Compliance Report
Scan Date: January 02, 2018
Description: Cybersecurity standards and regulations provide policy frameworks of computer security guidance for private and public-sector organizations. They provide a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. Major regulations within this section include NIST 800-53, GDPR, ISO 27001, PCI-DSS, HIPAA, COBIT.

NIST 800-53 Level: 63%


NIST Special Publication 800-53 provides a catalog of security controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act of 2002 (FISMA) and to help them manage cost-effective programs to protect their information and information systems. Agencies are expected to be compliant with NIST security standards and guidelines within one year of the publication date (February 2005) unless otherwise directed. Information systems that are under development are expected to be compliant upon deployment.


Area Level
Access Control 51 %
Awareness and Training 30 %
Audit and Accountability 58 %
Security Assessment and Authorization 75 %
Configuration Management 82 %
Contingency Planning 69 %
Identification and Authentication 42 %
Incident Response 67 %
Maintenance 80 %
Media Protection 52 %
Physical and Environmental Protection 86 %
Planning 37 %
Program Management 66 %
Personnel Security 90 %
Risk Assessment 38 %
System and Services Acquisition 65 %
System and Communications Protection 59 %
System and Information Integrity 59 %

Access Control

Item ID Description Level
AC-1 Access Control Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].
AC-10 Concurrent Session Control
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
AC-11 Session Lock
The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-12 Session Termination
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
AC-13 Supervision And Review - Access Control
[Withdrawn: Incorporated into AC-2 and AU-6].
AC-14 Permitted Actions Without Identification Or Authentication
The organization:
a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
AC-15 Automated Marking
[Withdrawn: Incorporated into MP-3].
AC-16 Security Attributes
The organization:
a. Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
b. Ensures that the security attribute associations are made and retained with the information;
c. Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
d. Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
AC-17 Remote Access
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
AC-18 Wireless Access
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections.
AC-19 Access Control For Mobile Devices
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems.
AC-2 Account Management
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers:
1. When accounts are no longer required;
2. When users are terminated or transferred; and
3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on:
1. A valid access authorization;
2. Intended system usage; and
3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
AC-20 Use Of External Information Systems
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems.
AC-21 Information Sharing
The organization:
a. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
AC-22 Publicly Accessible Content
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
AC-23 Data Mining Protection
The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
AC-24 Access Control Decisions
The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
AC-25 Reference Monitor
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
AC-3 Access Enforcement
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-4 Information Flow Enforcement
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
AC-5 Separation Of Duties
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.
AC-6 Least Privilege
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-7 Unsuccessful Logon Attempts
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
AC-8 System Use Notification
The information system:
a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Displays system use information [Assignment: organization-defined conditions], before granting further access;
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Includes a description of the authorized uses of the system.
AC-9 Previous Logon (Access) Notification
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).

Awareness and Training

Item ID Description Level
AT-1 Security Awareness And Training Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
AT-2 Security Awareness Training
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
AT-3 Role-Based Security Training
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
AT-4 Security Training Records
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
AT-5 Contacts With Security Groups And Associations
[Withdrawn: Incorporated into PM-15].

Audit and Accountability

Item ID Description Level
AU-1 Audit And Accountability Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
AU-10 Non-Repudiation
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
AU-11 Audit Record Retention
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-12 Audit Generation
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
AU-13 Monitoring For Information Disclosure
The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
AU-14 Session Audit
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
AU-15 Alternate Audit Capability
The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].
AU-16 Cross-Organizational Auditing
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
AU-2 Audit Events
The organization:
a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-3 Content Of Audit Records
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-4 Audit Storage Capacity
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
AU-5 Response To Audit Processing Failures
The information system:
a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
AU-6 Audit Review, Analysis, And Reporting
The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
b. Reports findings to [Assignment: organization-defined personnel or roles].
AU-7 Audit Reduction And Report Generation
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.
AU-8 Time Stamps
The information system:
a. Uses internal system clocks to generate time stamps for audit records; and
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
AU-9 Protection Of Audit Information
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Security Assessment and Authorization

Item ID Description Level
CA-1 Security Assessment And Authorization Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
b. Reviews and updates the current:
1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and
2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
CA-2 Security Assessments
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
CA-3 System Interconnections
The organization:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CA-4 Security Certification
[Withdrawn: Incorporated into CA-2].
CA-5 Plan Of Action And Milestones
The organization:
a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-6 Security Authorization
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].
CA-7 Continuous Monitoring
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CA-8 Penetration Testing
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
CA-9 Internal System Connections
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

Configuration Management

Item ID Description Level
CM-1 Configuration Management Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency].
CM-10 Software Usage Restrictions
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-11 User-Installed Software
The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
CM-2 Baseline Configuration
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CM-3 Configuration Change Control
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CM-4 Security Impact Analysis
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CM-5 Access Restrictions For Change
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-6 Configuration Settings
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-7 Least Functionality
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CM-8 Information System Component Inventory
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
CM-9 Configuration Management Plan
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.

Contingency Planning

Item ID Description Level
CP-1 Contingency Planning Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency].
CP-10 Information System Recovery And Reconstitution
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CP-11 Alternate Communications Protocols
The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
CP-12 Safe Mode
The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
CP-13 Alternative Security Mechanisms
The organization employs [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
CP-2 Contingency Plan
The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.
CP-3 Contingency Training
The organization provides contingency training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
CP-4 Contingency Plan Testing
The organization:
a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
b. Reviews the contingency plan test results; and
c. Initiates corrective actions, if needed.
CP-5 Contingency Plan Update
[Withdrawn: Incorporated into CP-2].
CP-6 Alternate Storage Site
The organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CP-7 Alternate Processing Site
The organization:
a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.
CP-8 Telecommunications Services
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
CP-9 Information System Backup
The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

Identification and Authentication

Item ID Description Level
IA-1 Identification And Authentication Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency].
IA-10 Adaptive Identification And Authentication
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
IA-11 Re-Authentication
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
IA-2 Identification And Authentication (Organizational Users)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-3 Device Identification And Authentication
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
IA-4 Identifier Management
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
IA-5 Authenticator Management
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
IA-6 Authenticator Feedback
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-7 Cryptographic Module Authentication
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-8 Identification And Authentication (Non-Organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
IA-9 Service Identification And Authentication
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].

Incident Response

Item ID Description Level
IR-1 Incident Response Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].
IR-10 Integrated Information Security Analysis Team
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
IR-2 Incident Response Training
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
IR-3 Incident Response Testing
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
IR-4 Incident Handling
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
IR-5 Incident Monitoring
The organization tracks and documents information system security incidents.
IR-6 Incident Reporting
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
b. Reports security incident information to [Assignment: organization-defined authorities].
IR-7 Incident Response Assistance
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-8 Incident Response Plan
The organization:
a. Develops an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
c. Reviews the incident response plan [Assignment: organization-defined frequency];
d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
f. Protects the incident response plan from unauthorized disclosure and modification.
IR-9 Information Spillage Response
The organization responds to information spills by:
a. Identifying the specific information involved in the information system contamination;
b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
c. Isolating the contaminated information system or system component;
d. Eradicating the information from the contaminated information system or component;
e. Identifying other information systems or system components that may have been subsequently contaminated; and
f. Performing other [Assignment: organization-defined actions].

Maintenance

Item ID Description Level
MA-1 System Maintenance Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
b. Reviews and updates the current:
1. System maintenance policy [Assignment: organization-defined frequency]; and
2. System maintenance procedures [Assignment: organization-defined frequency].
MA-2 Controlled Maintenance
The organization:
a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
MA-3 Maintenance Tools
The organization approves, controls, and monitors information system maintenance tools.
MA-4 Nonlocal Maintenance
The organization:
a. Approves and monitors nonlocal maintenance and diagnostic activities;
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintains records for nonlocal maintenance and diagnostic activities; and
e. Terminates session and network connections when nonlocal maintenance is completed.
MA-5 Maintenance Personnel
The organization:
a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
MA-6 Timely Maintenance
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.

Media Protection

Item ID Description Level
MP-1 Media Protection Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
b. Reviews and updates the current:
1. Media protection policy [Assignment: organization-defined frequency]; and
2. Media protection procedures [Assignment: organization-defined frequency].
MP-2 Media Access
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
MP-3 Media Marking
The organization:
a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
MP-4 Media Storage
The organization:
a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5 Media Transport
The organization:
a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
b. Maintains accountability for information system media during transport outside of controlled areas;
c. Documents activities associated with the transport of information system media; and
d. Restricts the activities associated with the transport of information system media to authorized personnel.
MP-6 Media Sanitization
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
MP-7 Media Use
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
MP-8 Media Downgrading
The organization:
a. Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];
b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
c. Identifies [Assignment: organization-defined information system media requiring downgrading]; and
d. Downgrades the identified information system media using the established process.

Physical and Environmental Protection

Item ID Description Level
PE-1 Physical And Environmental Protection Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
b. Reviews and updates the current:
1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and
2. Physical and environmental protection procedures [Assignment: organization-defined frequency].
PE-10 Emergency Shutoff
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
PE-11 Emergency Power
The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.
PE-12 Emergency Lighting
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-13 Fire Protection
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
PE-14 Temperature And Humidity Controls
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
PE-15 Water Damage Protection
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
PE-16 Delivery And Removal
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
PE-17 Alternate Work Site
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses, as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-18 Location Of Information System Components
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
PE-19 Information Leakage
The organization protects the information system from information leakage due to electromagnetic signals emanations.
PE-2 Physical Access Authorizations
The organization:
a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;
b. Issues authorization credentials for facility access;
c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
d. Removes individuals from the facility access list when access is no longer required.
PE-20 Asset Monitoring And Tracking
The organization:
a. Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
b. Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
PE-3 Physical Access Control
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
e. Secures keys, combinations, and other physical access devices;
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
PE-4 Access Control For Transmission Medium
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
PE-5 Access Control For Output Devices
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-6 Monitoring Physical Access
The organization:
a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinates results of reviews and investigations with the organizational incident response capability.
PE-7 Visitor Control
[Withdrawn: Incorporated into PE-2 and PE-3].
PE-8 Visitor Access Records
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency].
PE-9 Power Equipment And Cabling
The organization protects power equipment and power cabling for the information system from damage and destruction.

Planning

Item ID Description Level
PL-1 Security Planning Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency].
PL-2 System Security Plan
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.
PL-3 System Security Plan Update
[Withdrawn: Incorporated into PL-2].
PL-4 Rules Of Behavior
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
PL-5 Privacy Impact Assessment
[Withdrawn: Incorporated into Appendix J, AR-2].
PL-6 Security-Related Activity Planning
[Withdrawn: Incorporated into PL-2].
PL-7 Security Concept Of Operations
The organization:
a. Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].
PL-8 Information Security Architecture
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
PL-9 Central Management
The organization centrally manages [Assignment: organization-defined security controls and related processes].

Program Management

Item ID Description Level
PM-1 Information Security Program Plan
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification.
PM-10 Security Authorization Process
The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.
PM-11 Mission/Business Process Definition
The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.
PM-12 Insider Threat Program
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
PM-13 Information Security Workforce
The organization establishes an information security workforce development and improvement program.
PM-14 Testing, Training, And Monitoring
The organization:
a. Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
1. Are developed and maintained; and
2. Continue to be executed in a timely manner;
b. Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-15 Contacts With Security Groups And Associations
The organization establishes and institutionalizes contact with selected groups and associations within the security community:
a. To facilitate ongoing security education and training for organizational personnel;
b. To maintain currency with recommended security practices, techniques, and technologies; and
c. To share current security-related information including threats, vulnerabilities, and incidents.
PM-16 Threat Awareness Program
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
PM-2 Senior Information Security Officer
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
PM-3 Information Security Resources
The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.
PM-4 Plan Of Action And Milestones Process
The organization:
a. Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
1. Are developed and maintained;
2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with OMB FISMA reporting requirements.
b. Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
PM-5 Information System Inventory
The organization develops and maintains an inventory of its information systems.
PM-6 Information Security Measures Of Performance
The organization develops, monitors, and reports on the results of information security measures of performance.
PM-7 Enterprise Architecture
The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
PM-8 Critical Infrastructure Plan
The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
PM-9 Risk Management Strategy
The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
b. Implements the risk management strategy consistently across the organization; and
c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

Personnel Security

Item ID Description Level
PS-1 Personnel Security Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency].
PS-2 Position Risk Designation
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
PS-3 Personnel Screening
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
PS-4 Personnel Termination
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
PS-5 Personnel Transfer
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
PS-6 Access Agreements
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
PS-7 Third-Party Personnel Security
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance.
PS-8 Personnel Sanctions
The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Risk Assessment

Item ID Description Level
RA-1 Risk Assessment Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency].
RA-2 Security Categorization
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
RA-3 Risk Assessment
The organization:
a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
c. Reviews risk assessment results [Assignment: organization-defined frequency];
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-4 Risk Assessment Update
[Withdrawn: Incorporated into RA-3].
RA-5 Vulnerability Scanning
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-6 Technical Surveillance Countermeasures Survey
The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]].

System and Services Acquisition

Item ID Description Level
SA-1 System And Services Acquisition Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
b. Reviews and updates the current:
1. System and services acquisition policy [Assignment: organization-defined frequency]; and
2. System and services acquisition procedures [Assignment: organization-defined frequency].
SA-10 Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
SA-11 Developer Security Testing And Evaluation
The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.
SA-12 Supply Chain Protection
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
SA-13 Trustworthiness
The organization:
a. Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
b. Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness.
SA-14 Criticality Analysis
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].
SA-15 Development Process, Standards, And Tools
The organization:
a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:
1. Explicitly addresses security requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].
SA-16 Developer-Provided Training
The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
SA-17 Developer Security Architecture And Design
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
SA-18 Tamper Resistance And Detection
The organization implements a tamper protection program for the information system, system component, or information system service.
SA-19 Component Authenticity
The organization:
a. Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
b. Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
SA-2 Allocation Of Resources
The organization:
a. Determines information security requirements for the information system or information system service in mission/business process planning;
b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
c. Establishes a discrete line item for information security in organizational programming and budgeting documentation.
SA-20 Customized Development Of Critical Components
The organization re-implements or custom develops [Assignment: organization-defined critical information system components].
SA-21 Developer Screening
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
a. Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
b. Satisfy [Assignment: organization-defined additional personnel screening criteria].
SA-22 Unsupported System Components
The organization:
a. Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
b. Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
SA-3 System Development Life Cycle
The organization:
a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
b. Defines and documents information security roles and responsibilities throughout the system development life cycle;
c. Identifies individuals having information security roles and responsibilities; and
d. Integrates the organizational information security risk management process into system development life cycle activities.
SA-4 Acquisition Process
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
SA-5 Information System Documentation
The organization:
a. Obtains administrator documentation for the information system, system component, or information system service that describes:
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security functions/mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
b. Obtains user documentation for the information system, system component, or information system service that describes:
1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
3. User responsibilities in maintaining the security of the system, component, or service;
c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;
d. Protects documentation as required, in accordance with the risk management strategy; and
e. Distributes documentation to [Assignment: organization-defined personnel or roles].
SA-6 Software Usage Restrictions
[Withdrawn: Incorporated into CM-10 and SI-7].
SA-7 User-Installed Software
[Withdrawn: Incorporated into CM-11 and SI-7].
SA-8 Security Engineering Principles
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
SA-9 External Information System Services
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

System and Communications Protection

Item ID Description Level
SC-1 System And Communications Protection Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency].
SC-10 Network Disconnect
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
SC-11 Trusted Path
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].
SC-12 Cryptographic Key Establishment And Management
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
SC-13 Cryptographic Protection
The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-14 Public Access Protections
[Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10].
SC-15 Collaborative Computing Devices
The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.
SC-16 Transmission Of Security Attributes
The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
SC-17 Public Key Infrastructure Certificates
The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.
SC-18 Mobile Code
The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system.
SC-19 Voice Over Internet Protocol
The organization:
a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of VoIP within the information system.
SC-2 Application Partitioning
The information system separates user functionality (including user interface services) from information system management functionality.
SC-20 Secure Name / Address Resolution Service (Authoritative Source)
The information system:
a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22 Architecture And Provisioning For Name / Address Resolution Service
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
SC-23 Session Authenticity
The information system protects the authenticity of communications sessions.
SC-24 Fail In Known State
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
SC-25 Thin Nodes
The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage.
SC-26 Honeypots
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
SC-27 Platform-Independent Applications
The information system includes: [Assignment: organization-defined platform-independent applications].
SC-28 Protection Of Information At Rest
The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
SC-29 Heterogeneity
The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.
SC-3 Security Function Isolation
The information system isolates security functions from nonsecurity functions.
SC-30 Concealment And Misdirection
The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries.
SC-31 Covert Channel Analysis
The organization:
a. Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
b. Estimates the maximum bandwidth of those channels.
SC-32 Information System Partitioning
The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].
SC-33 Transmission Preparation Integrity
[Withdrawn: Incorporated into SC-8].
SC-34 Non-Modifiable Executable Programs
The information system at [Assignment: organization-defined information system components]:
a. Loads and executes the operating environment from hardware-enforced, read-only media; and
b. Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.
SC-35 Honeyclients
The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.
SC-36 Distributed Processing And Storage
The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations.
SC-37 Out-Of-Band Channels
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].
SC-38 Operations Security
The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.
SC-39 Process Isolation
The information system maintains a separate execution domain for each executing process.
SC-4 Information In Shared Resources
The information system prevents unauthorized and unintended information transfer via shared system resources.
SC-40 Wireless Link Protection
The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
SC-41 Port And I/O Device Access
The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].
SC-42 Sensor Capability And Data
The information system:
a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
b. Provides an explicit indication of sensor use to [Assignment: organization-defined class of users].
SC-43 Usage Restrictions
The organization:
a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
b. Authorizes, monitors, and controls the use of such components within the information system.
SC-44 Detonation Chambers
The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].
SC-5 Denial Of Service Protection
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].
SC-6 Resource Availability
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined security safeguards]].
SC-7 Boundary Protection
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
SC-8 Transmission Confidentiality And Integrity
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
SC-9 Transmission Confidentiality
[Withdrawn: Incorporated into SC-8].

System and Information Integrity

Item ID Description Level
SI-1 System And Information Integrity Policy And Procedures
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy [Assignment: organization-defined frequency]; and
2. System and information integrity procedures [Assignment: organization-defined frequency].
SI-10 Information Input Validation
The information system checks the validity of [Assignment: organization-defined information inputs].
SI-11 Error Handling
The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles].
SI-12 Information Handling And Retention
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-13 Predictable Failure Prevention
The organization:
a. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
b. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].
SI-14 Non-Persistence
The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].
SI-15 Information Output Filtering
The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.
SI-16 Memory Protection
The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
SI-17 Fail-Safe Procedures
The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].
SI-2 Flaw Remediation
The organization:
a. Identifies, reports, and corrects information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process.
SI-3 Malicious Code Protection
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
SI-4 Information System Monitoring
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
SI-5 Security Alerts, Advisories, And Directives
The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
SI-6 Security Function Verification
The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
SI-7 Software, Firmware, And Information Integrity
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
SI-8 Spam Protection
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
SI-9 Information Input Restrictions
[Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6].

PCI-DSS Level: Milestone #0


The Payment Card Industry Data Security Standard (PCI DSS) consists of a minimum set of requirements that every merchant and/or service provider must meet in order to protect the cardholder data of their customers. The standard was formulated by the PCI Security Standards Council, which was formed by the five major card companies MasterCard, American Express, VISA, JCB and Discover. This set of requirements serves as a guideline to ensure the protection and security of cardholder information. Compliance with the PCI DSS is mandatory for all organizations that store, process or transmit cardholder data, so that their users can carry out secure card transactions.


Area Level
Milestone #0 33 %
Milestone #6 7 %
Milestone #1 7 %
Milestone #2 7 %
Milestone #4 9 %
Milestone #3 9 %
Milestone #5 6 %

Milestone #0

Item ID Description Level
1.1 Establish and implement firewall and router configuration standards that include the following:
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.3 Record at least the following audit trail entries for all system components for each event:
10.5 Secure audit trails so they cannot be altered.
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.

Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.
3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse:

Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys—such key-encrypting keys must be at least as strong as the data-encrypting key.
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:

Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 Establish an access control system(s) for system components that restricts access based on a user’s need to know, and is set to "deny all" unless specifically allowed.
This access control system(s) must include the following:
8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
9.4 Implement procedures to identify and authorize visitors.
Procedures should include the following:
9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:
9.7 Maintain strict control over the storage and accessibility of media.
9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.

Milestone #6

Item ID Description Level
1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.5 Description of groups, roles, and responsibilities for management of network components
1.1.7 Requirement to review firewall and router rule sets at least every six months
12.1 Establish, publish, maintain, and disseminate a security policy.
12.1.1 Review the security policy at least annually and update the policy when the environment changes.
12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
• Daily log reviews
• Firewall rule-set reviews
• Applying configuration standards to new systems
• Responding to security alerts
• Change management processes

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
12.11.1 Additional requirement for service providers only: Maintain documentation of quarterly review process to include:
• Documenting results of the reviews
• Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
12.3 Develop usage policies for critical technologies and define proper use of these technologies.

Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.

Ensure these usage policies require the following:
12.3.1 Explicit approval by authorized parties
12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.
Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
12.3.2 Authentication for use of the technology
12.3.3 A list of all such devices and personnel with access
12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)
12.3.5 Acceptable uses of the technology
12.3.6 Acceptable network locations for the technologies
12.3.7 List of company-approved products
12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance
• Defining a charter for a PCI DSS compliance program and communication to executive management

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
12.5 Assign to an individual or team the following information security management responsibilities:
12.5.1 Establish, document, and distribute security policies and procedures.
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
12.5.4 Administer user accounts, including additions, deletions, and modifications.
12.5.5 Monitor and control all access to data.
12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
12.6.1 Educate personnel upon hire and at least annually.

Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
6.4.5 Change control procedures must include the following:
6.4.5.1 Documentation of impact.
6.4.5.2 Documented change approval by authorized parties.
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.
6.4.5.4 Back-out procedures.
6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

Milestone #1

Item ID Description Level
1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks
1.1.3 Current diagram that shows all cardholder data flows across systems and networks
12.2 Implement a risk-assessment process that:
• Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
• Identifies critical assets, threats, and vulnerabilities, and
• Results in a formal, documented analysis of risk.

Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
• Specific retention requirements for cardholder data
• Processes for secure deletion of data when no longer needed
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
It is permissible for issuers and companies that support issuing services to store sensitive authentication data if:
• There is a business justification and
• The data is stored securely.

Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:
3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
• The cardholder’s name
• Primary account number (PAN)
• Expiration date
• Service code
To minimize risk, store only these data elements as needed for business.
3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.
3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.
9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed.
9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

Milestone #2

Item ID Description Level
1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
1.2.2 Secure and synchronize router configuration files.
1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
(For example, block traffic originating from the Internet with an internal source address.)
1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
1.3.5 Permit only "established" connections into the network.
1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.

Note: Methods to obscure IP addressing may include, but are not limited to:
• Network Address Translation (NAT)
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC1918 address space instead of registered addresses.
1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
• Specific configuration settings are defined.
• Personal firewall (or equivalent functionality) is actively running.
• Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.
1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.

For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all "high risk" vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
11.3 Implement a methodology for penetration testing that includes the following:
• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results.
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
• Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
• Specific incident response procedures
• Business recovery and continuity procedures
• Data backup processes
• Analysis of legal requirements for reporting compromises
• Coverage and responses of all critical system components
• Reference or inclusion of incident response procedures from the payment brands.
12.10.2 Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually.
12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
12.10.4 Provide appropriate training to staff with security breach response responsibilities.
12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
12.8 Maintain and implement policies and procedures to manage service providers, with whom cardholder data is shared, or that could affect the security of cardholder data, as follows
12.8.1 Maintain a list of service providers including a description of the service provided.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.
2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
2.3 Encrypt all non-console administrative access using strong cryptography.

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
2.4 Maintain an inventory of system components that are in scope for PCI DSS.
2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use.

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.

Examples of open, public networks include but are not limited to:
• The Internet
• Wireless technologies, including 802.11 and Bluetooth
• Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
• General Packet Radio Service (GPRS).
• Satellite communications.
4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.
4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are maintained as follows:
• Are kept current,
• Perform periodic scans
• Generate audit logs which are retained per PCI DSS Requirement 10.7.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
8.1.3 Immediately revoke access for any terminated users.
8.1.4 Remove/disable inactive user accounts within 90 days.
8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
• Enabled only during the time period needed and disabled when not in use.
• Monitored when in use.
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric.
8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.
8.2.3 Passwords/passphrases must meet the following:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.

Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
8.2.4 Change user passwords/passphrases at least once every 90 days.
8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.
8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity's network.
8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Note: "Sensitive areas" refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
9.3 Control physical access for onsite personnel to sensitive areas as follows:
• Access must be authorized and based on individual job function.
• Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
9.9.1 Maintain an up-to-date list of devices. The list should include the following:
• Make, model of device
• Location of device (for example, the address of the site or facility where the device is located)
• Device serial number or other method of unique identification.
9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
A2.1 Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either
• Confirm the devices are not susceptible to any known exploits for those protocols.
Or:
• Have a formal Risk Mitigation and Migration Plan in place.
A2.2 Entities with existing implementations (other than as allowed in A2.1) that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
A2.3 Additional Requirement for Service Providers Only: All service providers must provide a secure service offering by June 30, 2016.

Note: Prior to June 30, 2016, the service provider must either have a secure protocol option included in their service offering, or have a documented Risk Mitigation and Migration Plan (per A2.2) that includes a target date for provision of a secure protocol option no later than June 30, 2016. After this date, all service providers must offer a secure protocol option for their service.

Milestone #4

Item ID Description Level
10.1 Implement audit trails to link all access to system components to each individual user.
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
10.2.6 Initialization, stopping, or pausing of the audit logs
10.2.7 Creation and deletion of system-level objects
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

Note: One example of time synchronization technology is Network Time Protocol (NTP).
10.4.1 Critical systems have the correct and consistent time.
10.4.2 Time data is protected.
10.4.3 Time settings are received from industry-accepted time sources.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
10.6.1 Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
10.6.3 Follow up exceptions and anomalies identified during the review process.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
• Firewalls
• IDS/IPS
• FIM
• Anti-virus
• Physical access controls
• Logical access controls
• Audit logging mechanisms
• Segmentation controls (if used)

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
10.8.1 Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
• Restoring security functions
• Identifying and documenting the duration (date and time start to end) of the security failure
• Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
• Identifying and addressing any security issues that arose during the failure
• Performing a risk assessment to determine whether further actions are required as a result of the security failure
• Implementing controls to prevent cause of failure from reoccurring
• Resuming monitoring of security controls

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
11.5.1 Implement a process to respond to any alerts generated by the change-detection solution.
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
7.1.1 Define access needs for each role, including:
• System components and data resources that each role needs to access for their job function
• Level of privilege required (for example, user, administrator, etc.) for accessing resources.
7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
7.1.3 Assign access based on individual personnel’s job classification and function.
7.1.4 Require documented approval by authorized parties specifying required privileges.
7.2.1 Coverage of all system components
7.2.2 Assignment of privileges to individuals based on job classification and function.
7.2.3 Default "deny-all" setting.
7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.
8.4 Document and communicate authentication policies and procedures to all users including:
• Guidance on selecting strong authentication credentials
• Guidance for how users should protect their authentication credentials
• Instructions not to reuse previously used passwords
• Instructions to change passwords if there is any suspicion the password could be compromised.
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
• Generic user IDs are disabled or removed.
• Shared user IDs do not exist for system administration and other critical functions.
• Shared and generic user IDs are not used to administer any system components.
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:

• Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
• Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:

• All user access to, user queries of, and user actions on databases are through programmatic methods.
• Only database administrators have the ability to directly access or query databases.
• Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.

Milestone #3

Item ID Description Level
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards Technology (NIST).
2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
2.2.4 Configure system security parameters to prevent misuse.
2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.

Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.

Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk-assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk" to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
• In accordance with PCI DSS (for example, secure authentication and logging)
• Based on industry standards and/or best practices.
• Incorporating information security throughout the software-development life cycle

Note: This applies to all software developed internally as well as bespoke or custom software developed by a third party.
6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.
6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
• Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
• Code reviews ensure code is developed according to secure coding guidelines
• Appropriate corrections are implemented prior to release.
• Code-review results are reviewed and approved by management prior to release.

Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following:
6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.
6.4.2 Separation of duties between development/test and production environments
6.4.3 Production data (live PANs) are not used for testing or development
6.4.4 Removal of test data and accounts from system components before the system becomes active/goes into production.
6.5 Address common coding vulnerabilities in software-development processes as follows:
• Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
• Develop applications based on secure coding guidelines.

Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
6.5.10 Broken authentication and session management
6.5.2 Buffer overflows
6.5.3 Insecure cryptographic storage
6.5.4 Insecure communications
6.5.5 Improper error handling
6.5.6 All "high risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
6.5.7 Cross-site scripting (XSS)
6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
6.5.9 Cross-site request forgery (CSRF)
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.

• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
A1 Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, per A1.1 through A1.4:

A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS.

Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.
A1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment.
A1.2 Restrict each entity’s access and privileges to its own cardholder data environment only.
A1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10.
A1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.

Milestone #5

Item ID Description Level
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.

Note: This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography, (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures.

Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.

Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements.
3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes:
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
• Description of the key usage for each key.
• Inventory of any HSMs and other SCDs used for key management

Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary.
3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method

Note: It is not required that public keys be stored in one of these forms.
3.5.4 Store cryptographic keys in the fewest possible locations.
3.6.1 Generation of strong cryptographic keys
3.6.2 Secure cryptographic key distribution
3.6.3 Secure cryptographic key storage
3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).
3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.

Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.
3.6.6 If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.

Note: Examples of manual key-management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
3.6.7 Prevention of unauthorized substitution of cryptographic keys.
3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.
3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
• Identifying onsite personnel and visitors (for example, assigning badges)
• Changes to access requirements
• Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
9.4.2 Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
9.4.3 Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.
Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log.
Retain this log for a minimum of three months, unless otherwise restricted by law.
9.5 Physically secure all media.
9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
9.6.1 Classify media so the sensitivity of the data can be determined.
9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.
9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).
9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.

HIPAA Level: 43%


HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.


Area Level
Security Standards: General Rules 36 %
Administrative Safeguards 39 %
Physical Safeguards 49 %
Technical Safeguards 45 %
Organizational Requirements 41 %

Security Standards: General Rules

Item ID Description Level
164.306(a) Ensure Confidentiality, Integrity and Availability
Ensure CIA and protect against threats
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
164.306(b) Flexibility of Approach
Reasonably consider factors in security compliance
(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
164.306(c) Standards
CEs must comply with standards
(c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health information.
164.306(d) Implementation Specifications
Required and Addressable Implementation Specification requirements
(d) Implementation specifications.
In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity--
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
164.306(e) Maintenance
Ongoing review and modification of security measures
(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under § 164.105 and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at § 164.316.

Administrative Safeguards

Item ID Description Level
164.308(a)(1)(i) Security Management Process
P&P to manage security violations
Implement policies and procedures to prevent, detect, contain and correct security violations
164.308(a)(1)(ii)(A) Security Management Process > Risk Analysis (Required)
Conduct vulnerability assessment
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
164.308(a)(1)(ii)(B) Security Management Process > Risk Management (Required)
Implement security measures to reduce risk of security breaches
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec 164.206(a).
164.308(a)(1)(ii)(C) Security Management Process > Sanction Policy (Required)
Worker sanction for P&P violations
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
164.308(a)(1)(ii)(D) Security Management Process > Information System Activity Review (Required)
Procedures to review system activity
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
164.308(a)(2) Assigned Security Responsibility
Identify security official responsible for P&P
Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
164.308(a)(3)(i) Workforce Security
Implement P&P to ensure appropriate PHI access
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
164.308(a)(3)(ii)(A) Workforce Security > Authorization and/or Supervision (Addressable)
Authorization/supervision for PHI access
Implement procedures for authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
164.308(a)(3)(ii)(B) Workforce Security > Clearance Procedure (Addressable)
Procedures to ensure appropriate PHI access
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
164.308(a)(3)(ii)(C) Workforce Security > Termination Procedures (Addressable)
Procedures to terminate PHI access
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determination made as specified in paragraph (a)(3)(ii)(B) of this section.
164.308(a)(4)(i) Information Access Management
P&P to authorize access to PHI
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
164.308(a)(4)(ii)(A) Information Access Management > Isolation Health Clearinghouse Functions (Required)
P&P to separate PHI from other operations
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
164.308(a)(4)(ii)(B) Information Access Management > Access Authorization (Addressable)
P&P to authorize access to PHI
Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process or other mechanism.
164.308(a)(4)(ii)(C) Information Access Management > Access Establishment and Modification (Addressable)
P&P to grant access to PHI
Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
164.308(a)(5)(i) Security Awareness Training
Training program for workers and managers
Implement a security awareness and training program for all members of its workforce (including management).
164.308(a)(5)(ii)(A) Security Awareness Training > Security Reminders (Addressable)
Distribute periodic security updates
Periodic security updates.
164.308(a)(5)(ii)(B) Security Awareness Training > Protection from Malicious Software (Addressable)
Procedures to guard against malicious software
Procedures for guarding against, detecting, and reporting malicious software.
164.308(a)(5)(ii)(C) Security Awareness Training > Log-in Monitoring (Addressable)
Procedures and monitoring of log-in attempts
Procedures for monitoring log-in attempts and reporting discrepancies.
164.308(a)(5)(ii)(D) Security Awareness Training > Password Management (Addressable)
Procedures for password management
Procedures for creating, changing, and safeguarding passwords.
164.308(a)(6)(i) Security Incident Procedures
P&P to manage security incidents
Implement policies and procedures to address security incidents.
164.308(a)(6)(ii) Security Incident Procedures > Response and Reporting (Required)
Mitigate and document security incidents
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
164.308(a)(7)(i) Contingency Plan
Emergency response P&P
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
164.308(a)(7)(ii)(A) Contingency Plan > Data Backup Plan (Required)
Data backup planning & procedures
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
164.308(a)(7)(ii)(B) Contingency Plan > Disaster Recovery Plan (Required)
Data recovery planning & procedures
Establish (and implement as needed) procedures to restore loss of data.
164.308(a)(7)(ii)(C) Contingency Plan > Emergency Mode Operation Plan (Required)
Business continuity procedures
Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
164.308(a)(7)(ii)(D) Contingency Plan > Testing and Revision Procedures (Addressable)
Contingency planning periodic testing procedures
Implement procedures for periodic testing and revision of contingency plans.
164.308(a)(7)(ii)(E) Contingency Plan > Applications and Data Criticality Analysis (Addressable)
Prioritize data and system criticality for contingency planning
Assess the relative criticality of specific applications and data in support of other contingency plan components.
164.308(a)(8) Evaluation
Periodic security evaluation
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
164.308(b)(1) Business Associate Contracts and Other Arrangements
CE implement BACs to ensure safeguards
A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information.
(2) This standard does not apply with respect to -
(i) The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual.
(ii) The transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of § 164.314(b) and § 164.504(f) apply and are met; or
(iii) The transmission of electronic protected health information from or to other agencies providing the services at § 164.502(e)(1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of § 164.502(e)(1)(ii)(C) are met.
(3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.314(a).
164.308(b)(4) Business Associate Contracts and Other Arrangements > Written Contract (Required)
Implement compliant BACs
Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

Physical Safeguards

Item ID Description Level
164.310(a)(1) Facility Access Controls
P&P to limit access to systems and facilities
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
164.310(a)(2)(i) Facility Access Controls > Contingency Operations (Addressable)
Procedures to support emergency operations and recovery
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
164.310(a)(2)(ii) Facility Access Controls > Facility Security Plan (Addressable)
P&P to safeguard equipment and facilities
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
164.310(a)(2)(iii) Facility Access Controls > Access Control Validation Procedures (Addressable)
Facility access procedures for personnel
Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
164.310(a)(2)(iv) Facility Access Controls > Maintenance Records (Addressable)
P&P to document security-related repairs and modifications
Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks).
164.310(b) Workstation Use
P&P to specify workstation environment & use
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
164.310(c) Workstation Security
Physical safeguards for workstation access
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
164.310(d)(1) Device and Media Controls
P&P to govern receipt and removal of hardware and media
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
164.310(d)(2)(i) Device and Media Controls > Disposal (Required)
P&P to manage media and equipment disposal
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
164.310(d)(2)(ii) Device and Media Controls > Media Re-use (Required)
P&P to remove PHI from media and equipment
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
164.310(d)(2)(iii) Device and Media Controls > Accountability (Addressable)
Document hardware and media movement
Maintain a record of the movements of hardware and electronic media and any person responsible therefor.
164.310(d)(2)(iv) Device and Media Controls > Data Backup and Storage (Addressable)
Backup PHI before moving equipment
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Technical Safeguards

Item ID Description Level
164.312(a)(1) Access Control (-)
Technical (administrative) P&P to manage PHI access
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
164.312(a)(2)(i) Access Control > Unique User Identification (Required)
Assign unique IDs to support tracking
Assign a unique name and/or number for identifying and tracking user identity.
164.312(a)(2)(ii) Access Control > Emergency Access Procedure (Required)
Procedures to support emergency access
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
164.312(a)(2)(iii) Access Control > Automatic Logoff (Addressable)
Session termination mechanisms
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
164.312(a)(2)(iv) Access Control > Encryption and Decryption (Addressable)
Mechanism for encryption of stored PHI
Implement a mechanism to encrypt and decrypt electronic protected health information.
164.312(b) Audit Controls
Procedures and mechanisms for monitoring system activity
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
164.312(c)(1) Integrity
P&P to safeguard PHI unauthorized alteration
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
164.312(c)(2) Integrity > Mechanism to Authenticate Electronic Protected Health Information (Addressable)
Mechanisms to corroborate PHI not altered
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
164.312(d) Person or Entity Authentication
Procedures to verify identities
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
164.312(e)(1) Transmission Security
Measures to guard against unauthorized access to transmitted PHI
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
164.312(e)(2)(i) Transmission Security > Integrity Controls (Addressable)
Measures to ensure integrity of PHI on transmission
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
164.312(e)(2)(ii) Transmission Security > Encryption (Addressable)
Mechanism for encryption of transmitted PHI
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Organizational Requirements

Item ID Description Level
164.314(a)(1) Business Associate Contracts or Other Arrangements
CE must ensure BA safeguards PHI
(i) The contract or other arrangement between the covered entity and its business associate required by § 164.308(b) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (a) of this section if the covered entity knew of a pattern of an activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful.
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
164.314(a)(2) Business Associate Contracts or Other Arrangements > Business Associate Contracts (Required)
BACs must contain security language
(i) Business associate contracts. The contract between a covered entity and a business associate must provide that the business associate will--
(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;
(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
(C) Report to the covered entity any security incident of which it becomes aware;
(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
(ii) Other arrangements.
(A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if -
(1) It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or
(2) Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section.
(B) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate as specified in § 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of paragraph (a)(2)(i) of this section, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (a)(2)(ii)(A) of this section, and documents the attempt and the reasons that these assurances cannot be obtained.
(C) The covered entity may omit from its other arrangements authorization of the termination of the contract by the covered entity, as required by paragraph (a)(2)(i)(D) of this section if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
164.314(b)(1) Requirements for Group Health Plans (-)
Plan documents must reflect security safeguards
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
164.314(b)(2)(i) Requirements for Group Health Plans > Implement Safeguards (Required)
Plan sponsor to implement safeguards as appropriate
The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to--
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
164.314(b)(2)(ii) Requirements for Group Health Plans > Ensure Adequate Separation (Required)
Security measures to separate PHI from plan sponsor and plan
Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
164.314(b)(2)(iii) Requirements for Group Health Plans > Ensure Agents Safeguard (Required)
Ensure subcontractors safeguard PHI
Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
164.314(b)(2)(iv) Requirements for Group Health Plans > Report Security Incidents (Required)
Plan sponsors report breaches to health plan
Report to the group health plan any security incident of which it becomes aware.
164.316(a) Policies and Procedures (-)
P&P to ensure safeguards to PHI
A covered entity must, in accordance with § 164.306: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
164.316(b)(1) Policies and Procedures > Documentation (Required)
Document P&P and actions & activities
Documentation.
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
164.316(b)(2)(i) Policies and Procedures > Time Limit (Required)
Retain documentation for 6 years
Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
164.316(b)(2)(ii) Policies and Procedures > Availability (Required)
Documentation available to system administrators
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
164.316(b)(2)(iii) Policies and Procedures > Updates (Required)
Periodic review and updates to changing needs
Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

COBIT Level: 36%


COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework created by the international professional association ISACA for information technology (IT) management and IT governance. COBIT provides an implementable 'set of controls over information technology and organizes them around a logical framework of IT-related processes and enablers.'


Area Level
Align, Plan and Organize 36 %
Build, Acquire and Implement 37 %
Deliver, Service and Support 37 %
Evaluate, Direct and Monitor 34 %
Monitor, Evaluate and Assess 31 %

Align, Plan and Organize

Item ID Description Level
APO01.01 Manage the IT Management Framework > Define the organizational structure.
1. Define the scope, internal and external functions, internal and external roles, and capabilities and decision rights required, including those IT activities performed by third parties.
2. Identify decisions required for the achievement of enterprise outcomes and the IT strategy, and for the management and execution of IT services.
3. Establish the involvement of stakeholders who are critical to decision making (accountable, responsible, consulted or informed).
4. Align the IT-related organization with enterprise architecture organizational models.
5. Define the focus, roles and responsibilities of each function within the IT-related organizational structure.
6. Define the management structures and relationships to support the functions and roles of management and execution, in alignment with the governance direction set.
7. Establish an IT strategy committee (or equivalent) at the board level. This committee should ensure that governance of IT, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.
8. Establish an IT steering committee (or equivalent) composed of executive, business and IT management to determine prioritization of IT-enabled investment programmes in line with the enterprise’s business strategy and priorities; track status of projects and resolve resource conflicts; and monitor service levels and service improvements.
9. Provide guidelines for each management structure (including mandate, objectives, meeting attendees, timing, tracking, supervision and oversight) as well as required inputs for and expected outcomes of meetings.
10. Define ground rules for communication by identifying communication needs, and implementing plans based on those needs, considering top-down, bottom-up and horizontal communication.
11. Establish and maintain an optimal co-ordination, communication and liaison structure between the business and IT functions within the enterprise and with entities outside the enterprise.
12. Regularly verify the adequacy and effectiveness of the organizational structure.
APO01.02 Manage the IT Management Framework > Establish roles and responsibilities.
1. Establish, agree on and communicate IT-related roles and responsibilities for all personnel in the enterprise, in alignment with business needs and objectives. Clearly delineate responsibilities and accountabilities, especially for decision making and approvals.
2. Consider requirements from enterprise and IT service continuity when defining roles, including staff back-up and cross-training requirements.
3. Provide input to the IT service continuity process by maintaining up-to-date contact information and role descriptions in the enterprise.
4. Include in role and responsibility descriptions adherence to management policies and procedures, the code of ethics, and professional practices.
5. Implement adequate supervisory practices to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review performance. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.
6. Ensure that accountability is defined through roles and responsibilities.
7. Structure roles and responsibilities to reduce the possibility for a single role to compromise a critical process.
APO01.03 Manage the IT Management Framework > Maintain the enablers of the management system.
1. Obtain an understanding of the enterprise vision, direction and strategy.
2. Consider the enterprise’s internal environment, including management culture and philosophy, risk tolerance, security, ethical values, code of conduct, accountability, and requirements for management integrity.
3. Derive and integrate IT principles with business principles.
4. Align the IT control environment with the overall IT policy environment, IT governance and IT process frameworks, and existing enterprise-level risk and control frameworks. Assess industry-specific good practices or requirements (e.g., industry-specific regulations) and integrate them where appropriate.
5. Align with any applicable national and international governance and management standards and codes of practice, and evaluate available good practices such as COSO’s Internal Control—Integrated Framework and COSO’s Enterprise Risk Management—Integrated Framework.
6. Create a set of policies to drive the IT control expectations on relevant key topics such as quality, security, confidentiality, internal controls, usage of IT assets, ethics and intellectual property rights.
7. Evaluate and update the policies at least yearly to accommodate changing operating or business environments.
8. Roll out and enforce IT policies to all relevant staff, so they are built into, and are an integral part of, enterprise operations.
9. Ensure that procedures are in place to track compliance with policies and define the consequences of non-compliance.
APO01.04 Manage the IT Management Framework > Communicate management objectives and direction.
1. Continuously communicate IT objectives and direction. Ensure that communications are supported by executive management in action and words, using all available channels.
2. Ensure that the information communicated encompasses a clearly articulated mission, service objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, roles and responsibilities, etc. Communicate the information at the appropriate level of detail for the respective audiences within the enterprise.
3. Provide sufficient and skilled resources to support the communication process.
APO01.05 Manage the IT Management Framework > Optimize the placement of the IT function.
1. Understand the context for the placement of the IT function, including an assessment of the enterprise strategy and operating model (centralized, federated, decentralized, hybrid), importance of IT, and sourcing situation and options.
2. Identify, evaluate and prioritize options for organizational placement, sourcing and operating models.
3. Define placement of the IT function and obtain agreement.
APO01.06 Manage the IT Management Framework > Define information (data) and system ownership.
1. Provide policies and guidelines to ensure appropriate and consistent enterprise wide classification of information (data).
2. Define, maintain and provide appropriate tools, techniques and guidelines to provide effective security and controls over information and information systems in collaboration with the owner.
3. Create and maintain an inventory of information (systems and data) that includes a listing of owners, custodians and classifications. Include systems that are outsourced and those for which ownership should stay within the enterprise.
4. Define and implement procedures to ensure the integrity and consistency of all information stored in electronic form such as databases, data warehouses and data archives.
APO01.07 Manage the IT Management Framework > Manage continual improvement of processes.
1. Identify business-critical processes based on performance and conformance drivers and related risk. Assess process capability and identify improvement targets. Analyze gaps in process capability and control. Identify options for improvement and redesign of the process. Prioritize initiatives for process improvement based on potential benefits and costs.
2. Implement agreed-on improvements, operate as normal business practice, and set performance goals and metrics to enable monitoring of process improvements.
3. Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardization and automation of the process).
4. Apply quality management practices to update the process.
5. Retire outdated processes, process components or enablers.
APO01.08 Manage the IT Management Framework > Maintain compliance with policies and procedures.
1. Track compliance with policies and procedures.
2. Analyze non-compliance and take appropriate action (this could include changing requirements).
3. Integrate performance and compliance into individual staff members’ performance objectives.
4. Regularly assess the performance of the framework’s enablers and take appropriate action.
5. Analyze trends in performance and compliance and take appropriate action.
APO02.01 Manage Strategy > Understand enterprise direction.
1. Develop and maintain an understanding of enterprise strategy and objectives, as well as the current enterprise operational environment and challenges.
2. Develop and maintain an understanding of the external environment of the enterprise.
3. Identify key stakeholders and obtain insight on their requirements.
4. Identify and analyze sources of change in the enterprise and external environments.
5. Ascertain priorities for strategic change.
6. Understand the current enterprise architecture and work with the enterprise architecture process to determine any potential architectural gaps.
APO02.02 Manage Strategy > Assess the current environment, capabilities and performance.
1. Develop a baseline of the current business and IT environment, capabilities and services against which future requirements can be compared. Include the relevant high-level detail of the current enterprise architecture (business, information, data, applications and technology domains), business processes, IT processes and procedures, the IT organization structure, external service provision, governance of IT, and enterprise-wide IT-related skills and competencies.
2. Identify risk from current, potential and declining technologies.
3. Identify gaps between current business and IT capabilities and services and reference standards and best practices, competitor business and IT capabilities, and comparative benchmarks of best practice and emerging IT service provision.
4. Identify issues, strengths, opportunities and threats in the current environment, capabilities and services to understand current performance. Identify areas for improvement in terms of IT’s contribution to enterprise objectives.
APO02.03 Manage Strategy > Define the target IT capabilities.
1. Consider validated emerging technology or innovation ideas.
2. Identify threats from declining, current and newly acquired technologies.
3. Define high-level IT objectives/goals and how they will contribute to the enterprise’s business objectives.
4. Define required and desired business process and IT capabilities and IT services and describe the high-level changes in the enterprise architecture (business, information, data, applications and technology domains), business and IT processes and procedures, the IT organization structure, IT service providers, governance of IT, and IT skills and competencies.
5. Align and agree with the enterprise architect on proposed enterprise architecture changes.
6. Demonstrate traceability to the enterprise strategy and requirements.
APO02.04 Manage Strategy > Conduct a gap analysis.
1. Identify all gaps and changes required to realize the target environment.
2. Consider the high-level implications of all gaps. Consider the value of potential changes to business and IT capabilities, IT services and enterprise architecture, and the implications if no changes are realized.
3. Assess the impact of potential changes on the business and IT operating models, IT research and development capabilities, and IT investment programmes.
4. Refine the target environment definition and prepare a value statement with the benefits of the target environment.
APO02.05 Manage Strategy > Define the strategic plan and road map.
1. Define the initiatives required to close gaps and migrate from the current to the target environment, including investment/operational budget, funding sources, sourcing strategy and acquisition strategy.
2. Identify and adequately address risk, costs and implications of organizational changes, technology evolution, regulatory requirements, business process re-engineering, staffing, insourcing and outsourcing opportunities, etc., in the planning process.
3. Determine dependencies, overlaps, synergies and impacts amongst initiatives, and prioritize the initiatives.
4. Identify resource requirements, schedule and investment/operational budgets for each of the initiatives.
5. Create a road map indicating the relative scheduling and interdependencies of the initiatives.
6. Translate the objectives into outcome measures represented by metrics (what) and targets (how much) that can be related to enterprise benefits.
7. Formally obtain support from stakeholders and obtain approval for the plan.
APO02.06 Manage Strategy > Communicate the IT strategy and direction.
1. Develop and maintain a network for endorsing, supporting and driving the IT strategy.
2. Develop a communication plan covering the required messages, target audiences, communication mechanisms/channels and schedules.
3. Prepare a communication package that delivers the plan effectively using available media and technologies.
4. Obtain feedback and update the communication plan and delivery as required.
APO03.01 Manage Enterprise Architecture > Develop the enterprise architecture vision.
1. Identify the key stakeholders and their concerns/objectives, and define the key enterprise requirements to be addressed as well as the architecture views to be developed to satisfy the various stakeholder requirements.
2. Identify the enterprise goals and strategic drivers of the enterprise and define the constraints that must be dealt with, including enterprise-wide constraints and project-specific constraints (time, schedule, resources, etc.).
3. Align architecture objectives with strategic programme priorities.
4. Understand the capabilities and desires of the business, then identify options to realize those capabilities.
5. Assess the enterprise’s readiness for change.
6. Define what is inside and what is outside the scope of the baseline architecture and target architecture efforts, understanding that the baseline and target need not be described at the same level of detail.
7. Confirm and elaborate architecture principles, including enterprise principles. Ensure that any existing definitions are current and clarify any areas of ambiguity.
8. Understand the current enterprise strategic goals and objectives and work with the strategic planning process to ensure that IT-related enterprise architecture opportunities are leveraged in the development of the strategic plan.
9. Based on stakeholder concerns, business capability requirements, scope, constraints and principles, create the architecture vision: a high-level view of the baseline and target architectures.
10. Define the target architecture value propositions, goals and metrics.
11. Identify the enterprise change risk associated with the architecture vision, assess the initial level of risk (e.g., critical, marginal or negligible) and develop a mitigation strategy for each significant risk.
12. Develop an enterprise architecture concept business case, outline plans and statement of architecture work, and secure approval to initiate a project aligned and integrated with the enterprise strategy.
APO03.02 Manage Enterprise Architecture > Define reference architecture.
1. Maintain an architecture repository containing standards, reusable components, modelling artefacts, relationships, dependencies and views to enable uniformity of architectural organization and maintenance.
2. Select reference viewpoints from the architecture repository that will enable the architect to demonstrate how stakeholder concerns are being addressed in the architecture.
3. For each viewpoint, select the models needed to support the specific view required, using selected tools or methods and the appropriate level of decomposition.
4. Develop baseline architectural domain descriptions, using the scope and level of detail necessary to support the target architecture and, to the extent possible, identifying relevant architecture building blocks from the architecture repository.
5. Maintain a process architecture model as part of the baseline and target domain descriptions. Standardize the descriptions and documentation of processes. Define the roles and responsibilities of the process decision makers, process owner, process users, process team and any other process stakeholders who should be involved.
6. Maintain an information architecture model as part of the baseline and target domain descriptions, consistent with the enterprise’s strategy to enable optimal use of information for decision making. Maintain an enterprise data dictionary that promotes a common understanding and a classification scheme that includes details about data ownership, definition of appropriate security levels, and data retention and destruction requirements.
7. Verify the architecture models for internal consistency and accuracy and perform a gap analysis between the baseline and target. Prioritize gaps and define new or modified components that must be developed for the target architecture. Resolve potential impacts such as incompatibilities, inconsistencies or conflicts within the envisioned architecture.
8. Conduct a formal stakeholder review by checking the proposed architecture against the original motivation for the architecture project and the statement of architecture work.
9. Finalize business, information, data, applications and technology domain architectures, and create an architecture definition document.
APO03.03 Manage Enterprise Architecture > Select opportunities and solutions.
1. Determine and confirm key enterprise change attributes, including the enterprise’s culture and how this will impact enterprise architecture implementation, as well as the enterprise’s transition capabilities.
2. Identify any enterprise drivers that would constrain the sequence of implementation, including a review of the enterprise and line of business strategic and business plans, and consideration of the current enterprise architecture maturity.
3. Review and consolidate the gap analysis results between the baseline and target architectures and assess their implications with respect to potential solutions/opportunities, interdependencies and alignment with current IT-enabled programmes.
4. Assess the requirements, gaps, solutions and factors to identify a minimal set of functional requirements whose integration into work packages would lead to a more efficient and effective implementation of the target architecture.
5. Reconcile the consolidated requirements with potential solutions.
6. Refine the initial dependencies, ensuring that any constraints on the implementation and migration plans are identified, and consolidate them into a dependency analysis report.
7. Confirm the enterprise’s readiness for, and the risk associated with, enterprise transformation.
8. Formulate a high-level implementation and migration strategy that will guide the target architecture implementation and structure the transition architectures in alignment with enterprise strategic objectives and time scales.
9. Identify and group major work packages into a coherent set of programmes and projects, respecting the enterprise strategic implementation direction and approach.
10. Develop a series of transition architectures as necessary where the scope of change required to realize the target architecture requires an incremental approach.
APO03.04 Manage Enterprise Architecture > Define architecture implementation.
1. Establish what the implementation and migration plan should include as part of programme and project planning and ensure that it is aligned with the requirements of applicable decision makers.
2. Confirm transition architecture increments and phases and update the architecture definition document.
3. Define architecture implementation governance requirements.
APO03.05 Manage Enterprise Architecture > Provide enterprise architecture services.
1. Confirm scope and priorities and provide guidance for solution development and deployment.
2. Manage the portfolio of enterprise architecture services to ensure alignment with strategic objectives and solution development.
3. Manage enterprise architecture requirements and support with architectural principles, models and building blocks.
4. Identify and align enterprise architecture priorities to value drivers. Define and collect value metrics and measure and communicate enterprise architecture value.
5. Establish a technology forum to provide architectural guidelines, advice on projects and guidance on the selection of technology. Measure compliance with these standards and guidelines, including compliance with external requirements and their business relevance.
APO04.01 Manage Innovation > Create an environment conducive to innovation.
1. Create an innovation plan that includes risk appetite, the envisioned budget to spend on innovation initiatives, and innovation objectives.
2. Provide infrastructure that can be an enabler for innovation, such as collaboration tools for enhancing work between geographic locations and divisions.
3. Create an environment that is conducive to innovation by maintaining relevant HR initiatives, such as innovation recognition and reward programmes, appropriate job rotation, and discretionary time for experimentation.
4. Maintain a programme enabling staff to submit innovation ideas and create an appropriate decision-making structure to assess and take these ideas forward.
5. Encourage innovation ideas from customers, suppliers and business partners.
APO04.02 Manage Innovation > Maintain an understanding of the enterprise environment.
1. Maintain an understanding of the business drivers, enterprise strategy, industry drivers, enterprise operations and other issues so that the potential value-add of technologies or IT innovation can be identified.
2. Conduct regular meetings with business units, divisions and/or other stakeholder entities to understand current business problems, process bottlenecks, or other constraints where emerging technologies or IT innovation can create opportunities.
3. Understand enterprise investment parameters for innovation and new technologies so appropriate strategies are developed.
APO04.03 Manage Innovation > Monitor and scan the technology environment.
1. Understand the enterprise’s interest and potential for adopting new technology innovations and focus awareness efforts on the most opportunistic technology innovations.
2. Perform research and scanning of the external environment, including appropriate web sites, journals and conferences, to identify emerging technologies.
3. Consult with third-party experts where needed to confirm research findings or as a source of information on emerging technologies.
4. Capture staff members’ IT innovation ideas and analyze them for potential implementation.
APO04.04 Manage Innovation > Assess the potential of emerging technologies and innovation ideas.
1. Evaluate identified technologies, considering aspects such as time to reach maturity, inherent risk of new technologies (including potential legal implications), fit with the enterprise architecture, and potential to provide additional value.
2. Identify any issues that may need to be resolved or proven through a proof-of-concept initiative.
3. Scope the proof-of-concept initiative, including desired outcomes, required budget, time frames and responsibilities.
4. Obtain approval for the proof-of-concept initiative.
5. Conduct proof-of-concept initiatives to test emerging technologies or other innovation ideas, identify any issues, and determine whether further implementation or roll-out should be considered based on feasibility and potential ROI.
APO04.05 Manage Innovation > Recommend appropriate further initiatives.
1. Document proof-of-concept results, including guidance and recommendations for trends and innovation programmes.
2. Communicate viable innovation opportunities into the IT strategy and enterprise architecture processes.
3. Follow up on proof-of-concept initiatives to measure the degree to which they have been leveraged in actual investment.
4. Analyze and communicate reasons for rejected proof-of-concept initiatives.
APO04.06 Manage Innovation > Monitor the implementation and use of innovation.
1. Assess the implementation of the new technologies or IT innovations adopted as part of IT strategy and enterprise architecture developments and their realization during programme management of initiatives.
2. Capture lessons learned and opportunities for improvement.
3. Adjust the innovation plan, if required.
4. Identify and evaluate the potential value to be realized from the use of innovation.
APO05.01 Manage Portfolio > Establish the target investment mix.
1. Validate that IT-enabled investments and current IT services are aligned with enterprise vision, enterprise principles, strategic goals and objectives, enterprise architecture vision, and priorities.
2. Obtain a common understanding between IT and the other business functions on the potential opportunities for IT to drive and support the enterprise strategy.
3. Create an investment mix that achieves the right balance amongst a number of dimensions, including an appropriate balance of short- and long-term returns, financial and non-financial benefits, and high- and low-risk investments.
4. Identify the broad categories of information systems, applications, data, IT services, infrastructure, IT assets, resources, skills, practices, controls and relationships needed to support the enterprise strategy.
5. Agree on an IT strategy and goals, taking into account the inter-relationships between the enterprise strategy and the IT services, assets and other resources. Identify and leverage synergies that can be achieved.
APO05.02 Manage Portfolio > Determine the availability and sources of funds.
1. Understand the current availability and commitment of funds, the current approved spending, and the actual amount spent to date.
2. Identify options for obtaining additional funds for IT-enabled investments, internally and from external sources.
3. Determine the implications of the funding source on the investment return expectations.
APO05.03 Manage Portfolio > Evaluate and select programmes to fund.
1. Recognize investment opportunities and classify them in line with the investment portfolio categories. Specify expected enterprise outcome(s), all initiatives required to achieve the expected outcomes, costs, dependencies and risk, and how all would be measured.
2. Perform detailed assessments of all programme business cases, evaluating strategic alignment, enterprise benefits, risk and availability of resources.
3. Assess the impact on the overall investment portfolio of adding candidate programmes, including any changes that might be required to other programmes.
4. Decide which candidate programmes should be moved to the active investment portfolio. Decide whether rejected programmes should be held for future consideration or provided with some seed funding to determine whether the business case can be improved or discarded.
5. Determine the required milestones for each selected programme’s full economic life cycle. Allocate and reserve total programme funding per milestone. Move the programmes into the active investment portfolio.
6. Establish procedures to communicate the cost, benefit and risk-related aspects of these portfolios to the budget prioritization, cost management and benefit management processes.
APO05.04 Manage Portfolio > Monitor, optimize and report on investment portfolio performance.
1. Review the portfolio on a regular basis to identify and exploit synergies, eliminate duplication between programmes, and identify and mitigate risk.
2. When changes occur, re-evaluate and reprioritize the portfolio to ensure that the portfolio is aligned with the business strategy and the target mix of investments is maintained so the portfolio is optimizing overall value. This may require programmes to be changed, deferred or retired, and new programmes to be initiated.
3. Adjust the enterprise targets, forecasts, budgets and, if required, the degree of monitoring to reflect the expenditures to be incurred and enterprise benefits to be realized by programmes in the active investment portfolio. Incorporate programme expenditures into chargeback mechanisms.
4. Provide an accurate view of the performance of the investment portfolio to all stakeholders.
5. Provide management reports for senior management’s review of the enterprise’s progress towards identified goals, stating what still needs to be spent and accomplished over what time frames.
6. Include in the regular performance monitoring information on the extent to which planned objectives have been achieved, risk mitigated, capabilities created, deliverables obtained and performance targets met.
7. Identify deviations for:
• Budget control between actual and budget
• Benefit management of:
– Actual vs. targets for investments for solutions, possibly expressed in terms of ROI, NPV or internal rate of return (IRR)
– The actual trend of service portfolio cost for service delivery productivity improvements
8. Develop metrics for measuring IT’s contribution to the enterprise, and establish appropriate performance targets reflecting the required IT and enterprise capability targets. Use guidance from external experts and benchmark data to develop metrics.
APO05.05 Manage Portfolio > Maintain portfolios.
1. Create and maintain portfolios of IT-enabled investment programs, IT services and IT assets, which form the basis for the current IT budget and support the IT tactical and strategic plans.
2. Work with service delivery managers to maintain the service portfolios and with operations managers and architects to maintain the asset portfolios. Prioritize portfolios to support investment decisions.
3. Remove the program from the active investment portfolio when the desired enterprise benefits have been achieved or when it is clear that benefits will not be achieved within the value criteria set for the program.
APO05.06 Manage Portfolio > Manage benefits achievement.
1. Use the agreed-on metrics and track how benefits are achieved, how they evolve throughout the life cycle of programs and projects, how they are being delivered from IT services, and how they compare to internal and industry benchmarks. Communicate results to stakeholders.
2. Implement corrective action when achieved benefits significantly deviate from expected benefits. Update the business case for new initiatives and implement business process and service improvements as required.
3. Consider obtaining guidance from external experts, industry leaders and comparative benchmarking data to test and improve the metrics and targets.
APO06.01 Manage Budget and Costs > Manage finance and accounting.
1. Define processes, inputs and outputs, and responsibilities in alignment with the enterprise budgeting and cost accounting policies and approach to systematically drive IT budgeting and costing; enable fair, transparent, repeatable and comparable estimation of IT costs and benefits for input to the portfolio of IT-enabled business programs; and ensure that budgets and costs are maintained in the IT asset and services portfolios.
2. Define a classification scheme to identify all IT-related cost elements, how they are allocated across budgets and services, and how they are captured.
3. Use financial and portfolio information to provide input to business cases for new investments in IT assets and services.
4. Define how to analyze, report (to whom and how), and use the budget control and benefit management processes.
5. Establish and maintain practices for financial planning, investment management and decision making, and the optimization of recurring operational costs to deliver maximum value to the enterprise for the least expenditure.
APO06.02 Manage Budget and Costs > Prioritize resource allocation.
1. Establish a decision-making body for prioritizing business and IT resources, including use of external service providers within the high-level budget allocations for IT-enabled programs, IT services and IT assets as established by the strategic and tactical plans. Consider the options for buying or developing capitalized assets and services vs. externally utilized assets and services on a pay-for-use basis.
2. Rank all IT initiatives based on business cases and strategic and tactical plans, and establish procedures to determine budget allocations and cut-off. Establish a procedure to communicate budget decisions and review them with the business unit budget holders.
3. Identify, communicate and resolve significant impacts of budget decisions on business cases, portfolios and strategy plans (e.g., when budgets may require revision due to changing enterprise circumstances, when they are not sufficient to support strategic objectives or business case objectives).
4. Obtain ratification from the executive committee for the overall IT budget changes that negatively impact the entity’s strategic or tactical plans and offer suggested actions to resolve these impacts.
APO06.03 Manage Budget and Costs > Create and maintain budgets.
1. Implement a formal IT budget, including all expected IT costs of IT-enabled programs, IT services and IT assets as directed by the strategy, programs and portfolios.
2. When creating the budget, consider the following components:
• Alignment with the business
• Alignment with the sourcing strategy
• Authorized sources of funding
• Internal resource costs, including personnel, information assets and accommodations
• Third-party costs, including outsourcing contracts, consultants and service providers
• Capital and operational expenses
• Cost elements that depend on the workload
3. Document the rationale to justify contingencies and review them regularly.
4. Instruct process, service and program owners, as well as project and asset managers, to plan budgets.
5. Review the budget plans and make decisions about budget allocations. Compile and adjust the budget based on changing enterprise needs and financial considerations.
6. Record, maintain and communicate the current IT budget, including committed expenditures and current expenditures, considering IT projects recorded in the IT-enabled investment portfolios and operation and maintenance of asset and service portfolios.
7. Monitor the effectiveness of the different aspects of budgeting and use the results to implement improvements to ensure that future budgets are more accurate, reliable and cost-effective.
APO06.04 Manage Budget and Costs > Model and allocate costs.
1. Categorize all IT costs appropriately, including those relating to service providers, according to the enterprise management accounting framework.
2. Inspect service definition catalogues to identify services subject to user chargeback and those that are shared services.
3. Define and agree on a model that:
• Supports the calculation of chargeback rates per service
• Defines how IT costs will be calculated/charged
• Is differentiated, where and when appropriate
• Is aligned with the IT budget
4. Design the cost model to be transparent enough to allow users to identify their actual usage and charges, and to better enable predictability of IT costs and efficient and effective utilization of IT resources.
5. After review with user departments, obtain approval and communicate the IT costing model inputs and outputs to the management of user departments.
6. Communicate changes in the cost/chargeback model with enterprise process owners.
APO06.05 Manage Budget and Costs > Manage costs.
1. Ensure proper authority and independence between IT budget holders and the individuals who capture, analyze and report financial information.
2. Establish time scales for the operation of the cost management process in line with budgeting and accounting requirements.
3. Define a method for the collection of relevant data to identify deviations for:
• Budget control between actual and budget
• Benefit management of:
– Actual vs. targets for investments for solutions; possibly expressed in terms of ROI, NPV or IRR
– The actual trend of service cost for cost optimization of services (e.g., defined as cost per user)
– Actual vs. budget for responsiveness and predictability improvements of solutions delivery
• Cost distribution between direct and indirect (absorbed and unabsorbed) costs
4. Define how costs are consolidated for the appropriate levels in the enterprise and how they will be presented to the stakeholders. The reports provide information to enable the timely identification of required corrective actions.
5. Instruct those responsible for cost management to capture, collect and consolidate the data, and present and report the data to the appropriate budget owners. Budget analysts and owners jointly analyze deviations and compare performance to internal and industry benchmarks. The result of the analysis provides an explanation of significant deviations and the suggested corrective actions.
6. Ensure that the appropriate levels of management review the results of the analysis and approve suggested corrective actions.
7. Align IT budgets and services to the IT infrastructure, enterprise processes and owners who use them.
8. Ensure that changes in cost structures and enterprise needs are identified and budgets and forecasts are revised as required.
9. At regular intervals, and especially when budgets are cut due to financial constraints, identify ways to optimize costs and introduce efficiencies without jeopardizing services.
APO07.01 Manage Human Resources > Maintain adequate and appropriate staffing.
1. Evaluate staffing requirements on a regular basis or upon major changes to ensure that the:
• IT function has sufficient resources to adequately and appropriately support enterprise goals and objectives
• Enterprise has sufficient resources to adequately and appropriately support business processes and controls and IT-enabled initiatives
2. Maintain business and IT personnel recruitment and retention processes in line with the overall enterprise’s personnel policies and procedures.
3. Include background checks in the IT recruitment process for employees, contractors and vendors. The extent and frequency of these checks should depend on the sensitivity and/or criticality of the function.
4. Establish flexible resource arrangements to support changing business needs, such as the use of transfers, external contractors and third-party service arrangements.
5. Ensure that cross-training takes place and there is backup to key staff to reduce single-person dependency.
APO07.02 Manage Human Resources > Identify key IT personnel.
1. Minimize reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning, staff backup, cross-training and job rotation initiatives.
2. As a security precaution, provide guidelines on a minimum time of annual vacation to be taken by key individuals.
3. Take expedient actions regarding job changes, especially job terminations.
4. Regularly test staff backup plans.
APO07.03 Manage Human Resources > Maintain the skills and competencies of personnel.
1. Define the required and currently available skills and competencies of internal and external resources to achieve enterprise, IT and process goals.
2. Provide formal career planning and professional development to encourage competency development, opportunities for personal advancement and reduced dependence on key individuals.
3. Provide access to knowledge repositories to support the development of skills and competencies.
4. Identify gaps between required and available skills and develop action plans to address them on an individual and collective basis, such as training (technical and behavioral skills), recruitment, redeployment and changed sourcing strategies.
5. Develop and deliver training programs based on organizational and process requirements, including requirements for enterprise knowledge, internal control, ethical conduct and security.
6. Conduct regular reviews to assess the evolution of the skills and competencies of the internal and external resources. Review succession planning.
7. Review training materials and programs on a regular basis to ensure adequacy with respect to changing enterprise requirements and their impact on necessary knowledge, skills and abilities.
APO07.04 Manage Human Resources > Evaluate employee job performance.
1. Consider functional/enterprise goals as the context for setting individual goals.
2. Set individual goals aligned with the relevant process goals so that there is a clear contribution to IT and enterprise goals. Base goals on SMART objectives (specific, measurable, achievable, relevant and time-bound) that reflect core competencies, enterprise values and skills required for the role(s).
3. Compile 360-degree performance evaluation results.
4. Implement and communicate a disciplinary process.
5. Provide specific instructions for the use and storage of personal information in the evaluation process, in compliance with applicable personal data and employment legislation.
6. Provide timely feedback regarding performance against the individual’s goals.
7. Implement a remuneration/recognition process that rewards appropriate commitment, competency development and successful attainment of performance goals. Ensure that the process is applied consistently and in line with organizational policies.
8. Develop performance improvement plans based on the results of the evaluation process and identified training and skills development requirements.
APO07.05 Manage Human Resources > Plan and track the usage of IT and business human resources.
1. Create and maintain an inventory of business and IT human resources.
2. Understand the current and future demand for human resources to support the achievement of IT objectives and to deliver services and solutions based on the portfolio of current IT-related initiatives, the future investment portfolio and day-to-day operational needs.
3. Identify shortfalls and provide input into sourcing plans as well as enterprise and IT recruitment processes. Create and review the staffing plan, keeping track of actual usage.
4. Maintain adequate information on the time spent on different tasks, assignments, services or projects.
APO07.06 Manage Human Resources > Manage contract staff.
1. Implement policies and procedures that describe when, how and what type of work can be performed or augmented by consultants and/or contractors, in accordance with the organization's enterprise wide IT procurement policy and the IT control framework.
2. Obtain formal agreement from contractors at the commencement of the contract that they are required to comply with the enterprise’s IT control framework, such as policies for security clearance, physical and logical access control, use of facilities, information confidentiality requirements, and non-disclosure agreements.
3. Advise contractors that management reserves the right to monitor and inspect all usage of IT resources, including email, voice communications, and all programs and data files.
4. Provide contractors with a clear definition of their roles and responsibilities as part of their contracts, including explicit requirements to document their work to agreed-on standards and formats.
5. Review contractors’ work and base the approval of payments on the results.
6. Define all work performed by external parties in formal and unambiguous contracts.
7. Conduct periodic reviews to ensure that contract staff have signed and agreed on all necessary agreements.
8. Conduct periodic reviews to ensure that contractors’ roles and access rights are appropriate and in line with agreements.
APO08.01 Manage Relationships > Understand business expectations.
1. Identify business stakeholders, their interests and their areas of responsibilities.
2. Review current enterprise direction, issues, strategic objectives, and alignment with enterprise architecture.
3. Maintain an awareness of business processes and associated activities and understand demand patterns that relate to service volumes and use.
4. Clarify business expectations for IT-enabled services and solutions and ensure that requirements are defined with associated business acceptance criteria and metrics.
5. Confirm agreement of business expectations, acceptance criteria and metrics to relevant parts of IT by all stakeholders.
6. Manage expectations by ensuring that business units understand priorities, dependencies, financial constraints and the need to schedule requests.
7. Understand the current business environment, process constraints or issues, geographical expansion or contraction, and industry/regulatory drivers.
APO08.02 Manage Relationships > Identify opportunities, risk and constraints for IT to enhance the business.
1. Understand technology trends and new technologies and how these can be applied innovatively to enhance business process performance.
2. Play a proactive role in identifying and communicating with key stakeholders on opportunities, risk and constraints. This includes current and emerging technologies, services and business process models.
3. Collaborate in agreeing on next steps for major new initiatives in co-operation with portfolio management, including business case development.
4. Ensure that the business and IT understand and appreciate the strategic objectives and enterprise architecture vision.
5. Co-ordinate when planning new IT initiatives to ensure integration and alignment with the enterprise architecture.
APO08.03 Manage Relationships > Manage the business relationship.
1. Assign a relationship manager as a single point of contact for each significant business unit. Ensure that a single counterpart is identified in the business organization and the counterpart has business understanding, sufficient technology awareness and the appropriate level of authority.
2. Manage the relationship in a formalized and transparent way that ensures a focus on achieving a common and shared goal of successful enterprise outcomes in support of strategic goals and within the constraint of budgets and risk tolerance.
3. Define and communicate a complaints and escalation procedure to resolve any relationship issues.
4. Plan specific interactions and schedules based on mutually agreed-on objectives and common language (service and performance review meetings, review of new strategies or plans, etc.).
5. Ensure that key decisions are agreed on and approved by relevant accountable stakeholders.
APO08.04 Manage Relationships > Co-ordinate and communicate.
1. Co-ordinate and communicate changes and transition activities such as project or change plans, schedules, release policies, release known errors, and training awareness.
2. Co-ordinate and communicate operational activities, roles and responsibilities, including the definition of request types, hierarchical escalation, major outages (planned and unplanned), and contents and frequency of service reports.
3. Take ownership of the response to the business for major events that may influence the relationship with the business. Provide direct support if required.
4. Maintain an end-to-end communication plan that defines the content, frequency and recipients of service delivery information, including status of value delivered and any risk identified.
APO08.05 Manage Relationships > Provide input to the continual improvement of services.
1. Perform customer and provider satisfaction analysis. Ensure that issues are actioned and report results and status.
2. Work together to identify, communicate and implement improvement initiatives.
3. Work with service management and process owners to ensure that IT-enabled services and service management processes are continually improved and the root causes of any issues are identified and resolved.
APO09.01 Manage Service Agreements > Identify IT services.
1. Assess current IT services and service levels to identify gaps between existing services and the business activities they support. Identify areas for improvement of existing services and service level options.
2. Analyze, study and estimate future demand and confirm capacity of existing IT-enabled services.
3. Analyze business process activities to identify the need for new or redesigned IT services.
4. Compare identified requirements to existing service components in the portfolio. If possible, package existing service components (IT services, service level options and service packages) into new service packages to meet identified business requirements.
5. Where possible, match demands to service packages and create standardized services to obtain overall efficiencies.
6. Regularly review the portfolio of IT services with portfolio management and business relationship management to identify obsolete services. Agree on retirement and propose change.
APO09.02 Manage Service Agreements > Catalogue IT-enabled services.
1. Publish in catalogues relevant live IT-enabled services, service packages and service level options from the portfolio.
2. Continually ensure that the service components in the portfolio and the related service catalogues are complete and up to date.
3. Inform business relationship management of any updates to the service catalogues.
APO09.03 Manage Service Agreements > Define and prepare service agreements.
1. Analyze requirements for new or changed service agreements received from business relationship management to ensure that the requirements can be matched. Consider aspects such as service times, availability, performance, capacity, security, continuity, compliance and regulatory issues, usability, and demand constraints.
2. Draft customer service agreements based on the services, service packages and service level options in the relevant service catalogues.
3. Determine, agree on and document internal operational agreements to underpin the customer service agreements, if applicable.
4. Liaise with supplier management to ensure that appropriate commercial contracts with external service providers underpin the customer service agreements, if applicable.
5. Finalize customer service agreements with business relationship management.
APO09.04 Manage Service Agreements > Monitor and report service levels.
1. Establish and maintain measures to monitor and collect service level data.
2. Evaluate performance and provide regular and formal reporting of service agreement performance, including deviations from the agreed-on values. Distribute this report to business relationship management.
3. Perform regular reviews to forecast and identify trends in service level performance.
4. Provide the appropriate management information to aid performance management.
5. Agree on action plans and remediations for any performance issues or negative trends.
APO09.05 Manage Service Agreements > Review service agreements and contracts.
1. Regularly review service agreements according to the agreed-on terms to ensure that they are effective and up to date and changes in requirements, IT-enabled services, service packages or service level options are taken into account, when appropriate.
APO10.01 Manage Suppliers > Identify and evaluate supplier relationships and contracts.
1. Establish and maintain criteria relating to type, significance and criticality of suppliers and supplier contracts, enabling a focus on preferred and important suppliers.
2. Establish and maintain supplier and contract evaluation criteria to enable overall review and comparison of supplier performance in a consistent way.
3. Identify, record and categorize existing suppliers and contracts according to defined criteria to maintain a detailed register of preferred suppliers that need to be managed carefully.
4. Periodically evaluate and compare the performance of existing and alternative suppliers to identify opportunities or a compelling need to reconsider current supplier contracts.
APO10.02 Manage Suppliers > Select suppliers.
1. Review all RFIs and RFPs to ensure that they:
• Clearly define requirements
• Include a procedure to clarify requirements
• Allow vendors sufficient time to prepare their proposals
• Clearly define award criteria and the decision process
2. Evaluate RFIs and RFPs in accordance with the approved evaluation process/criteria, and maintain documentary evidence of the evaluations. Verify the references of candidate vendors.
3. Select the supplier that best fits the RFP. Document and communicate the decision, and sign the contract.
4. In the specific case of software acquisition, include and enforce the rights and obligations of all parties in the contractual terms. These rights and obligations may include ownership and licensing of intellectual property, maintenance, warranties, arbitration procedures, upgrade terms, and fit for purpose, including security, escrow and access rights.
5. In the specific case of acquisition of development resources, include and enforce the rights and obligations of all parties in the contractual terms. These rights and obligations may include ownership and licensing of intellectual property; fit for purpose, including development methodologies; testing; quality management processes, including required performance criteria; performance reviews; basis for payment; warranties; arbitration procedures; human resource management; and compliance with the enterprise’s policies.
6. Obtain legal advice on resource development acquisition agreements regarding ownership and licensing of intellectual property.
7. In the specific case of acquisition of infrastructure, facilities and related services, include and enforce the rights and obligations of all parties in the contractual terms. These rights and obligations may include service levels, maintenance procedures, access controls, security, performance review, basis for payment and arbitration procedures.
APO10.03 Manage Suppliers > Manage supplier relationships and contracts.
1. Assign relationship owners for all suppliers and make them accountable for the quality of service(s) provided.
2. Specify a formal communication and review process, including supplier interactions and schedules.
3. Agree on, manage, maintain and renew formal contracts with the supplier. Ensure that contracts conform to enterprise standards and legal and regulatory requirements.
4. Within contracts with key service suppliers include provisions for the review of supplier site and internal practices and controls by management or independent third parties.
5. Evaluate the effectiveness of the relationship and identify necessary improvements.
6. Define, communicate and agree on ways to implement required improvements to the relationship.
7. Use established procedures to deal with contract disputes, first using, wherever possible, effective relationships and communications to overcome service problems.
8. Define and formalize roles and responsibilities for each service supplier. Where several suppliers combine to provide a service, consider allocating a lead contractor role to one of the suppliers to take responsibility for an overall contract.
APO10.04 Manage Suppliers > Manage supplier risk.
1. Identify, monitor and, where appropriate, manage risk relating to the supplier’s ability to deliver service efficiently, effectively, securely, reliably and continually.
2. When defining the contract, provide for potential service risk by clearly defining service requirements, including software escrow agreements, alternative suppliers or standby agreements to mitigate possible supplier failure; security and protection of intellectual property (IP); and any legal or regulatory requirements.
APO10.05 Manage Suppliers > Monitor supplier performance and compliance.
1. Define and document criteria to monitor supplier performance aligned with service level agreements and ensure that the supplier regularly and transparently reports on agreed-on criteria.
2. Monitor and review service delivery to ensure that the supplier is providing an acceptable quality of service, meeting requirements and adhering to contract conditions.
3. Review supplier performance and value for money to ensure that they are reliable and competitive, compared with alternative suppliers and market conditions.
4. Request independent reviews of supplier internal practices and controls, if necessary.
5. Record and assess review results periodically and discuss them with the supplier to identify needs and opportunities for improvement.
6. Monitor and evaluate externally available information about the supplier.
APO11.01 Manage Quality > Establish a quality management system (QMS).
1. Ensure that the IT control framework and the business and IT processes include a standard, formal and continuous approach to quality management that is aligned with enterprise requirements. Within the IT control framework and the business and IT processes, identify quality requirements and criteria (e.g., based on legal requirements and requirements from customers).
2. Define roles, tasks, decision rights and responsibilities for quality management in the organizational structure.
3. Define quality management plans for important processes, projects or objectives in alignment with enterprise quality management criteria and policies. Record quality data.
4. Monitor and measure the effectiveness and acceptance of quality management, and improve them when needed.
5. Align IT quality management with an enterprise wide quality system to encourage a standardized and continuous approach to quality.
6. Obtain input from management and external and internal stakeholders on the definition of quality requirements and quality management criteria.
7. Effectively communicate the approach (e.g., through regular, formal quality training programs).
8. Regularly review the continued relevance, efficiency and effectiveness of specific quality management processes. Monitor the achievement of quality objectives.
APO11.02 Manage Quality > Define and manage quality standards, practices and procedures.
1. Define the quality management standards, practices and procedures in line with the IT control framework’s requirements. Use industry best practices for reference when improving and tailoring the enterprise’s quality practices.
2. Consider the benefits and costs of quality certifications.
APO11.03 Manage Quality > Focus quality management on customers.
1. Focus quality management on customers by determining internal and external customer requirements and ensuring alignment of the IT standards and practices. Define and communicate roles and responsibilities concerning conflict resolution between the user/customer and the IT organization.
2. Manage the business needs and expectations for each business process, IT operational service and new solutions, and maintain their quality acceptance criteria. Capture quality acceptance criteria for inclusion in SLAs.
3. Communicate customer requirements and expectations throughout the business and IT organization.
4. Periodically obtain customer views on business process and service provisioning and IT solution delivery, to determine the impact on IT standards and practices and to ensure that customer expectations are met and are acted upon.
5. Regularly monitor and review the QMS against agreed-on acceptance criteria. Include feedback from customers, users and management. Respond to discrepancies in review results to continuously improve the QMS.
6. Capture quality acceptance criteria for inclusion in SLAs.
APO11.04 Manage Quality > Perform quality monitoring, control and reviews.
1. Monitor the quality of processes and services on an ongoing and systematic basis by describing, measuring, analyzing, improving/engineering and controlling the processes.
2. Prepare and conduct quality reviews.
3. Report the review results and initiate improvements where appropriate.
4. Monitor quality of processes, as well as the value quality provides. Ensure that measurement, monitoring and recording of information is used by the process owner to take appropriate corrective and preventive actions.
5. Monitor goal-driven quality metrics aligned to overall quality objectives covering the quality of individual projects and services.
6. Ensure that management and process owners regularly review quality management performance against defined quality metrics.
7. Analyze overall quality management performance results.
APO11.05 Manage Quality > Integrate quality management into solutions for development and service delivery.
1. Integrate quality management practices in solutions development processes and practices.
2. Continuously monitor service levels and incorporate quality management practices in the service delivery processes and practices.
3. Identify and document root causes for non-conformance, and communicate findings to IT management and other stakeholders in a timely manner to enable remedial action to be taken. Where appropriate, perform follow-up reviews.
APO11.06 Manage Quality > Maintain continuous improvement.
1. Maintain and regularly communicate the need for, and benefits of, continuous improvement.
2. Establish a platform to share best practices and to capture information on defects and mistakes to enable learning from them.
3. Identify recurring examples of quality defects, determine their root cause, evaluate their impact and result, and agree on improvement actions with the service and project delivery teams.
4. Identify examples of excellent quality delivery processes that can benefit other services or projects, and share these with the service and project delivery teams to encourage improvement.
5. Promote a culture of quality and continual improvement.
6. Establish a feedback loop between quality management and problem management.
7. Provide employees with training in the methods and tools of continual improvement.
8. Benchmark the results of the quality reviews against internal historical data, industry guidelines, standards and data from similar types of enterprises.
APO12.01 Manage Risk > Collect data.
1. Establish and maintain a method for the collection, classification and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk and multiple risk factors.
2. Record relevant data on the enterprise’s internal and external operating environment that could play a significant role in the management of IT risk.
3. Survey and analyze the historical IT risk data and loss experience from externally available data and trends, industry peers through industry-based event logs, databases, and industry agreements for common event disclosure.
4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT programme and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations.
5. For similar classes of events, organize the collected data and highlight contributing factors. Determine common contributing factors across multiple events.
6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude.
7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external risk factors.
APO12.02 Manage Risk > Analyse risk.
1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis.
2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures.
3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls and estimate residual risk levels.
4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response.
5. Analyze cost-benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Propose the optimal risk response.
6. Specify high-level requirements for projects or programmes that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses.
7. Validate the risk analysis results before using them in decision making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinised for bias.
APO12.03 Manage Risk > Maintain a risk profile.
1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources.
2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyse dependencies and identify weak links.
3. Aggregate current risk scenarios by category, business line and functional area.
4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile.
5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends.
6. Capture information on IT risk events that have materialised, for inclusion in the IT risk profile of the enterprise.
7. Capture information on the status of the risk action plan, for inclusion in the IT risk profile of the enterprise.
APO12.04 Manage Risk > Articulate risk.
1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return.
2. Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal or regulatory considerations.
3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile.
4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis.
5. On a periodic basis, for areas with relative risk and risk capacity parity, identify IT-related opportunities that would allow the acceptance of greater risk and enhanced growth and return.
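As a worked illustration of the risk analysis and articulation steps above (APO12.02 items 3 to 5 and APO12.04 item 1), the following Python script is an example added to this report; it is not part of COBIT or of any assessment tool. It models one IT risk scenario with a range of event frequencies and a range of per-event losses, runs a seeded Monte Carlo simulation to obtain the annual loss distribution with percentiles (the "ranges of loss along with confidence levels" that decision makers need), applies controls to derive residual risk, compares the residual tail exposure to a tolerance threshold and proposes a response option. The scenario, the control effects, the tolerance figure and the 90th-percentile decision rule are all assumptions constructed for the example.

```python
"""Quantitative IT risk scenario analysis (added example, not COBIT text).

Frequency is modelled as a Poisson rate drawn from a range, per-event loss
as a uniform draw from a range. Controls scale frequency and/or loss.
All figures below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass
from statistics import fmean


@dataclass(frozen=True)
class RiskScenario:
    name: str
    freq_min: float   # expected events per year, lower bound
    freq_max: float   # expected events per year, upper bound
    loss_min: float   # loss per event (currency units), lower bound
    loss_max: float   # loss per event, upper bound


@dataclass(frozen=True)
class Control:
    name: str
    freq_reduction: float = 0.0  # fraction of event frequency removed, 0..1
    loss_reduction: float = 0.0  # fraction of per-event loss removed, 0..1


def _poisson(rng, lam):
    """Knuth's method; adequate for the small rates used in risk scenarios."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, controls=(), trials=20000, seed=7):
    """Return a sorted list of simulated total losses for one year."""
    rng = random.Random(seed)
    freq_factor = loss_factor = 1.0
    for c in controls:
        freq_factor *= 1.0 - c.freq_reduction
        loss_factor *= 1.0 - c.loss_reduction
    results = []
    for _ in range(trials):
        lam = rng.uniform(scenario.freq_min, scenario.freq_max) * freq_factor
        events = _poisson(rng, lam)
        total = sum(
            rng.uniform(scenario.loss_min, scenario.loss_max) * loss_factor
            for _ in range(events)
        )
        results.append(total)
    results.sort()
    return results


def percentile(sorted_losses, q):
    """Nearest-rank percentile (q in 0..100) of an ascending sample."""
    n = len(sorted_losses)
    idx = min(n - 1, max(0, math.ceil(q / 100 * n) - 1))
    return sorted_losses[idx]


def summarise(sorted_losses):
    """Figures to report to stakeholders: expected loss plus tail percentiles."""
    return {
        "expected_annual_loss": fmean(sorted_losses),
        "p50": percentile(sorted_losses, 50),
        "p90": percentile(sorted_losses, 90),
        "p95": percentile(sorted_losses, 95),
        "worst_case": sorted_losses[-1],
    }


def propose_response(inherent, residual, tolerance):
    """Compare risk to tolerance and pick a response option.

    Decision rule (an assumption of this example): judge on the 90th
    percentile annual loss so that tail exposure, not only the mean,
    must sit inside tolerance.
    """
    if inherent["p90"] <= tolerance:
        return "accept"
    if residual["p90"] <= tolerance:
        return "reduce/mitigate"
    return "transfer/share or avoid"


if __name__ == "__main__":
    # Constructed scenario: credential stuffing against a customer portal.
    scenario = RiskScenario("credential stuffing", 0.5, 2.0, 10_000, 100_000)
    controls = (Control("MFA", freq_reduction=0.5),
                Control("rate limiting", loss_reduction=0.4))
    tolerance = 100_000  # assumed annual loss tolerance for this scenario
    inherent = summarise(simulate_annual_loss(scenario))
    residual = summarise(simulate_annual_loss(scenario, controls))
    for label, s in (("inherent", inherent), ("residual", residual)):
        print(f"{label}: EAL={s['expected_annual_loss']:,.0f} "
              f"p50={s['p50']:,.0f} p90={s['p90']:,.0f} p95={s['p95']:,.0f}")
    print("proposed response:", propose_response(inherent, residual, tolerance))
```

Reporting the p90 and p95 alongside the expected annual loss gives management the worst-case versus most-probable view that APO12.04 asks for; the same summary, re-run with each candidate control set, is the cost-benefit input for choosing between reduce, transfer, accept or avoid.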
APO12.05 Manage Risk > Define a risk management action portfolio.
1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance. Classify control activities and map them to specific IT risk statements and aggregations of IT risk.
2. Determine whether each organisational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels.
3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost/benefits, effect on current risk profile and regulations.
APO12.06 Manage Risk > Respond to risk.
1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.
2. Categorise incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of reporting, and update the risk profile.
3. Apply the appropriate response plan to minimise the impact when risk incidents occur.
4. Examine past adverse events/losses and missed opportunities and determine root causes. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers and ensure that the cause, response requirements and process improvement are included in risk governance processes.
APO13.01 Manage Security > Establish and maintain an ISMS.
1. Define the scope and boundaries of the ISMS in terms of the characteristics of the enterprise, the organisation, its location, assets and technology. Include details of, and justification for, any exclusions from the scope.
2. Define an ISMS in accordance with enterprise policy and aligned with the enterprise, the organisation, its location, assets and technology.
3. Align the ISMS with the overall enterprise approach to the management of security.
4. Obtain management authorisation to implement and operate or change the ISMS.
5. Prepare and maintain a statement of applicability that describes the scope of the ISMS.
6. Define and communicate information security management roles and responsibilities.
7. Communicate the ISMS approach.
APO13.02 Manage Security > Define and manage an information security risk treatment plan.
1. Formulate and maintain an information security risk treatment plan aligned with strategic objectives and the enterprise architecture. Ensure that the plan identifies the appropriate and optimal management practices and security solutions, with associated resources, responsibilities and priorities for managing identified information security risk.
2. Maintain as part of the enterprise architecture an inventory of solution components that are in place to manage security-related risk.
3. Develop proposals to implement the information security risk treatment plan, supported by suitable business cases, which include consideration of funding and allocation of roles and responsibilities.
4. Provide input to the design and development of management practices and solutions selected from the information security risk treatment plan.
5. Define how to measure the effectiveness of the selected management practices and specify how these measurements are to be used to assess effectiveness to produce comparable and reproducible results.
6. Recommend information security training and awareness programmes.
7. Integrate the planning, design, implementation and monitoring of information security procedures and other controls capable of enabling prompt prevention, detection of security events and response to security incidents.
APO13.03 Manage Security > Monitor and review the ISMS.
1. Undertake regular reviews of the effectiveness of the ISMS including meeting ISMS policy and objectives, and review of security practices. Take into account results of security audits, incidents, results from effectiveness measurements, suggestions and feedback from all interested parties.
2. Conduct internal ISMS audits at planned intervals.
3. Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified.
4. Provide input to the maintenance of the security plans to take into account the findings of monitoring and reviewing activities.
5. Record actions and events that could have an impact on the effectiveness or performance of the ISMS.

Build, Acquire and Implement

Item ID Description Level
BAI01.01 Manage Programmes and Projects > Maintain a standard approach for programme and project management.
1. Maintain and enforce a standard approach to programme and project management aligned to the enterprise’s specific environment and with good practice based on defined process and use of appropriate technology. Ensure that the approach covers the full life cycle and disciplines to be followed, including the management of scope, resources, risk, cost, quality, time, communication, stakeholder involvement, procurement, change control, integration and benefit realisation.
2. Update the programme and project management approach based on lessons learned from its use.
BAI01.02 Manage Programmes and Projects > Initiate a programme.
1. Agree on programme sponsorship and appoint a programme board/committee with members who have strategic interest in the programme, have responsibility for the investment decision making, will be significantly impacted by the programme and will be required to enable delivery of the change.
2. Confirm the programme mandate with sponsors and stakeholders. Articulate the strategic objectives for the programme, potential strategies for delivery, improvement and benefits that are expected to result, and how the programme fits with other initiatives.
3. Develop a detailed business case for a programme, if warranted. Involve all key stakeholders to develop and document a complete understanding of the expected enterprise outcomes, how they will be measured, the full scope of initiatives required, the risk involved and the impact on all aspects of the enterprise. Identify and assess alternative courses of action to achieve the desired enterprise outcomes.
4. Develop a benefits realisation plan that will be managed throughout the programme to ensure that planned benefits always have owners and are achieved, sustained and optimised.
5. Prepare and submit for in-principle approval the initial (conceptual) programme business case, providing essential decision-making information regarding purpose, contribution to business objectives, expected value created, time frames, etc.
6. Appoint a dedicated manager for the programme, with the commensurate competencies and skills to manage the programme effectively and efficiently.
BAI01.03 Manage Programmes and Projects > Manage stakeholder engagement.
1. Plan how stakeholders inside and outside the enterprise will be identified, analysed, engaged and managed through the life cycle of the projects.
2. Identify, engage and manage stakeholders by establishing and maintaining appropriate levels of co-ordination, communication and liaison to ensure that they are involved in the programme/project.
3. Measure the effectiveness of stakeholder engagement and take remedial actions as required.
4. Analyse stakeholder interests and requirements.
BAI01.04 Manage Programmes and Projects > Develop and maintain the programme plan.
1. Define and document the programme plan covering all projects, including what is needed to bring about changes to the enterprise; its image, products and services; business processes; people skills and numbers; relationships with stakeholders, customers, suppliers and others; technology needs; and organisational restructuring required to achieve the programme’s expected enterprise outcomes.
2. Specify required resources and skills to execute the project, including project managers and project teams as well as business resources. Specify funding, cost, schedule and inter-dependencies of multiple projects. Specify the basis for acquiring and assigning competent staff members and/or contractors to the projects. Define the roles and responsibilities for all team members and other interested parties.
3. Assign accountability clearly and unambiguously for each project, including achieving the benefits, controlling the costs, managing the risk and co-ordinating the project activities.
4. Ensure that there is effective communication of programme plans and progress reports amongst all projects and with the overall programme. Ensure that any changes made to individual plans are reflected in the other enterprise programme plans.
5. Maintain the programme plan to ensure that it is up to date and reflects alignment with current strategic objectives, actual progress and material changes to outcomes, benefits, costs and risk. Have the business drive the objectives and prioritise the work throughout to ensure that the programme as designed will meet enterprise requirements. Review progress of individual projects and adjust the projects as necessary to meet scheduled milestones and releases.
6. Update and maintain throughout the programme’s economic life the business case and a benefits register to identify and define key benefits arising from undertaking the programme.
7. Prepare a programme budget that reflects the full economic life cycle costs and the associated financial and non-financial benefits.
BAI01.05 Manage Programmes and Projects > Launch and execute the programme.
1. Plan, resource and commission the necessary projects required to achieve the programme results, based on funding review and approvals at each stage-gate review.
2. Establish agreed-on stages of the development process (development checkpoints). At the end of each stage, facilitate formal discussions of approved criteria with the stakeholders. After successful completion of functionality, performance and quality reviews, and before finalising stage activities, obtain formal approval and sign-off from all stakeholders and the sponsor/business process owner.
3. Undertake a benefits realisation process throughout the programme to ensure that planned benefits always have owners and are likely to be achieved, sustained and optimised. Monitor benefits delivery and report against performance targets at the stage-gate or iteration and release reviews. Perform root cause analysis for deviations from the plan and identify and address any necessary remedial actions.
4. Manage each programme or project to ensure that decision making and delivery activities are focussed on value by achieving benefits for the business and goals in a consistent manner, addressing risk and achieving stakeholder requirements.
5. Set up programme/project management office(s) and plan audits, quality reviews, phase/stage-gate reviews and reviews of realised benefits.
BAI01.06 Manage Programmes and Projects > Monitor, control and report on the programme outcomes.
1. Monitor and control the performance of the overall programme and the projects within the programme, including contributions of the business and IT to the projects, and report in a timely, complete and accurate fashion. Reporting may include schedule, funding, functionality, user satisfaction, internal controls and acceptance of accountabilities.
2. Monitor and control performance against enterprise and IT strategies and goals, and report to management on enterprise changes implemented, benefits realised against the benefits realisation plan, and the adequacy of the benefits realisation process.
3. Monitor and control IT services, assets and resources created or changed as a result of the programme. Note implementation and in-service dates. Report to management on performance levels, sustained service delivery and contribution to value.
4. Manage programme performance against key criteria (e.g., scope, schedule, quality, benefits realisation, costs, risk, velocity), identify deviations from the plan and take timely remedial action when required.
5. Monitor individual project performance related to delivery of the expected capabilities, schedule, benefits realisation, costs, risk or other metrics to identify potential impacts on programme performance. Take timely remedial action when required.
6. Update operational IT portfolios reflecting changes that result from the programme in the relevant IT service, asset or resource portfolios.
7. In accordance with stage-gate, release or iteration review criteria, undertake reviews to report on the progress of the programme so that management can make go/no-go or adjustment decisions and approve further funding up to the following stage-gate, release or iteration.
BAI01.07 Manage Programmes and Projects > Start up and initiate projects within a programme.
1. To create a common understanding of project scope amongst stakeholders, provide to the stakeholders a clear written statement defining the nature, scope and benefit of every project.
2. Ensure that each project has one or more sponsors with sufficient authority to manage execution of the project within the overall programme.
3. Ensure that key stakeholders and sponsors within the enterprise and IT agree on and accept the requirements for the project, including definition of project success (acceptance) criteria and key performance indicators (KPIs).
4. Ensure that the project definition describes the requirements for a project communication plan that identifies internal and external project communications.
5. With the approval of stakeholders, maintain the project definition throughout the project, reflecting changing requirements.
6. To track the execution of a project, put in place mechanisms such as regular reporting and stage-gate, release or phase reviews in a timely manner with appropriate approval.
BAI01.08 Manage Programmes and Projects > Plan projects.
1. Develop a project plan that provides information to enable management to control project progress progressively. The plan should include details of project deliverables and acceptance criteria, required internal and external resources and responsibilities, clear work breakdown structures and work packages, estimates of resources required, milestones/release plan/phases, key dependencies, and identification of a critical path.
2. Maintain the project plan and any dependent plans (e.g., risk plan, quality plan, benefits realisation plan) to ensure that they are up to date and reflect actual progress and approved material changes.
3. Ensure that there is effective communication of project plans and progress reports amongst all projects and with the overall programme. Ensure that any changes made to individual plans are reflected in the other plans.
4. Determine the activities, interdependencies and required collaboration and communication among multiple projects within a programme.
5. Ensure that each milestone is accompanied by a significant deliverable requiring review and sign-off.
6. Establish a project baseline (e.g., cost, schedule, scope, quality) that is appropriately reviewed, approved and incorporated into the integrated project plan.
BAI01.09 Manage Programmes and Projects > Manage programme and project quality.
1. Identify assurance tasks and practices required to support the accreditation of new or modified systems during programme and project planning, and include them in the integrated plans. Ensure that the tasks provide assurance that internal controls and security solutions meet the defined requirements.
2. To provide quality assurance for the project deliverables, identify ownership and responsibilities, quality review processes, success criteria and performance metrics.
3. Define any requirements for independent validation and verification of the quality of deliverables in the plan.
4. Perform quality assurance and control activities in accordance with the quality management plan and QMS.
BAI01.10 Manage Programmes and Projects > Manage programme and project risk.
1. Establish a formal project risk management approach aligned with the ERM framework. Ensure that the approach includes identifying, analysing, responding to, mitigating, monitoring and controlling risk.
2. Assign to appropriately skilled personnel the responsibility for executing the enterprise’s project risk management process within a project and ensuring that this is incorporated into the solution development practices. Consider allocating this role to an independent team, especially if an objective viewpoint is required or a project is considered critical.
3. Perform the project risk assessment of identifying and quantifying risk continuously throughout the project. Manage and communicate risk appropriately within the project governance structure.
4. Reassess project risk periodically, including at initiation of each major project phase and as part of major change request assessments.
5. Identify owners for actions to avoid, accept or mitigate risk.
6. Maintain and review a project risk register of all potential project risk, and a risk mitigation log of all project issues and their resolution. Analyse the log periodically for trends and recurring problems to ensure that root causes are corrected.
BAI01.11 Manage Programmes and Projects > Monitor and control projects.
1. Establish and use a set of project criteria including, but not limited to, scope, schedule, quality, cost and level of risk.
2. Measure project performance against key project performance criteria. Analyse deviations from established key project performance criteria for cause, and assess positive and negative effects on the programme and its component projects.
3. Report to identified key stakeholders project progress within the programme, deviations from established key project performance criteria, and potential positive and negative effects on the programme and its component projects.
4. Monitor changes to the programme and review existing key project performance criteria to determine whether they still represent valid measures of progress.
5. Document and submit any necessary changes to the programme’s key stakeholders for their approval before adoption. Communicate revised criteria to project managers for use in future performance reports.
6. Recommend and monitor remedial action, when required, in line with the programme and project governance framework.
7. Gain approval and sign-off on the deliverables produced in each iteration, release or project phase from designated managers and users in the affected business and IT functions.
8. Base the approval process on clearly defined acceptance criteria agreed on by key stakeholders prior to work commencing on the project phase or iteration deliverable.
9. Assess the project at agreed-on major stage-gates, releases or iterations and make formal go/no-go decisions based on predetermined critical success criteria.
10. Establish and operate a change control system for the project so that all changes to the project baseline (e.g., cost, schedule, scope, quality) are appropriately reviewed, approved and incorporated into the integrated project plan in line with the programme and project governance framework.
BAI01.12 Manage Programmes and Projects > Manage project resources and work packages.
1. Identify business and IT resource needs for the project and clearly map appropriate roles and responsibilities, with escalation and decision-making authorities agreed on and understood.
2. Identify required skills and time requirements for all individuals involved in the project phases in relation to defined roles. Staff the roles based on available skills information (e.g., IT skills matrix).
3. Utilise experienced project management and team leader resources with skills appropriate to the size, complexity and risk of the project.
4. Consider and clearly define the roles and responsibilities of other involved parties, including finance, legal, procurement, HR, internal audit and compliance.
5. Clearly define and agree on the responsibility for procurement and management of third-party products and services, and manage the relationships.
6. Identify and authorise the execution of the work according to the project plan.
7. Identify project plan gaps and provide feedback to the project manager to remediate.
BAI01.13 Manage Programmes and Projects > Close a project or iteration.
1. Define and apply key steps for project closure, including post-implementation reviews that assess whether a project attained desired results and benefits.
2. Plan and execute post-implementation reviews to determine whether projects delivered expected benefits and to improve the project management and system development process methodology.
3. Identify, assign, communicate and track any uncompleted activities required to achieve planned programme/project results and benefits.
4. Regularly, and upon completion of the project, collect from the project participants the lessons learned. Review them and key activities that led to delivered benefits and value. Analyse the data and make recommendations for improving the current project as well as project management method for future projects.
5. Obtain stakeholder acceptance of project deliverables and transfer ownership.
BAI01.14 Manage Programmes and Projects > Close a programme.
1. Bring the programme to an orderly closure, including formal approval, disbanding of the programme organisation and supporting function, validation of deliverables, and communication of retirement.
2. Review and document lessons learned. Once the programme is retired, remove it from the active investment portfolio.
3. Put accountability and processes in place to ensure that the enterprise continues to optimise value from the service, asset or resources. Additional investments may be required at some future time to ensure that this occurs.
BAI02.01 Manage Requirements Definition > Define and maintain business functional and technical requirements.
1. Define and implement a requirements definition and maintenance procedure and a requirements repository that are appropriate for the size, complexity, objectives and risk of the initiative that the enterprise is considering undertaking.
2. Express business requirements in terms of how the gap between current and desired business capabilities needs to be addressed and how a role will interact with and use the solution.
3. Throughout the project, elicit, analyse and confirm that all stakeholder requirements, including relevant acceptance criteria, are considered, captured, prioritised and recorded in a way that is understandable to the stakeholders, business sponsors and technical implementation personnel, recognising that the requirements may change and will become more detailed as they are implemented.
4. Specify and prioritise the information, functional and technical requirements based on the confirmed stakeholder requirements. Include information control requirements in the business processes, automated processes and IT environments to address information risk and to comply with laws, regulations and commercial contracts.
5. Validate all requirements through approaches such as peer review, model validation or operational prototyping.
6. Confirm acceptance of key aspects of the requirements, including enterprise rules, information controls, business continuity, legal and regulatory compliance, auditability, ergonomics, operability and usability, safety, and supporting documentation.
7. Track and control scope, requirements and changes through the life cycle of the solution throughout the project as understanding of the solution evolves.
8. Consider requirements relating to enterprise policies and standards, enterprise architecture, strategic and tactical IT plans, in-house and outsourced business and IT processes, security requirements, regulatory requirements, people competencies, organisational structure, business case, and enabling technology.
BAI02.02 Manage Requirements Definition > Perform a feasibility study and formulate alternative solutions.
1. Define and execute a feasibility study, pilot or basic working solution that clearly and concisely describes the alternative solutions that will satisfy the business and functional requirements. Include an evaluation of their technological and economic feasibility.
2. Identify required actions for solution acquisition or development based on the enterprise architecture, and take into account scope and/or time and/or budget limitations.
3. Review the alternative solutions with all stakeholders and select the most appropriate one based on feasibility criteria, including risk and cost.
4. Translate the preferred course of action into a high-level acquisition/development plan identifying resources to be used and stages requiring a go/no-go decision.
BAI02.03 Manage Requirements Definition > Manage requirements risk.
1. Involve the stakeholders to create a list of potential quality, functional, and technical requirements and risk related to information processing (due to, e.g., lack of user involvement, unrealistic expectations, developers adding unnecessary functionality).
2. Analyse and prioritise the requirements risk according to probability and impact. If applicable, determine budget and schedule impacts.
3. Identify ways to control, avoid or mitigate the requirements risk in order of priority.
BAI02.04 Manage Requirements Definition > Obtain approval of requirements and solutions.
1. Ensure that the business sponsor or product owner makes the final decision with respect to the choice of solution, acquisition approach and high-level design, according to the business case. Co-ordinate feedback from affected stakeholders and obtain sign-off from appropriate business and technical authorities (e.g., business process owner, enterprise architect, operations manager, security) for the proposed approach.
2. Obtain quality reviews throughout, and at the end of, each key project stage, iteration or release to assess the results against the original acceptance criteria. Have business sponsors and other stakeholders sign off on each successful quality review.
BAI03.01 Manage Solutions Identification and Build > Design high-level solutions.
1. Establish a high-level design specification that translates the proposed solution into business processes, supporting services, applications, infrastructure, and information repositories capable of meeting business and enterprise architecture requirements.
2. Involve appropriately qualified and experienced users and IT specialists in the design process to make sure that the design provides a solution that optimally uses the proposed IT capabilities to enhance the business process.
3. Create a design that is compliant with the organisation’s design standards, at a level of detail that is appropriate for the solution and development method and consistent with business, enterprise and IT strategies, the enterprise architecture, security plan, and applicable laws, regulations and contracts.
4. After quality assurance approval, submit the final high-level design to the project stakeholders and the sponsor/business process owner, for approval based on agreed-on criteria. This design will evolve throughout the project as understanding grows.
BAI03.02 Manage Solutions Identification and Build > Design detailed solution components.
1. Design progressively the business process activities and work flows that need to be performed in conjunction with the new application system to meet the enterprise objectives, including the design of the manual control activities.
2. Design the application processing steps, including specification of transaction types and business processing rules, automated controls, data definitions/business objects, use cases, external interfaces, design constraints, and other requirements (e.g., licensing, legal, standards and internationalisation/localisation).
3. Classify data inputs and outputs according to enterprise architecture standards. Specify the source data collection design, documenting the data inputs (regardless of source) and validation for processing transactions as well as the methods for validation. Design the identified outputs, including data sources.
4. Design system/solution interface, including any automated data exchange.
5. Design data storage, location, retrieval and recoverability.
6. Design appropriate redundancy, recovery and backup.
7. Design the interface between the user and the system application so that it is easy to use and self-documenting.
8. Consider the impact of the solution’s need for infrastructure performance, being sensitive to the number of computing assets, bandwidth intensity and time sensitivity of the information.
9. Proactively evaluate for design weaknesses (e.g., inconsistencies, lack of clarity, potential flaws) throughout the life cycle, identifying improvements when required.
10. Provide an ability to audit transactions and identify root causes of processing errors.
BAI03.03 Manage Solutions Identification and Build > Develop solution components.
1. Develop business processes, supporting services, applications and infrastructure, and information repositories based on agreed-on specifications and business, functional and technical requirements.
2. When third-party providers are involved with the solution development, ensure that maintenance, support, development standards and licensing are addressed and adhered to in contractual obligations.
3. Track change requests and design, performance and quality reviews, ensuring active participation of all impacted stakeholders.
4. Document all solution components according to defined standards and maintain version control over all developed components and associated documentation.
5. Assess the impact of solution customisation and configuration on the performance and efficiency of acquired solutions and on inter-operability with existing applications, operating systems and other infrastructure. Adapt business processes as required to leverage the application capability.
6. Ensure that responsibilities for using high security or restricted access infrastructure components are clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
BAI03.04 Manage Solutions Identification and Build > Procure solution components.
1. Create and maintain a plan for the acquisition of solution components, considering future flexibility for capacity additions, transition costs, risk and upgrades over the lifetime of the project.
2. Review and approve all acquisition plans, considering risk, costs, benefits and technical conformance with enterprise architecture standards.
3. Assess and document the degree to which acquired solutions require adaptation of business process to leverage the benefits of the acquired solution.
4. Follow required approvals at key decision points during the procurement processes.
5. Record receipt of all infrastructure and software acquisitions in an asset inventory.
BAI03.05 Manage Solutions Identification and Build > Build solutions.
1. Integrate and configure business and IT solution components and information repositories in line with detailed specifications and quality requirements. Consider the role of users, business stakeholders and the process owner in the configuration of business processes.
2. Complete and update business process and operational manuals, where necessary, to account for any customisation or special conditions unique to the implementation.
3. Consider all relevant information control requirements in solution component integration and configuration, including implementation of business controls, where appropriate, into automated application controls such that processing is accurate, complete, timely, authorised and auditable.
4. Implement audit trails during configuration and integration of hardware and infrastructural software to protect resources and ensure availability and integrity.
5. Consider when the effect of cumulative customisations and configurations (including minor changes that were not subjected to formal design specifications) require a high-level reassessment of the solution and associated functionality.
6. Ensure the interoperability of solution components with supporting tests, preferably automated.
7. Configure acquired application software to meet business processing requirements.
8. Define service catalogues for relevant internal and external target groups based on business requirements.
BAI03.06 Manage Solutions Identification and Build > Perform quality assurance.
1. Define a QA plan and practices including, e.g., specification of quality criteria, validation and verification processes, definition of how quality will be reviewed, necessary qualifications of quality reviewers, and roles and responsibilities for the achievement of quality.
2. Frequently monitor the solution quality based on project requirements, enterprise policies, adherence to development methodologies, quality management procedures and acceptance criteria.
3. Employ code inspection, test-driven development practices, automated testing, continuous integration, walk-throughs and testing of applications as appropriate. Report on outcomes of the monitoring process and testing to the application software development team and IT management.
4. Monitor all quality exceptions and address all corrective actions. Maintain a record of all reviews, results, exceptions and corrections. Repeat quality reviews, where appropriate, based on the amount of rework and corrective action.
BAI03.07 Manage Solutions Identification and Build > Prepare for solution testing.
1. Create an integrated test plan and practices commensurate with the enterprise environment and strategic technology plans that will enable the creation of suitable testing and simulation environments to help verify that the solution will operate successfully in the live environment and deliver the intended results and that controls are adequate.
2. Create a test environment that supports the full scope of the solution and reflects, as closely as possible, real-world conditions, including the business processes and procedures, range of users, transaction types, and deployment conditions.
3. Create test procedures that align with the plan and practices and allow evaluation of the operation of the solution in real-world conditions. Ensure that the test procedures evaluate the adequacy of the controls, based on enterprise-wide standards that define roles, responsibilities and testing criteria, and are approved by project stakeholders and the sponsor/business process owner.
BAI03.08 Manage Solutions Identification and Build > Execute solution testing.
1. Undertake testing of solutions and their components in accordance with the testing plan. Include testers independent from the solution team, with representative business process owners and end users. Ensure that testing is conducted only within the development and test environments.
2. Use clearly defined test instructions, as defined in the test plan, and consider the appropriate balance between automated scripted tests and interactive user testing.
3. Undertake all tests in accordance with the test plan and practices including the integration of business processes and IT solution components and of non-functional requirements (e.g., security, interoperability, usability).
4. Identify, log and classify (e.g., minor, significant and mission-critical) errors during testing. Repeat tests until all significant errors have been resolved. Ensure that an audit trail of test results is maintained.
5. Record testing outcomes and communicate results of testing to stakeholders in accordance with the test plan.
BAI03.09 Manage Solutions Identification and Build > Manage changes to requirements.
1. Assess the impact of all solution change requests on the solution development, the original business case and the budget, and categorise and prioritise them accordingly.
2. Track changes to requirements, enabling all stakeholders to monitor, review and approve the changes. Ensure that the outcomes of the change process are fully understood and agreed on by all the stakeholders and the sponsor/business process owner.
3. Apply change requests, maintaining the integrity of integration and configuration of solution components. Assess the impact of any major solution upgrade and classify it according to agreed-on objective criteria (such as enterprise requirements), based on the outcome of analysis of the risk involved (such as impact on existing systems and processes or security), cost-benefit justification and other requirements.
BAI03.10 Manage Solutions Identification and Build > Maintain solutions.
1. Develop and execute a plan for the maintenance of solution components that includes periodic reviews against business needs and operational requirements such as patch management, upgrade strategies, risk, vulnerabilities assessment and security requirements.
2. Assess the significance of a proposed maintenance activity on current solution design, functionality and/or business processes. Consider risk, user impact and resource availability. Ensure that the business process owners understand the effect of designating changes as maintenance.
3. In the event of major changes to existing solutions that result in significant change in current designs and/or functionality and/or business processes, follow the development process used for new systems. For maintenance updates, use the change management process.
4. Ensure that the pattern and volume of maintenance activities are analysed periodically for abnormal trends indicating underlying quality or performance problems, cost/benefit of major upgrade, or replacement in lieu of maintenance.
5. For maintenance updates, use the change management process to control all maintenance requests.
BAI03.11 Manage Solutions Identification and Build > Define IT services and maintain the service portfolio.
1. Propose definitions of the new or changed IT services to ensure that the services are fit for purpose. Document the proposed service definitions in the portfolio list of services to be developed.
2. Propose new or changed service level options (service times, user satisfaction, availability, performance, capacity, security, continuity, compliance and usability) to ensure that the IT services are fit for use. Document the proposed service options in the portfolio.
3. Interface with business relationship management and portfolio management to agree on the proposed service definitions and service level options.
4. If service change falls within agreed-on approval authority, build the new or changed IT services or service level options. Otherwise, pass the service change to portfolio management for investment review.
BAI04.01 Manage Availability and Capacity > Assess current availability, performance and capacity and create a baseline.
1. Consider the following (current and forecasted) in the assessment of availability, performance and capacity of services and resources: customer requirements, business priorities, business objectives, budget impact, resource utilisation, IT capabilities and industry trends.
2. Monitor actual performance and capacity usage against defined thresholds, supported where necessary with automated software.
3. Identify and follow up on all incidents caused by inadequate performance or capacity.
4. Regularly evaluate the current levels of performance for all processing levels (business demand, service capacity and resource capacity) by comparing them against trends and SLAs, taking into account changes in the environment.