7.27 | Applications define controls around information accessed inside the application. | 7.5.8 Information access restriction | 24-SOX – Network Security | | | | | |
| 7.29 | Data will be isolated, depending on its purpose, for sensitivity. De-identification is preferred. | 7.5.9 Sensitive system isolation | 25-SOX – Network Security | | | | | |
| 7.30 | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, including: FW (firewall) logs, individual user access to cardholder data, actions taken by any individual with root or administrative privileges, creation and deletion of system-level objects, date and time, etc. (i.e. best practices). Review logs for all system components at least daily. Log reviews should include those servers that perform security functions like Intrusion Detection System (IDS) and Authentication, Authorization, and Accounting (AAA) servers (for example, RADIUS). | 7.6.1 Event logging | 26-SOX – Network Security | Information System Activity Review §164.308(a)(1) | 1.1.8, 10.2, 10.6 | 5.6 | | 17.03.10, 17.04.4 |
| 7.31 | Procedures for monitoring log-in attempts and reporting discrepancies. | | 27-SOX – Network Security | Log-in Monitoring 164.308(a)(5) | | | | |
| 7.32 | Synchronize all critical system clocks and times. | 7.6.1 Clock synchronization | 28-SOX – Network Security | | 10.4 | | | |
| 7.33 | Policies and procedures exist for the correct use of mobile computing devices such as laptops and smart phones. The mobile devices will be protected using encryption, authentication, templates, timeouts, etc. | 7.7.1 Mobile computing | 29-SOX – Network Security | | | | | |
| 7.34 | Policies and procedures exist for the correct use of teleworking. | 7.7.2 Teleworking | 30-SOX – Network Security | | | | | |

SYSTEM DEVELOPMENT

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 8.1 | Develop applications based on secure coding guidelines and business requirements. | 8.1 Statement of Bus Requirements | 01-SOX – App Development | | 6.3, 6.5 | | § 314.4(b)(2) | |
| 8.2 | Implement electronic mechanisms to corroborate that electronic data has not been altered or destroyed in an unauthorized manner. | 8.2 Correct Processing In Applications | 02-SOX – App Development | Mechanism to Authenticate Electronic PHI 164.312(c) | 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10 | | | 17.03.2.c |
| 8.3 | Application will validate data being submitted to the system to check for validity. | 8.2.1 Input data validation | 03-SOX – App Development | | | | | |
| 8.4 | Organization will have policies and procedures to ensure the internal processing of applications is correct. | 8.2.2 Control of Internal Processing | 04-SOX – App Development | | | | | |
| 8.5 | Applications utilizing data exchange will use message authentication to maintain integrity. | 8.2.3 Message Authentication | 05-SOX – App Development | | | | | |
| 8.6 | Applications will validate the data being presented as output to ensure the data is correct. | 8.2.4 Output Data Validation | 06-SOX – App Development | | | | | |
| 8.7 | Implement a method to encrypt and decrypt sensitive data and manage encryption keys securely. Data on laptops and portable systems will utilize encryption to protect data at rest. | 8.3 Cryptographic Controls | 31-SOX – Network Security | Encryption and Decryption 164.312(a); Encryption 164.312(e) | 3.4, 3.5, 3.6 | 7.1 | § 314.4(b)(2) | 17.04.5 |
| 8.8 | Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files. | 8.4 Security of System Files | 32-SOX – Network Security | | 11.5 | | | |
| 8.9 | Organization has policies for securing the operating systems that applications run on (hardening guides, templates, base images, peer review). | 8.4.1 Control of operational software | 07-SOX – App Development | | | | | |
| 8.10 | Separation of duties between development/test and production environments. | 8.4.2 Protection of system test data | 08-SOX – App Development | | 6.3.4, 6.3.5 | | | |
| 8.11 | Organization controls access to source code and log files. Provide centralized servers or media that are difficult to alter and require authorization to manipulate. | 8.4.3 Access control to source code and logs | | | 10.5.3, 10.5.4, 10.5.5, 10.7 | | | |
| 8.12 | Organization has policies and procedures to detect and remedy information leakage from applications. | 8.5.4 Information leakage | 10-SOX – App Development | | | | | |
| 8.13 | Policies and procedures exist for the outsourcing of development efforts. These policies detail how the code will be secured, reviewed, and owned. | 8.5.5 Outsourced development management | 11-SOX – App Development | | | | | |
| 8.14 | Organization will perform vulnerability management. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes. Deploy IDS to monitor traffic. | 8.6 Vulnerability Management | 33-SOX – Network Security | | 6.1, 6.2, 11.1, 11.2, 11.3, 11.4 | | | |

Change Control

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 8.15 | Organization has a comprehensive change management policy and detailed procedures. | 8.5 Security in Development and Support | 01-SOX – Change Control | | 6.4 | 2.1, 2.4, 3.1 | | |
| 8.16 | Each change request is entered into a CMDB, which is used to coordinate the change process and its authorization and to track the status of outstanding change requests. | 8.5.1 Change control | 02-SOX – Change Control | | 6.4.1, 6.4.2, 6.4.3, 6.4.4 | 2.2, 3.2 | | |
| 8.17 | Perform testing in response to environmental or operational changes. | 8.5.2 Technical Review following a change | 03-SOX – Change Control | Evaluation 164.308(a)(8) | 6.3.1, 6.3.7 | 2.3, 3.3 | | |
| 8.18 | Organization has controls around the ability to modify code or deploy executables into the production environment. | 8.5.3 Restrictions on Change | 04-SOX – Change Control | | | 2.5, 3.4 | | |

INCIDENT MANAGEMENT

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 9.1 | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. | 9.1 Responding to Incidents | 34-SOX – Network Security | Response and Reporting 164.308(a)(6) | | | § 314.4(b)(3) | 17.03.2.c |
| 9.2 | Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to the protection of personal information. | 9.1.1 Reporting Security Incidents | 35-SOX – Network Security | | | | | 17.03.12 |
| 9.3 | Response teams hold follow-up meetings to discuss weaknesses found during incident investigations. | 9.1.2 Reporting weaknesses | | | | | | |
| 9.4 | Incident Response teams report to management when malfunctions are discovered. | 9.2 Reporting Software Malfunctions | 36-SOX – Network Security | | | | | 17.03.2.c |
| 9.5 | Policies and procedures exist for dealing with incidents. | 9.2.1 Incident management procedures | 37-SOX – Network Security | | | | | |
| 9.6 | Meetings are scheduled for post-incident response. These meetings allow teams to learn from the incident. | 9.2.2 Learning from incidents | | | | | | |

BUSINESS CONTINUITY

| GCC | Control Description | ISO 27002 | SOX | HIPAA | PCI DSS | SAS70 | GLBA | 201 CMR 17 |
|---|---|---|---|---|---|---|---|---|
| 10.1 | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. Off-site facilities are mandatory? | 10.1 Continuity and management process | 01-SOX – Data Recovery | Contingency Operations 164.310(a) | 9.5 | 6.2 | § 314.4(c) | |
| 10.2 | Organizations will conduct a BIA with regard to the importance of assets and what they are worth. | 10.2 Business Impact analysis | 02-SOX – Data Recovery | Applications and Data Criticality Analysis 164.308(a)(7) | | | | |
| 10.3 | Establish (and implement as needed) procedures to restore any loss of data. | 10.3 Writing and implementation plan | 03-SOX – Data Recovery | Disaster Recovery Plan 164.308(a)(7) | | 6.1 | | |
| 10.4 | Establish procedures to enable the continuation of critical business processes for protection of the security of electronic assets. | 10.4 Planning framework | 04-SOX – Data Recovery | Emergency Mode Operation Plan 164.308(a)(7) | | | | |
| 10.5 | Procedures for periodic testing and revision of contingency plans. Backup tapes should be restored to ensure they contain valid data. | 10.5 Testing and maintaining | 05-SOX – Data Recovery | Testing and Revision Procedure 164.308(a)(7); Emergency Access Procedure 164.312(a) | | 6.3 | | |
